
| Subject: | RE: automatic signature generation |
|---|---|
| Date: | Sun, 27 May 2007 10:10:02 -0400 |
One problem I see with automated signature generation is that, if based on a sample of attack vectors, these signatures would address only those attack vectors. Strong signatures should address a vulnerability and not a specific attack vector exploiting it.

On the other hand there are interesting ways to combine learning and signatures. For example, combining generic signatures (such as ModSecurity Core Rule Set [1]) and a positive security model derived by learning (such as suggested by C. Kruegel and G. Vigna in their work "Anomaly Detection of Web-based Attacks" [2]). Kruegel, Vigna et al. describe two such ways to combine anomaly based positive security and signatures in their work "Using Generalization and Characterization Techniques in the Anomaly-based Detection of Web Attacks" [3]:

+ Generating "anomaly signatures"
+ Applying generic signatures of known attack techniques to lower false positive rate for anomaly based detection.

An additional way to combine is to use learning to reduce false positives by learning exceptions. A generic rule set such as the Core Rule Set usually generates a small number of repeating false positives. For example, some XSS signatures would alert a lot in a form that enables editing a blog theme that contains HTML. A combined system would use learning to determine such exceptions to the generic signatures.

~ Ofer Shezaf
ModSecurity Core Rule Set Project Leader
CTO, Breach Security

[1] http://www.modsecurity.org/projects/rules/index.html
[2] http://www.cs.ucsb.edu/~vigna/publications/2003_kruegel_vigna_ccs03.pdf
[3] http://www.cs.ucsb.edu/~vigna/publications/2006_robertson_vigna_kruegel_kemmerer_NDSS.pdf
-----Original Message-----
From: listbounce@securityfocus.com [mailto:listbounce@securityfocus.com] On Behalf Of Sanjay R
Sent: Sunday, May 20, 2007 1:55 PM
To: Focus-Ids Mailing List
Subject: automatic signature generation

Hi List:

There have been a few studies proposing automatic signature generation for misuse-based IDS, like Snort (in fact, it is the hot area of research among IDS researchers). Suddenly it came into my mind: is it feasible to generate (good) signatures for all types of attack in an automatic way (in a black-box environment, where we don't have the source code of the vulnerable application)? Perhaps it is easy (relatively) to automatically generate signatures for flooding types of attacks.

The main cause of my doubt is the observation that it is not feasible to generate attacks automatically. Usually, an attacker spends hours to analyze the application and then writes an exploit. We don't have any tool that takes, as an input, the application to be exploited, and gives us a working exploit (of course, Metasploit helps us to create exploits). Therefore, the early thought that comes into my mind is "creating an automated signature generation tool is as difficult as creating an automated attack generation tool".

I would like to know your opinion on this.

-Sanjay
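The combination Ofer describes (generic signatures, a learned positive model per parameter, and exceptions learned where a signature keeps firing on benign traffic, such as a blog theme editor carrying HTML), as an added illustration that is not part of the thread. The XSS regex, the profile fields and the sample requests are constructed placeholders, not Core Rule Set rules.

```python
import re
from collections import defaultdict

# Constructed stand-in for a generic XSS signature of the Core Rule Set kind.
XSS_SIGNATURE = re.compile(r"<\s*/?\s*(script|img|iframe)\b|on\w+\s*=", re.IGNORECASE)


class HybridDetector:
    """Generic signature + learned positive model + learned exceptions."""

    def __init__(self):
        # Positive model per parameter: longest benign value and its character set.
        self.profile = defaultdict(lambda: {"max_len": 0, "chars": set()})
        # Parameters on which the generic signature fired during benign training.
        self.exceptions = set()

    def train(self, benign_requests):
        for params in benign_requests:
            for name, value in params.items():
                p = self.profile[name]
                p["max_len"] = max(p["max_len"], len(value))
                p["chars"].update(value)
                if XSS_SIGNATURE.search(value):
                    self.exceptions.add(name)  # benign HTML field: learned exception

    def anomalous(self, name, value):
        if name not in self.profile:
            return True  # parameter never seen in training
        p = self.profile[name]
        return len(value) > 2 * p["max_len"] or not set(value) <= p["chars"]

    def classify(self, params):
        """Return 'attack', 'anomaly' or 'benign' for one request's parameters."""
        verdict = "benign"
        for name, value in params.items():
            sig = XSS_SIGNATURE.search(value) is not None
            anom = self.anomalous(name, value)
            if sig and (name not in self.exceptions or anom):
                return "attack"  # signature hit outside an exception, or exception but off-profile
            if anom:
                verdict = "anomaly"  # positive model only: lower-confidence alert
        return verdict


def build_example_detector():
    """Train on constructed benign traffic: a search box and an HTML theme editor."""
    benign = [
        {"q": "modsecurity rules", "theme": '<div class="post"><script src="/js/theme.js"></script></div>'},
        {"q": "anomaly detection", "theme": '<div><img src="/logo.png"></div>'},
    ]
    det = HybridDetector()
    det.train(benign)
    return det
```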