Title :
Systematic Signature Engineering by Re-use of Snort Signatures
Author :
Schmerl, Sebastian ; Koenig, Hartmut ; Flegel, Ulrich ; Meier, Michael ; Rietz, René
Author_Institution :
Brandenburg Univ. of Technol., Cottbus
Abstract :
Most intrusion detection systems deployed today apply the misuse detection approach. Misuse detection compares recorded audit data with predefined patterns denoted as signatures. A signature is usually empirically engineered based on experience and expert knowledge. This induces relatively long development times for novel signatures causing inappropriate long vulnerability windows. Methods for a systematic engineering have been scarcely reported so far. Approaches for an automated re-use of design and modeling decisions of available signatures also do not exist. In this paper we present an approach for systematic engineering of signatures which is based on the re-use of existing signatures. It exploits similarities with known attacks for the engineering process. The method applies an iterative abstraction of signatures. Based on a weighted assessment of the abstractions the signature engineer can select the most appropriate signatures or fragments of signatures for the development of the signature for a new attack. We demonstrate the usefulness of the method using Snort signatures as example.
Keywords :
expert systems; security of data; Snort signature; intrusion detection system; iterative abstraction; misuse detection approach; systematic signature engineering; Application software; Computer security; Counting circuits; Design engineering; Intrusion detection; Knowledge engineering; Specification languages; Systems engineering and theory; Attack Signatures; Computer Security; Intrusion Detection; Misuse Detection; Signature Engineering; Snort;
Conference_Titel :
Computer Security Applications Conference, 2008. ACSAC 2008. Annual
Conference_Location :
Anaheim, CA
Print_ISBN :
978-0-7695-3447-3
DOI :
10.1109/ACSAC.2008.20
