IDS mailing list archives

Re: automatic signature generation


From: Tim <tim-security () sentinelchicken org>
Date: Tue, 22 May 2007 12:44:59 -0400

> Therefore, the early thought that comes
> into my mind is "creating an automated signature generation tool is as
> difficult as creating an automated attack generation tool". I would
> like to know your opinion on this.

I would say no.  That is, I think it would be easier to create an
automated signature generation tool than it would be to create an
automated exploit generation tool.  This is based on my experience with
machine learning algorithms and penetration testing.  This of course
with the caveats:

 - To create a signature for a single vulnerability, the generation tool
   would need to have a set of exploits for that vulnerability and a
   large body of harmless traffic to compare it against.

 - The signature generation tool would not be able to generate
   false-positive and false-negative free signatures (who does?).
   However, for simpler cases the error rates could be quite low and
   possibly even measurable.


As far as your comments about detecting flooding attacks, I think this
may actually be harder to get right.

HTH,
tim
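
The two caveats above describe a procedure: feed a generator a set of exploit samples for one vulnerability plus a body of harmless traffic, let it find what the exploits share and the benign traffic lacks, and then measure the error rates rather than assume they are zero. The following is an added toy implementation of that procedure, not code from the thread or from any of its participants. Every request below is constructed for the example; the `/api/item` endpoint, the request shapes and the 5-byte trigger sequence are hypothetical. It picks the longest byte string common to every exploit sample and absent from every benign sample, then reports false-negative and false-positive rates on held-out samples the generator never saw.

```python
"""
Toy automatic signature generator.

Inputs: a set of exploit samples for one vulnerability and a corpus of
benign traffic.  Output: the longest byte string present in every exploit
sample and absent from every benign sample, plus measured error rates on
held-out data.  All traffic here is constructed for the example; the
endpoint and the trigger bytes are hypothetical, not a real protocol.
"""

# Hypothetical byte sequence that trips the (imaginary) vulnerable parser.
TRIGGER = b"\x00\xff\xff\xff\x7f"

# Training data: several exploit variants sharing the trigger, and benign
# requests to the same endpoint, one of which carries a binary id that
# partially resembles the trigger.
TRAIN_EXPLOITS = [
    b"GET /api/item?id=AAAA" + TRIGGER + b"AAAA HTTP/1.0\r\n",
    b"GET /api/item?id=BBBBBBBB" + TRIGGER + b"B HTTP/1.0\r\n",
    b"POST /api/item HTTP/1.0\r\n\r\nid=" + TRIGGER + b"&x=1",
    b"GET /api/item?id=1&debug=" + TRIGGER + b" HTTP/1.0\r\n",
]
TRAIN_BENIGN = [
    b"GET /api/item?id=42 HTTP/1.0\r\n",
    b"GET /api/item?id=AAAA HTTP/1.0\r\n",
    b"POST /api/item HTTP/1.0\r\n\r\nid=7&x=1",
    b"GET /index.html HTTP/1.0\r\n",
    b"GET /api/item?id=\xff\xff HTTP/1.0\r\n",  # legitimate binary id
]

# Held-out data for measuring the signature.  The last exploit is a variant
# not covered by the training set; the last benign request is a file upload
# whose binary body happens to contain the trigger bytes.
TEST_EXPLOITS = [
    b"GET /api/item?id=CC" + TRIGGER + b" HTTP/1.0\r\n",
    b"POST /api/item HTTP/1.0\r\n\r\nid=" + TRIGGER,
    b"GET /api/item?id=" + TRIGGER + TRIGGER + b" HTTP/1.0\r\n",
    b"GET /api/item?id=\x00\xff\xff\x7f HTTP/1.0\r\n",
]
TEST_BENIGN = [
    b"GET /api/item?id=99 HTTP/1.0\r\n",
    b"GET /static/logo.png HTTP/1.0\r\n",
    b"POST /api/item HTTP/1.0\r\n\r\nid=3&x=2",
    b"POST /upload HTTP/1.0\r\n\r\n\x89PNG\r\n" + TRIGGER + b"\x00\x01",
]


def substrings(sample, min_len, max_len):
    """Yield every distinct substring of sample with min_len <= len <= max_len."""
    seen = set()
    for n in range(min_len, min(max_len, len(sample)) + 1):
        for i in range(len(sample) - n + 1):
            s = sample[i:i + n]
            if s not in seen:
                seen.add(s)
                yield s


def generate_signature(exploits, benign, min_len=4, max_len=64):
    """Return the longest byte string present in every exploit sample and in
    no benign sample, or None if no such string exists.

    Preferring the longest shared substring is the conservative policy:
    maximal specificity (fewer false positives) at the price of missing
    exploit variants that differ inside the matched bytes."""
    if not exploits:
        return None
    # Every shared substring is a substring of the shortest exploit, so
    # enumerating that one sample is enough.
    shortest = min(exploits, key=len)
    shared = [s for s in substrings(shortest, min_len, max_len)
              if all(s in e for e in exploits)]
    clean = [s for s in shared if not any(s in b for b in benign)]
    if not clean:
        return None
    return max(clean, key=lambda s: (len(s), s))


def evaluate(signature, exploits, benign):
    """Return (false_negative_rate, false_positive_rate) for a plain
    substring match of signature against held-out samples."""
    fn = sum(1 for e in exploits if signature not in e)
    fp = sum(1 for b in benign if signature in b)
    return fn / len(exploits), fp / len(benign)


def main():
    sig = generate_signature(TRAIN_EXPLOITS, TRAIN_BENIGN)
    fn, fp = evaluate(sig, TEST_EXPLOITS, TEST_BENIGN)
    print("signature:", sig)
    print(f"held-out false-negative rate: {fn:.2f}, false-positive rate: {fp:.2f}")


if __name__ == "__main__":
    main()
```

On the training data the generated signature is exactly the trigger sequence with zero errors, which is the easy part. The held-out run is the point of the exercise: the uncovered variant gives a false-negative rate of 0.25, and the binary upload gives a false-positive rate of 0.25, so the "who does?" in the second caveat shows up as numbers a practitioner can track rather than as a guess.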
