RE: automatic signature generation

["Ofer Shezaf" <OferS () Breach com>]

One problem I see with automated signatures generation is that, if based
on a sample of attack vectors, these signatures would address only those
attack vectors. Strong signatures should address a vulnerability and not
a specific attack vector exploiting it.

On the other hand there are interesting ways to combine learning and
signatures. For example, combining generic signatures (such as
ModSecurity Core Rule Set [1]) and a positive security model derived by
learning (such as suggested by by C. Kruegel and G. Vigna in the their
work "Anomaly Detection of Web-based Attacks" [2]).

Kruegel, Vigna at el describe two such ways to combine anomaly based
positive security and signatures in their work "Using Generalization and
Characterization Techniques in the Anomaly-based Detection of Web
Attacks" [3]:
+ Generating "anomaly signatures"
+ Applying generic signatures of known attack techniques to lower false
positive rate for anomaly based detection.

An additional way to combine is to use learning to reduce false
positives by learning exceptions. A generic rule set such as the Core
Rule Set usually generates a small number of repeating false positives.
For example, some XSS signatures would alert a lot in a form than
enables editing a blog theme that contains HTML. A combined system would
use learning to determine such exceptions to the generic signatures.

~ Ofer Shezaf
ModSecurity Core Rule Set Project Leader
CTO, Breach Security

[1] 
http://www.modsecurity.org/projects/rules/index.html

[2]
http://www.cs.ucsb.edu/~vigna/publications/2003_kruegel_vigna_ccs03.pdf

[3]
http://www.cs.ucsb.edu/~vigna/publications/2006_robertson_vigna_kruegel_
kemmerer_NDSS.pdf


> -----Original Message-----
> From: listbounce () securityfocus com
> [mailto:listbounce () securityfocus com] On Behalf Of Sanjay R
> Sent: Sunday, May 20, 2007 1:55 PM
> To: Focus-Ids Mailing List
> Subject: automatic signature generation
>
> Hi List:
> There have been few studies to propose the automatic generation for
> misuse based IDS, like snort (in fact, it is the hot area of research
> among IDS researchers). Suddenly, it came into my mind, whether is it
> feasible to generate (Good) signatures for all types of attack in an
> automatic way (in a black-box environment, where we don't have the
> source-code of the vulnerable application)? Perhaps, It is easy
> (relatively) to automatically generate signature for flooding type of
> attacks. The main cause of my doubt is the observation that it is not
> feasible to generate attacks automatically. Usually, an attacker spend
> hours to analyze the application and then write an exploit. We don't
> have any tool that take, as an input,  the application to be
> exploited, and gives us an working exploit (of course, Metasploit
> helps us to create exploit). Therefore, the early thought that comes
> into my mind is "creating an automated signature generation tool is as
> difficult as creating an automated attack generation tool". I would
> like to know your opinion on this.
>
> -Sanjay
-----------------------------------------------------------------------
> -
> Test Your IDS
>
> Is your IDS deployed correctly?
> Find out quickly and easily by testing it
> with real-world attacks from CORE IMPACT.
> Go to
http://www.coresecurity.com/index.php5?module=Form&action=impact&campai
> gn=intro_sfw
> to learn more.
-----------------------------------------------------------------------
> -


------------------------------------------------------------------------
Test Your IDS

Is your IDS deployed correctly?
Find out quickly and easily by testing it
with real-world attacks from CORE IMPACT.
Go to http://www.coresecurity.com/index.php5?module=Form&action=impact&campaign=intro_sfw
to learn more.
------------------------------------------------------------------------