Item

Abstract

With the advance of technology, the need for fast reaction to remote attacks gains in importance. A common practice to help detect malicious activity is to install an Intrusion Detection System. Intrusion detection systems are equipped with a set of signatures�descriptions of known intrusion attempts. They monitor traffic and use the signatures to detect intrusion attempts. To date, attack signatures are still mostly derived manually. However, to ensure the security of computer systems and data, the speed and quality of signature generation has to be improved. To help achieve the task, we propose an approach for automatic extraction of attack signatures. In contrast to the majority of the existing research in the area, we do not confine our approach to a particular type of attack. In particular, we are the first to try signature extraction for attacks resulting from misconfigured security policies. Whereas the majority of existing approaches rely on statistical methods and require many attack instances in order to launch the signature generation mechanism, we use experimentation and need only a single attack instance. For experimentation, we combine an existing framework for capture and replay of system calls with an appropriate minimization algorithm. We propose three minimization algorithms: Delta Debugging, Binary Debugging and Consecutive Binary Debugging. We evaluate the performance of the different algorithms and test our approach with an example program. In all test cases, our application successfully extracts the attack signature. Our current results suggest that this is a promising approach that can help us defend better and faster against unknown attacks.