hide
Free keywords:
-
Abstract:
With the advance of technology, the need for fast reaction to remote attacks
gains
in importance. A common practice to help detect malicious activity is to
install an
Intrusion Detection System. Intrusion detection systems are equipped with a set
of
signatures�descriptions of known intrusion attempts. They monitor traffic and
use
the signatures to detect intrusion attempts.
To date, attack signatures are still mostly derived manually. However, to
ensure the
security of computer systems and data, the speed and quality of signature
generation has to be improved. To help achieve the task, we propose an approach
for automatic extraction of attack signatures.
In contrast to the majority of the existing research in the area, we do not
confine
our approach to a particular type of attack. In particular, we are the first to
try signature extraction for attacks resulting from misconfigured security
policies. Whereas the majority of existing approaches rely on statistical
methods and require many attack instances in order to launch the signature
generation mechanism, we use experimentation and need only a single attack
instance.
For experimentation, we combine an existing framework for capture and replay of
system calls with an appropriate minimization algorithm. We propose three
minimization algorithms: Delta Debugging, Binary Debugging and Consecutive
Binary Debugging.
We evaluate the performance of the different algorithms and test our approach
with an example program. In all test cases, our application successfully
extracts the
attack signature. Our current results suggest that this is a promising approach
that
can help us defend better and faster against unknown attacks.
