NetShield: A Vulnerability Signature Based Network Intrusion Detection System
Summary
Accuracy and speed are the two most important metrics for Network Intrusion Detection or Prevention Systems (NIDS/NIPSes). NetShield is a vulnerability signature based NIDS/NIPS which achieves multi-gigabit throughput while offering much better accuracy compared to regular expression signature based NIDSes such as Snort. NetShield uses vulnerability signatures based on protocol semantic information. The core engine of NetShield matches thousands of vulnerability signatures at high speed.
This work is mainly conducted at Northwestern University by the Lab for Internet and Security Technology (LIST), in collaboration with Tsinghua University, China.
Faculty and Staff
- Zhichun Li (Research Associate, Northwestern Univ.)
- Yan Chen (Associate Professor, Northwestern Univ.)
- Bin Liu (Professor, Tsinghua Univ., China)
Students
- Gao Xia (Tsinghua Univ., China)
- Hongyu Gao (Northwestern Univ.)
- Yi Tang (Tsinghua Univ., China)
- Junchen Jiang (Tsinghua Univ, China)
- Yuezhou Lv (Tsinghua Univ, China)
Collaborators
- Ying He (was a visiting PhD student at Northwestern Univ.)
- Jian Chang (was an undergraduate student at Tsinghua Univ., China)
- James West (was an undergraduate student at Northwestern University)
- Jim Spadaro (was an undergraduate student at Northwestern University)
- Tianfan Xue (was an undergraduate student at Tsinghua Univ., China)
Publications
- NetShield: Matching with a Large Vulnerability Signature Ruleset for High Performance Network Defense,
Zhichun Li, Gao Xia, Hongyu Gao, Yi Tang, Yan Chen, Bin Liu, Junchen Jiang
and Yuezhou Lv,
ACM SIGCOMM 2010, New Delhi, India, August 2010.
- Netshield: Matching with a large vulnerability signature ruleset for high performance network defense,
Zhichun Li, Gao Xia, Hongyu Gao, Yi Tang, Yan Chen, Bin Liu
Technical Report NWU-EECS-08-07, Northwestern University, 2009.
Releases
- NetShield (Release 0.2)
- NetShield includes the main program NetShield, an automated parser generator UltraPAC, and some Python code for compiling the rule files into our internal XML representation. UltraPAC is a BinPAC-like tool that uses BinPAC's PAC language, but it produces faster parsers tailored for vulnerability signature matching. Similar to BinPAC, the parsers generated by UltraPAC faithfully parse the protocols according to the protocol specification written in the PAC language.
- The current release only supports the Windows platform. We have successfully compiled it on Windows 2003 Server 32-bit Edition. In the near future, we plan to port NetShield to Linux/Unix; mainly, we need to resolve some library dependencies so that it can be compiled on Linux/Unix. Nevertheless, WinPcap is much faster than the libpcap port on Linux.
- The current release mainly supports the HTTP and WINRPC protocols. We are still improving the code to make it easier to add protocols. Hopefully, in the next release, we can achieve that, so that anyone can add a protocol by themselves.
- NetShield HTTP sample ruleset (Release 0.1)
- To our knowledge, there is no public vulnerability signature ruleset available. Even worse, although a few research projects focus on automated vulnerability signature generation, none of them release any automated vulnerability signature generators. In the future, we might build something on our own, but for now we write the vulnerability signatures manually. Thanks to all the people who have helped contribute signatures!
- We currently release 100 sample vulnerability signatures for testing purposes. They cover some of the vulnerabilities that the Snort HTTP ruleset tries to detect. Based on the CVE IDs of the Snort rules, we collect the vulnerability information needed to write such signatures. We are working on improving the accuracy of the other vulnerability signatures derived from Snort rules, and will release more signatures soon.
- We invite anyone who is interested in our system to contribute signatures. Please contact us if you would like to contribute signatures.
Sponsors
This work has been supported by US NSF CNS-0831508 award and AFOSR YIP award FA9550-07-1-0074.
Feedback is welcome (please send email to Zhichun Li).