With the advance of technology, the need for fast reaction to remote attacks
in importance. A common practice to help detect malicious activity is to
Intrusion Detection System. Intrusion detection systems are equipped with a set
signatures�descriptions of known intrusion attempts. They monitor traffic and
the signatures to detect intrusion attempts.
To date, attack signatures are still mostly derived manually. However, to
security of computer systems and data, the speed and quality of signature
generation has to be improved. To help achieve the task, we propose an approach
for automatic extraction of attack signatures.
In contrast to the majority of the existing research in the area, we do not
our approach to a particular type of attack. In particular, we are the first to
try signature extraction for attacks resulting from misconfigured security
policies. Whereas the majority of existing approaches rely on statistical
methods and require many attack instances in order to launch the signature
generation mechanism, we use experimentation and need only a single attack
For experimentation, we combine an existing framework for capture and replay of
system calls with an appropriate minimization algorithm. We propose three
minimization algorithms: Delta Debugging, Binary Debugging and Consecutive
We evaluate the performance of the different algorithms and test our approach
with an example program. In all test cases, our application successfully
attack signature. Our current results suggest that this is a promising approach
can help us defend better and faster against unknown attacks.