de.mpg.escidoc.pubman.appbase.FacesBean
English
 
Help Guide Disclaimer Contact us Login
  Advanced SearchBrowse

Item

ITEM ACTIONSEXPORT

Released

Thesis

Extraction of Attack Signatures

MPS-Authors
http://pubman.mpdl.mpg.de/cone/persons/resource/persons45112

Nenova,  Stefana
International Max Planck Research School, MPI for Informatics, Max Planck Society;

Locator
There are no locators available
Fulltext (public)
There are no public fulltexts available
Supplementary Material (public)
There is no public supplementary material available
Citation

Nenova, S. (2007). Extraction of Attack Signatures. Master Thesis, Universität des Saarlandes, Saarbrücken.


Cite as: http://hdl.handle.net/11858/00-001M-0000-0027-D1A0-2
Abstract
With the advance of technology, the need for fast reaction to remote attacks gains in importance. A common practice to help detect malicious activity is to install an Intrusion Detection System. Intrusion detection systems are equipped with a set of signatures�descriptions of known intrusion attempts. They monitor traffic and use the signatures to detect intrusion attempts. To date, attack signatures are still mostly derived manually. However, to ensure the security of computer systems and data, the speed and quality of signature generation has to be improved. To help achieve the task, we propose an approach for automatic extraction of attack signatures. In contrast to the majority of the existing research in the area, we do not confine our approach to a particular type of attack. In particular, we are the first to try signature extraction for attacks resulting from misconfigured security policies. Whereas the majority of existing approaches rely on statistical methods and require many attack instances in order to launch the signature generation mechanism, we use experimentation and need only a single attack instance. For experimentation, we combine an existing framework for capture and replay of system calls with an appropriate minimization algorithm. We propose three minimization algorithms: Delta Debugging, Binary Debugging and Consecutive Binary Debugging. We evaluate the performance of the different algorithms and test our approach with an example program. In all test cases, our application successfully extracts the attack signature. Our current results suggest that this is a promising approach that can help us defend better and faster against unknown attacks.