Network Security Focus-IDS

Re: automatic signature generation

Subject: Re: automatic signature generation
Date: Thu, 24 May 2007 13:08:36 +0200
On 5/22/07, Tim <tim-security@sentinelchicken.org> wrote:
> Therefore, the early thought that comes
> into my mind is "creating an automated signature generation tool is as
> difficult as creating an automated attack generation tool". I would
> like to know your opinion on this.

I would say no.  That is, I think it would be easier to create an
automated signature generation tool than it would be to create an
automated exploit generation tool.  This is based on my experience with
machine learning algorithms and penetration testing.  This of course
comes with the caveats:

 - To create a signature for a single vulnerability, the generation tool
  would need to have a set of exploits for that vulnerability and a
  large body of harmless traffic to compare it against.
This is what I have in mind to start with. But there are problems. I
have manually created signatures for many vulnerabilities and for
various exploits/attacks; I had to use regexps or check many fields
related to vulnerable protocols/applications. So we miss the
context/semantics of the attack if we directly apply machine
learning, at least to my understanding. If you know some work in this
direction, please refer me to it. I would like to explore.

- The signature generation tool would not be able to generate false-positive and false-negative free signatures (who does?). However, for simpler cases the error rates could be quite low and possibly even measurable.


As far as your comments about detecting flooding attacks, I think this may actually be harder to get right.
Under the most general scenario, flooding is detected by the rate of
packets. So, if we keep checking the health of the victim
(destination), we can fine-tune the threshold for this rate
automatically. You may like to see the work of J. Cannady on "CMAC and
flooding attacks".

thanks
-Sanjay

HTH, tim



--
Postdoc, DIT, University of Trento, Italy
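The two points argued in this exchange, Tim's caveat that a generator needs a set of exploits for one vulnerability plus a large body of harmless traffic, and Sanjay's objection that applying machine learning directly to the bytes loses the protocol context, can be made concrete with a small experiment. The following is an added example written for this archive page; it is not code from either poster and does not implement any particular published system. It assumes a hypothetical CGI script (`/cgi-bin/report.cgi`) with a hypothetical `user` parameter, and every request below is constructed, not captured traffic. It trains two detectors on the same samples: a content-agnostic one that keeps byte tokens common to all exploit samples and absent from benign traffic, and a protocol-aware one that parses the request and learns a threshold on a single semantic feature (the longest query-parameter value). Both are then scored on held-out samples so the error rates are measured rather than assumed.

```python
"""Signature generation from exploit samples plus harmless traffic.

Added example (not from the Focus-IDS thread). The vulnerable script,
parameter names and all traffic are constructed for illustration.
"""

MIN_TOKEN_LEN = 6  # shortest byte token worth keeping in a content signature


def request(path, query="", version="1.1"):
    """Build one constructed HTTP request line as bytes."""
    target = path + ("?" + query if query else "")
    return ("GET %s HTTP/%s\r\n" % (target, version)).encode()


# Training set: three samples of the same hypothetical over-long 'user'
# value, each with different filler so no filler byte pattern is shared.
EXPLOIT_TRAIN = [
    request("/cgi-bin/report.cgi", "user=" + "A" * 300 + "&fmt=csv", "1.0"),
    request("/cgi-bin/report.cgi", "user=" + "Z" * 280 + "&fmt=pdf"),
    request("/cgi-bin/report.cgi", "user=" + "xy" * 160 + "&fmt=csv"),
]
BENIGN_TRAIN = [
    request("/cgi-bin/report.cgi", "user=alice&fmt=csv"),
    request("/cgi-bin/report.cgi", "user=bob&fmt=pdf"),
    request("/index.html"),
    request("/cgi-bin/login.cgi"),
]
# Held-out set used only for measuring error rates.
EXPLOIT_TEST = [
    request("/cgi-bin/report.cgi", "user=" + "Q" * 400 + "&fmt=csv"),
    request("/cgi-bin/report.cgi", "fmt=pdf&user=" + "ab" * 200, "1.0"),
]
BENIGN_TEST = [
    request("/cgi-bin/report.cgi", "user=carol&fmt=pdf"),
    # legitimate but long search string (180 bytes): the hard case
    request("/cgi-bin/search.cgi", "q=" + "quarterly+figures+" * 10),
    request("/cgi-bin/report.cgi", "user=dave"),
    request("/static/logo.png"),
]


def common_tokens(samples, min_len=MIN_TOKEN_LEN):
    """Maximal byte strings of length >= min_len present in every sample."""
    base, others = samples[0], samples[1:]
    candidates = set()
    for i in range(len(base) - min_len + 1):
        j = i + min_len
        if not all(base[i:j] in s for s in others):
            continue
        # extend to the right while the token is still shared by all samples
        while j < len(base) and all(base[i:j + 1] in s for s in others):
            j += 1
        candidates.add(base[i:j])
    # keep only maximal tokens: drop any that is a substring of another
    return {t for t in candidates if not any(t != u and t in u for u in candidates)}


def prune_benign(tokens, benign):
    """Drop every token that also occurs in the harmless corpus."""
    return {t for t in tokens if not any(t in b for b in benign)}


def token_signature_matches(tokens, flow):
    """All tokens must be present; an empty signature matches nothing."""
    return bool(tokens) and all(t in flow for t in tokens)


def longest_param_value(flow):
    """Protocol-aware feature: length of the longest query-parameter value.

    Minimal parser for one HTTP request line; anything that does not parse
    as a request with a query string yields 0.
    """
    try:
        _method, target, _rest = flow.split(b" ", 2)
    except ValueError:
        return 0
    if b"?" not in target:
        return 0
    longest = 0
    for param in target.split(b"?", 1)[1].split(b"&"):
        value = param.split(b"=", 1)[1] if b"=" in param else b""
        longest = max(longest, len(value))
    return longest


def learn_length_threshold(exploits, benign):
    """Midpoint between the longest benign value and the shortest exploit value."""
    hi_benign = max(longest_param_value(f) for f in benign)
    lo_exploit = min(longest_param_value(f) for f in exploits)
    if lo_exploit <= hi_benign:
        raise ValueError("training sets overlap on this feature")
    return (hi_benign + lo_exploit) / 2


def error_rates(classify, exploits, benign):
    """Return (false positive rate, false negative rate) on labelled flows."""
    fp = sum(1 for f in benign if classify(f))
    fn = sum(1 for f in exploits if not classify(f))
    return fp / len(benign), fn / len(exploits)


def build_and_evaluate():
    """Train both detectors on the training sets and score them on the held-out sets."""
    tokens = prune_benign(common_tokens(EXPLOIT_TRAIN), BENIGN_TRAIN)
    token_rates = error_rates(lambda f: token_signature_matches(tokens, f),
                              EXPLOIT_TEST, BENIGN_TEST)
    threshold = learn_length_threshold(EXPLOIT_TRAIN, BENIGN_TRAIN)
    length_rates = error_rates(lambda f: longest_param_value(f) > threshold,
                               EXPLOIT_TEST, BENIGN_TEST)
    return {"tokens": tokens, "token_rates": token_rates,
            "threshold": threshold, "length_rates": length_rates}


if __name__ == "__main__":
    r = build_and_evaluate()
    print("content tokens surviving benign pruning:", r["tokens"])
    print("token signature (FP, FN):", r["token_rates"])
    print("learned length threshold:", r["threshold"])
    print("length-feature signature (FP, FN):", r["length_rates"])
```

Run as a script, the content-token approach finds only the request prefix and the `HTTP/1.` fragment in common, both of which the benign corpus removes, so its signature is empty and it misses every held-out exploit (false negatives at 1.0). The feature that actually separates the samples, the length of a parameter value, is not a byte string at all, which is the context problem raised above. The protocol-aware detector catches all held-out exploits but flags the long legitimate search query, giving a measured 0.25 false-positive rate on this tiny set; that is the "low and measurable" error rate the thread mentions, and it also shows why the benign corpus has to be large and representative before such a threshold is trusted.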


