IDS mailing list archives
RE: automatic signature generation
From: "Ofer Shezaf" <OferS () Breach com>
Date: Sun, 27 May 2007 10:10:02 -0400
One problem I see with automated signature generation is that, if based on a sample of attack vectors, these signatures would address only those attack vectors. Strong signatures should address a vulnerability and not a specific attack vector exploiting it.

On the other hand there are interesting ways to combine learning and signatures. For example, combining generic signatures (such as the ModSecurity Core Rule Set [1]) and a positive security model derived by learning (such as suggested by C. Kruegel and G. Vigna in their work "Anomaly Detection of Web-based Attacks" [2]). Kruegel, Vigna et al. describe two such ways to combine anomaly-based positive security and signatures in their work "Using Generalization and Characterization Techniques in the Anomaly-based Detection of Web Attacks" [3]:

+ Generating "anomaly signatures"
+ Applying generic signatures of known attack techniques to lower the false positive rate for anomaly-based detection.

An additional way to combine is to use learning to reduce false positives by learning exceptions. A generic rule set such as the Core Rule Set usually generates a small number of repeating false positives. For example, some XSS signatures would alert a lot in a form that enables editing a blog theme that contains HTML. A combined system would use learning to determine such exceptions to the generic signatures.

~ Ofer Shezaf
ModSecurity Core Rule Set Project Leader
CTO, Breach Security

[1] http://www.modsecurity.org/projects/rules/index.html
[2] http://www.cs.ucsb.edu/~vigna/publications/2003_kruegel_vigna_ccs03.pdf
[3] http://www.cs.ucsb.edu/~vigna/publications/2006_robertson_vigna_kruegel_kemmerer_NDSS.pdf
-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On Behalf Of Sanjay R
Sent: Sunday, May 20, 2007 1:55 PM
To: Focus-Ids Mailing List
Subject: automatic signature generation

Hi List:

There have been a few studies proposing automatic signature generation for misuse-based IDS, like Snort (in fact, it is a hot area of research among IDS researchers). Suddenly, it came into my mind whether it is feasible to generate (good) signatures for all types of attack in an automatic way (in a black-box environment, where we don't have the source code of the vulnerable application)? Perhaps it is (relatively) easy to automatically generate signatures for flooding types of attacks.

The main cause of my doubt is the observation that it is not feasible to generate attacks automatically. Usually, an attacker spends hours analyzing the application and then writes an exploit. We don't have any tool that takes, as input, the application to be exploited, and gives us a working exploit (of course, Metasploit helps us to create exploits). Therefore, the early thought that comes into my mind is "creating an automated signature generation tool is as difficult as creating an automated attack generation tool".

I would like to know your opinion on this.

-Sanjay
-----------------------------------------------------------------------
Test Your IDS
Is your IDS deployed correctly? Find out quickly and easily by testing it with real-world attacks from CORE IMPACT. Go to http://www.coresecurity.com/index.php5?module=Form&action=impact&campaign=intro_sfw to learn more.
-----------------------------------------------------------------------
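The combined scheme Ofer describes (a generic signature, a positive model learned per form parameter, and learned exceptions where the generic signature keeps firing on benign traffic for one form) as an added Python sketch. This is example code written for this page, not ModSecurity, the Core Rule Set, or the Kruegel/Vigna implementation; the XSS_SIG pattern, the CombinedDetector class, the min_hits and 2x length thresholds, and the training and test requests are all constructed assumptions.

```python
import re
from collections import defaultdict

# Hypothetical generic signature in the spirit of a CRS XSS rule: matches
# HTML tags, javascript: URLs and inline event handlers in a parameter value.
XSS_SIG = re.compile(r"<\s*/?\s*[a-z][^>]*>|javascript:|on\w+\s*=", re.I)


class CombinedDetector:
    """Generic signature + learned exceptions + learned positive model.

    Keys are (request path, parameter name), so an exception learned for the
    blog-theme editor's HTML field does not leak to any other form.
    """

    def __init__(self, min_hits=5):
        self.min_hits = min_hits
        self.sig_hits = defaultdict(int)  # (path, param) -> signature hits in training
        self.exceptions = set()           # (path, param) where the signature is suppressed
        self.max_len = {}                 # (path, param) -> longest benign value seen

    def learn(self, path, params):
        """Training phase over traffic assumed benign."""
        for name, value in params.items():
            key = (path, name)
            if XSS_SIG.search(value):
                # A generic signature that fires repeatedly on the same benign
                # parameter is a repeating false positive: learn it as an exception.
                self.sig_hits[key] += 1
                if self.sig_hits[key] >= self.min_hits:
                    self.exceptions.add(key)
            # Simplified positive model: the longest value seen per parameter.
            self.max_len[key] = max(self.max_len.get(key, 0), len(value))

    def inspect(self, path, params):
        """Detection phase: returns a list of (alert, path, param) tuples."""
        alerts = []
        for name, value in params.items():
            key = (path, name)
            if XSS_SIG.search(value) and key not in self.exceptions:
                alerts.append(("signature:xss", path, name))
            if key not in self.max_len:
                alerts.append(("anomaly:unknown-parameter", path, name))
            elif len(value) > 2 * self.max_len[key]:
                # The positive model still applies to excepted parameters.
                alerts.append(("anomaly:length", path, name))
        return alerts


# Constructed training traffic: six benign theme edits that contain HTML
# (enough to cross min_hits) and three plain search queries.
TRAINING = [
    ("/admin/theme", {"html": "<div class='post'><h1>Title</h1></div>"}),
    ("/admin/theme", {"html": "<p>Hello <b>world</b></p>"}),
    ("/admin/theme", {"html": "<ul><li>Home</li><li>About</li></ul>"}),
    ("/admin/theme", {"html": "<footer>Copyright 2007</footer>"}),
    ("/admin/theme", {"html": "<span style='color:red'>Alert</span>"}),
    ("/admin/theme", {"html": "<a href='/'>Home</a>"}),
    ("/search", {"q": "security"}),
    ("/search", {"q": "intrusion detection"}),
    ("/search", {"q": "ids signatures"}),
]

# Constructed detection-phase requests.
CASES = {
    "theme_edit_benign": ("/admin/theme", {"html": "<p>New layout</p>"}),
    "search_xss": ("/search", {"q": "<script>alert(1)</script>"}),
    "search_oversize": ("/search", {"q": "A" * 200}),
    "theme_edit_oversize": ("/admin/theme", {"html": "<div>" + "x" * 300 + "</div>"}),
    "unknown_param": ("/search", {"page": "2"}),
}


def build_detector():
    det = CombinedDetector(min_hits=5)
    for path, params in TRAINING:
        det.learn(path, params)
    return det


def run_demo():
    """Inspect every case with the trained detector; returns {case: alerts}."""
    det = build_detector()
    return {name: det.inspect(path, params) for name, (path, params) in CASES.items()}


if __name__ == "__main__":
    for case, alerts in run_demo().items():
        print(f"{case:22s} -> {alerts or 'no alert'}")
```

The theme editor's HTML field is excepted from the XSS signature after training, so routine edits stop alerting, while the same signature still fires on the search form and the length model still flags an oversized theme submission. The exceptions are only as good as the training window: the learner treats everything it is shown as benign, so training traffic needs to be reviewed before its exceptions go live, and keying exceptions per (path, parameter) rather than per rule keeps each one as narrow as possible.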
Current thread:
- automatic signature generation Sanjay R (May 22)
- Re: automatic signature generation Tim (May 24)
- Re: automatic signature generation Sanjay R (May 24)
- Re: automatic signature generation Jose Nazario (May 24)
- RE: automatic signature generation Oleg Kolesnikov x 133 (May 28)
- Re: automatic signature generation Hugo Francisco González Robledo (May 24)
- RE: automatic signature generation Ackley, Alex (May 24)
- Re: automatic signature generation Eric Hacker (May 24)
- Re: automatic signature generation Sanjay R (May 24)
- RE: automatic signature generation Joshua Barnes (May 24)
- RE: automatic signature generation Ofer Shezaf (May 28)
- Re: automatic signature generation Tim (May 24)