Simplifying signature engineering by reuse

  • Authors: Sebastian Schmerl; Hartmut Koenig; Ulrich Flegel; Michael Meier
  • Affiliations: Brandenburg University of Technology Cottbus, Cottbus, Germany; Brandenburg University of Technology Cottbus, Cottbus, Germany; University of Dortmund, Dortmund, Germany; University of Dortmund, Dortmund, Germany
  • Venue: ETRICS'06 Proceedings of the 2006 international conference on Emerging Trends in Information and Communication Security
  • Year: 2006

Abstract

Most intrusion detection systems deployed today apply misuse detection as their detection procedure. Misuse detection compares the recorded audit data with predefined patterns, i.e. signatures. A signature is usually developed empirically, based on experience and expert knowledge. Methods for systematic signature development are scarcely reported yet, and automated approaches to reusing the design and modeling decisions embodied in existing signatures do not exist. This leads to relatively long development times for signatures and, consequently, to inappropriately long vulnerability windows. In this paper we present an approach for systematic signature derivation. It reuses existing signatures, exploiting similarities between a new attack and known attacks to derive the new signature. The approach is based on an iterative abstraction of signatures: using a weighted abstraction tree, it selects those signatures or signature fragments that are similar to the novel attack. Finally, we present a practical application of the approach using the signature description language EDL.