Technology

Nemean’s core technology automatically generates protocol behavior-aware signatures that identify malicious attack activity with unprecedented accuracy.


Nemean technology walkthrough

Step One: Gather Data

Packet streams form the basis of Nemean’s signature generation technology. The Nemean system parses raw attack data from honeynets and other sources into behavior-aware representations of attack streams.

Step Two: Identify Similar Groups

These behavior-aware constructs are then compared with each other, partitioning streams with common attack characteristics into groups. The partitioning technique results in groups that represent families of similar attacks.

Step Three: Signature Generation

Finally, Nemean generates one attack signature for each attack group. The signatures express attack behavior details and are generalized to identify possible future attack variants. The result is a compact signature set that generates highly accurate alerts.
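As an added illustration of the three steps above (example code written here, not Nemean's own implementation), this toy Python run parses constructed HTTP request lines into token sequences, groups them by token-set overlap, and emits one generalized signature per group; the token representation, the Jaccard threshold and the wildcard generalization are simplifications assumed for the example.

```python
# Constructed HTTP request lines standing in for honeynet captures (not real data).
SAMPLE_REQUESTS = [
    "GET /cgi-bin/probe.cgi?cmd=a HTTP/1.0",
    "GET /cgi-bin/probe.cgi?cmd=b HTTP/1.1",
    "POST /admin/login.php?user=x HTTP/1.1",
    "POST /admin/login.php?user=y HTTP/1.0",
    "GET /index.html HTTP/1.1",
]

def parse(request_line):
    """Step one: raw request line -> protocol-aware token sequence (version ignored)."""
    method, target, _version = request_line.split(" ")
    path, _, query = target.partition("?")
    tokens = [method] + [seg for seg in path.split("/") if seg]
    for pair in (query.split("&") if query else []):
        key, _, value = pair.partition("=")
        tokens += [key, value]
    return tokens
def jaccard(a, b):
    a, b = set(a), set(b)
    return len(a & b) / len(a | b)

def cluster(streams, threshold=0.5):
    """Step two: greedy single-link grouping by token-set overlap (Jaccard >= threshold)."""
    groups = []
    for stream in streams:
        for group in groups:
            if any(jaccard(stream, member) >= threshold for member in group):
                group.append(stream)
                break
        else:
            groups.append([stream])
    return groups
def signature(group):
    """Step three: tokens shared by every member stay literal, the rest become wildcards
    (None); if members differ in length the signature is open-ended (extra tokens allowed)."""
    shortest = min(len(s) for s in group)
    tokens = tuple(col[0] if len(set(col)) == 1 else None for col in zip(*group))
    return {"tokens": tokens, "open": any(len(s) != shortest for s in group)}

def matches(sig, request_line):
    """Apply a signature to a new request line: exact token count unless open-ended."""
    toks, want = parse(request_line), sig["tokens"]
    if len(toks) < len(want) or (not sig["open"] and len(toks) != len(want)):
        return False
    return all(w is None or w == t for w, t in zip(want, toks))
def generate_signatures(request_lines, threshold=0.5):
    return [signature(g) for g in cluster([parse(r) for r in request_lines], threshold)]
```

Running `generate_signatures(SAMPLE_REQUESTS)` yields three signatures; the first keeps the method, path and query key literal and wildcards the query value, so a previously unseen value such as `cmd=zzz` still matches while a different script name does not.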


Whitepapers

Nemean’s core technology was developed through a variety of research at the University of Wisconsin. For more information about how it all works, see the following academic papers:

Using Honeynets for Internet Situational Awareness

V. Yegneswaran, P. Barford, and V. Paxson. In Proceedings of the ACM/USENIX Fourth Workshop on Hot Topics in Networks (HotNets IV), November 2005. This paper describes the original vision of network situational awareness.

An Architecture for Generating Semantics-aware Signatures

V. Yegneswaran, J. Giffin, P. Barford, and S. Jha. In Proceedings of the USENIX Security Symposium, August 2005. This paper describes our basic signature generation methodology.

On the Design and Use of Internet Sinks for Network Abuse Monitoring

V. Yegneswaran, P. Barford, and D. Plonka. In Proceedings of the Symposium on Recent Advances in Intrusion Detection (RAID), September 2004. This paper describes the basis for our honeynet technology.

Traffic Anomaly Detection at Fine Time Scales with Bayes Nets

J. Kline, S. Nam, P. Barford, D. Plonka, and A. Ron. In Proceedings of the International Conference on Internet Monitoring and Protection (ICIMP '08), June 2008. This paper describes the basis for our anomaly detection capability.