RE: automatic signature generation

["Oleg Kolesnikov x 133" <okolesnikov () toplayer com>]

You might want to consider the following publications from the IEEE S&P proceedings:
- Misleading Worm Signature Generators Using Deliberate Noise Injection (Georgia Tech)
- Towards Automatic Generation of Vulnerability Based Signatures (CMU)

Regards,
Oleg Kolesnikov
http://www.cc.gatech.edu/isg/phd/ok

-----Original Message-----
From: listbounce () securityfocus com
[mailto:listbounce () securityfocus com]On Behalf Of Jose Nazario
Sent: Thursday, May 24, 2007 11:09 AM
To: Sanjay R
Cc: focus-ids () securityfocus com
Subject: Re: automatic signature generation


have a look at tools like:

        netsift www.netsift.net/  -- now a part of cisco, but check out
        their technology.

        honeycomb - www.icir.org/christian/honeycomb/index.html
        uses suffix trees to evaluate honeypot dat to build signatures.

in short its been done, there's some room for improvement (via hueristics 
and better speedups via algorithms), but it's proven to work.

________
jose nazario, ph.d.                 jose () monkey org
http://monkey.org/~jose/            http://monkey.org/~jose/secnews.html
                                    http://www.wormblog.com/

------------------------------------------------------------------------
Test Your IDS

Is your IDS deployed correctly?
Find out quickly and easily by testing it 
with real-world attacks from CORE IMPACT.
Go to http://www.coresecurity.com/index.php5?module=Form&action=impact&campaign=intro_sfw 
to learn more.
------------------------------------------------------------------------


------------------------------------------------------------------------
Test Your IDS

Is your IDS deployed correctly?
Find out quickly and easily by testing it
with real-world attacks from CORE IMPACT.
Go to http://www.coresecurity.com/index.php5?module=Form&action=impact&campaign=intro_sfw
to learn more.
------------------------------------------------------------------------