RE: automatic signature generation

You might want to consider the following publications from the IEEE S&P proceedings:
- Misleading Worm Signature Generators Using Deliberate Noise Injection (Georgia Tech)
- Towards Automatic Generation of Vulnerability Based Signatures (CMU)

Regards,
Oleg Kolesnikov
http://www.cc.gatech.edu/isg/phd/ok

-----Original Message-----
From: listbounce@xxxxxxxxxxxxxxxxx
[mailto:listbounce@xxxxxxxxxxxxxxxxx]On Behalf Of Jose Nazario
Sent: Thursday, May 24, 2007 11:09 AM
To: Sanjay R
Cc: focus-ids@xxxxxxxxxxxxxxxxx
Subject: Re: automatic signature generation


have a look at tools like:

netsift www.netsift.net/ -- now a part of cisco, but check out
their technology.

honeycomb - www.icir.org/christian/honeycomb/index.html
uses suffix trees to evaluate honeypot dat to build signatures.

in short its been done, there's some room for improvement (via hueristics
and better speedups via algorithms), but it's proven to work.

________
jose nazario, ph.d. jose@xxxxxxxxxx
http://monkey.org/~jose/ http://monkey.org/~jose/secnews.html
http://www.wormblog.com/

------------------------------------------------------------------------
Test Your IDS

Is your IDS deployed correctly?
Find out quickly and easily by testing it
with real-world attacks from CORE IMPACT.
Go to http://www.coresecurity.com/index.php5?module=Form&action=impact&campaign=intro_sfw
to learn more.
------------------------------------------------------------------------


------------------------------------------------------------------------
Test Your IDS

Is your IDS deployed correctly?
Find out quickly and easily by testing it
with real-world attacks from CORE IMPACT.
Go to http://www.coresecurity.com/index.php5?module=Form&action=impact&campaign=intro_sfw
to learn more.
------------------------------------------------------------------------