Nasir Memon, Ph.D.
Professor, Polytechnic Institute of New York University, New York, New York
 

Nasir Memon is a Professor in the Computer Science Department at Polytechnic Institute of NYU, New York. He is the director of the Information Systems and Internet Security (ISIS) lab at Polytechnic. His research interests include Data Compression, Computer and Network Security, Digital Forensics, and Multimedia Data Security.

Dr. Memon will discuss INFECTION DETECTION. Polytechnic University's "Infection Detection" is a new approach to detecting compromised hosts (such as those that have become bots or bot controllers) from the network by passively observing host communications behavior. Detection from the network has many advantages; in particular, host access is not needed, and the passive nature of the observation means the malware does not know how it is being observed and cannot defeat the detection process by deleting log entries, etc. Polytechnic's "Infection Detection" approach looks for a relatively small set of "symptoms" to form the basis of "behavioral detection" of malware and other host "infections." Network-based sensors monitor the behavior of hosts over time by observing their communications (including connections, flows, timing, content, DNS activity, attempted dark-space access, etc.). These observations are correlated both over time and across hosts/devices to detect "symptoms" of infected hosts. Symptoms are pre-identified forms of behavior that may indicate a problem. Note that signatures of specific attacks are not needed—just the kinds of behaviors that attacks exhibit. Also note that the symptoms are pre-defined; they are not merely deviations from previously recorded behavior, as in anomaly-detection-based systems, which are very prone to false alarms. A prototype system has been developed and tested at Polytechnic, a local county government network, and selected corporate networks. Results to date show a strong ability to detect bots and other malware, and network managers have indicated that the reports give them greater insight into network activity beyond malware detection. Research leading to this prototype has been performed at Polytechnic University, with funding coming from NSF, NSA, and other sources.
A product based on this research is being developed at Vivic Networks, an incubator supported by Polytechnic and the State of NY, and staffed by Polytechnic researchers.
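To make the symptom-based, cross-host correlation idea described above concrete, here is an added illustration that is not code from the Polytechnic prototype or from Vivic Networks. It assumes a sensor that emits simple per-host records (connection attempts and DNS lookups with timestamps), defines three pre-defined symptoms of the kind the abstract lists (attempted dark-space access, repeated DNS resolution failures, and regularly timed "beaconing" to one destination), and flags a host only when several independent symptoms co-occur. The address ranges, thresholds and event log are all constructed for the example; the symptom names and functions are this example's own, not the prototype's.

```python
"""Added example: symptom-based infection detection over constructed network observations."""
from collections import Counter, defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Constructed assumption: an internal range the operator knows is unallocated ("dark space").
DARK_SPACE = [ip_network("10.99.0.0/16")]


@dataclass(frozen=True)
class Event:
    ts: datetime   # when the sensor observed the event
    host: str      # internal host being observed
    kind: str      # "conn" (outbound connection attempt) or "dns" (name lookup)
    target: str    # destination IP for conn, queried name for dns
    result: str    # conn: "syn_only" / "established"; dns: "ok" / "nxdomain"


T0 = datetime(2024, 1, 1, 12, 0, 0)  # constructed timestamp base


def ev(secs, host, kind, target, result):
    return Event(T0 + timedelta(seconds=secs), host, kind, target, result)


# Constructed sample log: .10 shows three symptoms, .20 shows one, .30 behaves normally.
SAMPLE_EVENTS = [
    ev(1, "192.0.2.10", "conn", "10.99.1.1", "syn_only"),
    ev(2, "192.0.2.10", "conn", "10.99.1.2", "syn_only"),
    ev(3, "192.0.2.10", "conn", "10.99.1.3", "syn_only"),
    ev(10, "192.0.2.10", "dns", "qx7a.example", "nxdomain"),
    ev(11, "192.0.2.10", "dns", "pl3m.example", "nxdomain"),
    ev(12, "192.0.2.10", "dns", "zz9k.example", "nxdomain"),
    ev(13, "192.0.2.10", "dns", "rt4v.example", "nxdomain"),
    ev(14, "192.0.2.10", "dns", "hh2d.example", "nxdomain"),
    ev(100, "192.0.2.10", "conn", "198.51.100.5", "established"),
    ev(161, "192.0.2.10", "conn", "198.51.100.5", "established"),
    ev(220, "192.0.2.10", "conn", "198.51.100.5", "established"),
    ev(282, "192.0.2.10", "conn", "198.51.100.5", "established"),
    ev(340, "192.0.2.10", "conn", "198.51.100.5", "established"),
    ev(5, "192.0.2.20", "conn", "10.99.7.7", "syn_only"),
    ev(6, "192.0.2.20", "conn", "10.99.7.8", "syn_only"),
    ev(7, "192.0.2.20", "conn", "10.99.7.9", "syn_only"),
    ev(8, "192.0.2.20", "dns", "www.example", "ok"),
    ev(5, "192.0.2.30", "dns", "www.example", "ok"),
    ev(6, "192.0.2.30", "conn", "203.0.113.7", "established"),
    ev(17, "192.0.2.30", "conn", "203.0.113.7", "established"),
    ev(90, "192.0.2.30", "conn", "203.0.113.7", "established"),
]


def symptom_dark_space(events, min_hits=3):
    """Hosts that repeatedly try to reach addresses nobody legitimately uses."""
    hits = Counter()
    for e in events:
        if e.kind == "conn" and any(ip_address(e.target) in net for net in DARK_SPACE):
            hits[e.host] += 1
    return {h for h, n in hits.items() if n >= min_hits}


def symptom_dns_failures(events, min_failures=5):
    """Hosts with many failed lookups, a pre-defined symptom rather than a learned baseline."""
    fails = Counter(e.host for e in events if e.kind == "dns" and e.result == "nxdomain")
    return {h for h, n in fails.items() if n >= min_failures}


def symptom_beaconing(events, min_gaps=4, jitter=timedelta(seconds=5)):
    """Hosts whose successful connections to one destination recur at a near-constant interval."""
    by_pair = defaultdict(list)
    for e in events:
        if e.kind == "conn" and e.result == "established":
            by_pair[(e.host, e.target)].append(e.ts)
    flagged = set()
    for (host, _target), times in by_pair.items():
        times.sort()
        gaps = [b - a for a, b in zip(times, times[1:])]
        if len(gaps) < min_gaps:
            continue
        median = sorted(gaps)[len(gaps) // 2]
        if all(abs(g - median) <= jitter for g in gaps):
            flagged.add(host)
    return flagged


SYMPTOMS = {
    "dark_space": symptom_dark_space,
    "dns_failures": symptom_dns_failures,
    "beaconing": symptom_beaconing,
}


def correlate(events):
    """Map each host to the set of symptom names it exhibits across the observation window."""
    report = defaultdict(set)
    for name, check in SYMPTOMS.items():
        for host in check(events):
            report[host].add(name)
    return dict(report)


def infected_hosts(events, min_symptoms=2):
    """Flag only hosts showing several independent symptoms, to keep false alarms down."""
    return sorted(h for h, s in correlate(events).items() if len(s) >= min_symptoms)


if __name__ == "__main__":
    for host, symptoms in sorted(correlate(SAMPLE_EVENTS).items()):
        print(host, sorted(symptoms))
    print("flagged:", infected_hosts(SAMPLE_EVENTS))
```

Each symptom is a fixed test with a fixed threshold, so a host is reported for what it did, not for differing from its own past; requiring two or more symptoms before flagging is what keeps a single noisy behavior (such as .20's few stray probes) from raising an alarm on its own. The per-host symptom sets are also the kind of report that gives an operator insight into network activity even when no host crosses the alarm threshold.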