IDS mailing list archives
Re: automatic signature generation
From: "Sanjay R" <2sanjayr () gmail com>
Date: Thu, 24 May 2007 13:08:36 +0200
On 5/22/07, Tim <tim-security () sentinelchicken org> wrote:
> Therefore, the early thought that comes > into my mind is "creating an automated signature generation tool is as > difficult as creating an automated attack generation tool". I would > like to know your opinion on this. I would say no. That is, I think it would be easier to create an automated signature generation tool that it would be to create an automated exploit generation tool. This is based on my experience with machine learning algorithms and penetration testing. This of course with the caveats: - To create a signature for a single vulnerability, the generation tool would need to have a set of exploits for that vulnerability and a large body of harmless traffic to compare it against.
this is what I have in mind to start with. but there are problems. i have manually created signatures for many vulnerabilities and for various exploits/attacks, I had to use regexp or checks many fields related to vulnerable protocols/applications. so we miss the contaxt/semantics of the attack, if we directly apply machine learning, at least to my understanding. if you know some work in this direction, please refer. I would like to explore.
- The signature generation tool would not be able to generate false-positive and false-negative free signatures (who does?). However, for simpler cases the error rates could be quite low and possibly even measurable. As far as your comments about detecting flooding attacks, I think this may actually be harder to get right.
under most general scenario, flooding is deected by the rate of packets. so, if we keep checking the health of the victim (destination), we can fine tune the threshold for this rate automatically. you may like to see the work of J. Cannady on "CMAC and flooding attacks" thanks -Sanjay
HTH, tim
-- Postdoc, DIT, University of Trento, Italy ------------------------------------------------------------------------ Test Your IDS Is your IDS deployed correctly?Find out quickly and easily by testing it with real-world attacks from CORE IMPACT. Go to http://www.coresecurity.com/index.php5?module=Form&action=impact&campaign=intro_sfw to learn more.
------------------------------------------------------------------------
Current thread:
- automatic signature generation Sanjay R (May 22)
- Re: automatic signature generation Tim (May 24)
- Re: automatic signature generation Sanjay R (May 24)
- Re: automatic signature generation Jose Nazario (May 24)
- RE: automatic signature generation Oleg Kolesnikov x 133 (May 28)
- Re: automatic signature generation Hugo Francisco González Robledo (May 24)
- RE: automatic signature generation Ackley, Alex (May 24)
- Re: automatic signature generation Eric Hacker (May 24)
- Re: automatic signature generation Sanjay R (May 24)
- RE: automatic signature generation Joshua Barnes (May 24)
- RE: automatic signature generation Ofer Shezaf (May 28)
- Re: automatic signature generation Tim (May 24)