Diego Zamboni | Purdue University
Papers by Diego Zamboni
We introduce the concept of using internal sensors to perform intrusion detection in computer systems. We show its practical feasibility and discuss its characteristics, related design and implementation issues. We introduce a classification of data collection mechanisms for intrusion detection systems. At a conceptual level, these mechanisms are classified as direct and indirect monitoring. At a practical level, direct monitoring can be implemented using external or internal sensors.
Dimva, 2008
Table of contents excerpt: Najwa Aaraj, Anand Raghunathan, and Niraj K. Jha, Embedded Malware Detection Using Markov n-Grams (p. 64); Roberto Paleari, Davide Marrone, Danilo Bruschi, and Mattia Monga, On the Limits of Information Flow Techniques for Malware Analysis and Containment (p. 126).
We propose a system for detecting scanning-worm infected machines in a local network. Infected machines are detected after a few unsuccessful connection attempts, and in cooperation with the border router, their traffic is redirected to a honeypot for worm identification and capture. We discuss the architecture of the system and present a sample implementation based on a Linux router. We discuss future improvements for increasing the detection abilities and coverage of the sensor. While the system was developed based on the Billy Goat worm-detection system, it can easily be used with other honeypot systems.
Journal of Computer Security, 2002
We introduce the concept of using internal sensors to perform intrusion detection in computer systems. We show its practical feasibility and discuss its characteristics and related design and implementation issues.
The Intrusion Detection System architectures commonly used in commercial and research systems have a number of problems that limit their configurability, scalability or efficiency. The most common shortcoming in the existing architectures is that they are built around a single monolithic entity that does most of the data collection and processing. In this paper, we review our architecture for a distributed Intrusion Detection System based on multiple independent entities working collectively. We call these entities Autonomous Agents. This approach solves some of the problems previously mentioned. We present the motivation and description of the approach, partial results obtained from an early prototype, a discussion of design and implementation issues, and directions for future work.
Drawing from the experience obtained during the development and testing of a distributed intrusion detection system, we reflect on the data collection needs of intrusion detection systems, and on the limitations that are faced when using the data collection mechanisms built into most operating systems. We claim that it is best for an intrusion detection system to be able to collect its data by looking directly at the operations of the host, instead of indirectly through audit trails or network packets. Furthermore, for collecting data in an efficient, reliable and complete fashion, incorporation of monitoring mechanisms in the source code of the operating system and its applications is needed.
Comput Netw, 2007
Reference excerpt: [7] Chris Sinclair, Lyn Pierce, Sara Matzner, An Application of Machine Learning to Network Intrusion Detection, Proceedings of the 15th Annual Computer Security Applications Conference, p. 371, December 06-10, 1999.
Cloud infrastructure commonly relies on virtualization. Customers provide their own VMs, and the cloud provider runs them often without knowledge of the guest OSes or their configurations. However, cloud customers also want effective and efficient security for their VMs. Cloud providers offering security-as-a-service based on VM introspection promise the best of both worlds: efficient centralization and effective protection. Since customers can move images from one cloud to another, an effective solution requires learning what guest OS runs in each VM and securing the guest OS without relying on the guest OS functionality or an initially secure guest VM state.
Ispd, 2001
To my parents for giving me life, and to Susana for sharing it with me.
Intrusion detection systems have usually been developed using large host-based components. These components impose an extra load on the system where they run (sometimes even requiring a dedicated system) and are subject to tampering or disabling by an intruder.
Embedded sensors for intrusion detection consist of code added to the operating system and the programs of the hosts where monitoring will take place. The sensors check for specific conditions that indicate an attack is taking place, or an intrusion has occurred. Embedded sensors have advantages over other data collection techniques (usually implemented as separate processes) in terms of reduced host impact, resistance to attack, efficiency and effectiveness of detection. We describe the use of embedded sensors in general, and their application to the detection of specific network-based attacks. The sensors were implemented in the OpenBSD operating system, and our tests show a 100% success rate in the detection of the attacks for which sensors were instrumented. We discuss the sensors implemented and the results obtained, as well as current and future work in the area.
Raid, 2006
Diego Zamboni, Christopher Kruegel (Eds.), Recent Advances in Intrusion Detection, 9th International Symposium, RAID 2006, Hamburg, Germany, September 2006, Proceedings. Lecture Notes in Computer Science.
Raid, 1999
Gene Spafford is a professor of Computer Sciences at Purdue University. He is the founder and director of the COAST Laboratory, and the new Center for Education and Research in Information Assurance and Security (CERIAS). He has been involved in Intrusion Detection and avoidance research for over a decade.
Billy Goat is a worm detection system widely deployed throughout IBM and several other corporate networks. We describe the tools and constructions that we have used in the implementation and deployments of the system, and discuss contributions which could be useful in the implementation of other similar systems. We also discuss the features and requirements of worm detection systems in general, and how they are addressed by Billy Goat, allowing it to perform reliably in terms of scalability, accuracy, resilience and rapidity in detection and identification of worms without false positives.
Proceedings 14th Annual Computer Security Applications Conference (Cat. No.98EX217), 1998
The Intrusion Detection System architectures commonly used in commercial and research systems have a number of problems that limit their configurability, scalability or efficiency. The most common shortcoming in the existing architectures is that they are built around a single monolithic entity that does most of the data collection and processing. In this paper, we review our architecture for a distributed Intrusion Detection System based on multiple independent entities working collectively. We call these entities Autonomous Agents. This approach solves some of the problems previously mentioned. We present the motivation and description of the approach, partial results obtained from an early prototype, a discussion of design and implementation issues, and directions for future work.
Proceedings of the 2009 ACM workshop on Cloud computing security - CCSW '09, 2009
Cloud infrastructure commonly relies on virtualization. Customers provide their own VMs, and the cloud provider runs them often without knowledge of the guest OSes or their configurations. However, cloud customers also want effective and efficient security for their VMs. Cloud providers offering security-as-a-service based on VM introspection promise the best of both worlds: efficient centralization and effective protection. Since customers can move images from one cloud to another, an effective solution requires learning what guest OS runs in each VM and securing the guest OS without relying on the guest OS functionality or an initially secure guest VM state.