As modern operating systems and software become larger and more
complex, they are more likely to contain bugs that attackers can
exploit to gain illegitimate access. A fast and reliable mechanism
for detecting such attacks and generating 'vaccines' against them is
vital for the successful protection of networks and systems. In this
paper we present Argos, a containment environment for worms as well as
human-orchestrated attacks. Argos is built upon a fast x86 emulator
that tracks network data throughout execution to identify its invalid
use as jump targets, function addresses, instructions, etc.
Furthermore, system call policies disallow the use of network data as
arguments to certain calls. When an attack is detected, we perform
'intelligent' process- or kernel-aware logging of the corresponding
emulator state for further off-line processing. In addition, our own
forensics shellcode is injected to gather information about the
attacked process. By correlating the data logged by the emulator with
the data collected from the network, accurate network intrusion
detection signatures can be generated.
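The detection mechanism the abstract describes (tagging every byte that arrives from the network and raising an alert when a tagged value is used as a control-flow target or as a policy-restricted system call argument) can be illustrated with a toy emulator. The block below is an added example written for this page; it is not Argos's code and models none of its x86 internals. The four-register machine, the instruction names, the `execve` policy entry, the memory layout (an 8-cell buffer followed by a return-address slot) and the sample requests are all constructed for the illustration.

```python
"""Toy taint-tracking VM: network bytes carry a taint bit that propagates
through copies and arithmetic; sinks (indirect jumps, return addresses,
policy-restricted syscall arguments) refuse tainted values.
Added example for illustration only, not Argos's implementation."""
from dataclasses import dataclass


@dataclass
class Cell:
    value: int
    tainted: bool = False  # True if derived (directly or indirectly) from network input


class TaintAlert(Exception):
    """Raised when network-derived data reaches a sensitive sink."""


class TaintVM:
    # Hypothetical policy: which argument positions of which syscalls must be clean.
    SYSCALL_POLICY = {"execve": (0,)}

    def __init__(self, mem_size=32):
        self.mem = [Cell(0) for _ in range(mem_size)]
        self.regs = {f"r{i}": Cell(0) for i in range(4)}
        self.pc = 0

    def recv(self, dst, payload):
        """Model read(2) on a socket: every byte copied in is tainted.
        No bounds check on purpose, so a long payload overflows past dst+8."""
        for i, b in enumerate(payload):
            self.mem[dst + i] = Cell(b, tainted=True)

    def step(self, instr):
        op, *args = instr
        if op == "mov":        # mov rd, imm: constants in the program are clean
            self.regs[args[0]] = Cell(args[1])
        elif op == "load":     # load rd, [addr]: taint travels with the value
            src = self.mem[args[1]]
            self.regs[args[0]] = Cell(src.value, src.tainted)
        elif op == "store":    # store [addr], rs
            src = self.regs[args[1]]
            self.mem[args[0]] = Cell(src.value, src.tainted)
        elif op == "add":      # add rd, rs: taint propagates through arithmetic
            a, b = self.regs[args[0]], self.regs[args[1]]
            self.regs[args[0]] = Cell(a.value + b.value, a.tainted or b.tainted)
        elif op == "jmp":      # jmp rd: indirect jump through a register
            tgt = self.regs[args[0]]
            if tgt.tainted:
                raise TaintAlert(f"tainted jump target {tgt.value:#x} at pc={self.pc}")
            self.pc = tgt.value
            return
        elif op == "ret":      # ret [slot]: return through an address saved in memory
            tgt = self.mem[args[0]]
            if tgt.tainted:
                raise TaintAlert(f"tainted return address {tgt.value:#x} at pc={self.pc}")
            self.pc = tgt.value
            return
        elif op == "syscall":  # syscall name, r_arg0, r_arg1, ...: enforce the policy
            name, arg_regs = args[0], args[1:]
            for idx in self.SYSCALL_POLICY.get(name, ()):
                if self.regs[arg_regs[idx]].tainted:
                    raise TaintAlert(f"tainted argument {idx} to {name} at pc={self.pc}")
        elif op == "halt":
            self.pc = None
            return
        else:
            raise ValueError(f"unknown instruction {op}")
        self.pc += 1

    def run(self, program, max_steps=100):
        self.pc = 0
        for _ in range(max_steps):
            if self.pc is None or self.pc >= len(program):
                return
            self.step(program[self.pc])
        raise RuntimeError("step limit exceeded")


def check_request(payload, buf_addr=0, ret_slot=8):
    """Toy 'server' that copies a request into an 8-cell buffer whose saved
    return address sits at ret_slot. Returns the alert text, or None."""
    vm = TaintVM()
    vm.mem[ret_slot] = Cell(4)        # legitimate return address: index of the halt
    vm.recv(buf_addr, payload)        # oversized request overwrites the slot
    program = [
        ("load", "r0", buf_addr),     # handler inspects the first request byte
        ("mov", "r1", 1),
        ("add", "r0", "r1"),          # tainted + clean stays tainted
        ("ret", ret_slot),            # sink: return address must be clean
        ("halt",),
    ]
    try:
        vm.run(program)
    except TaintAlert as alert:
        return str(alert)
    return None


def check_syscall(payload):
    """Pass the first network byte straight into execve's first argument."""
    vm = TaintVM()
    vm.recv(0, payload)
    program = [("load", "r0", 0), ("syscall", "execve", "r0"), ("halt",)]
    try:
        vm.run(program)
    except TaintAlert as alert:
        return str(alert)
    return None


if __name__ == "__main__":
    print(check_request(b"GET /"))     # None: buffer fits, return address clean
    print(check_request(b"A" * 12))    # tainted return address 0x41 at pc=3
    print(check_syscall(b"/bin/sh"))   # tainted argument 0 to execve at pc=1
```

The point of the two checks is that neither looks at the payload's content: a 12-byte request of any bytes trips the return-address sink, and any network byte reaching `execve` trips the policy, which is why this kind of detector produces no false positives on benign traffic that stays within the buffer and can flag an exploit the first time it is seen.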
I obtained my bachelor's in computer science from the University of
Crete, in Heraklion, Greece in 2002. In 2005 I got my M.Sc. in
computer science from Leiden University. Currently I am a Ph.D.
student at the Vrije Universiteit in Amsterdam, under Henri Bal and
Herbert Bos.
In the past I have worked on network monitoring and peer-to-peer systems. Currently, I am working on network security. My current project is partially funded by the Dutch NWO and the NoAH project. I have also worked as an intern at Intel Research Cambridge and Internet Hellas in Greece.
Last modified: Sat, 24 Jun 2006 16:30:48 +0200