Systematic Signature Engineering by Re-use of Snort Signatures

• Published in: 2008 Annual Computer Security Applications Conference (ACSAC) pp. 23 - 32
• Main Authors: Schmerl, S., Koenig, H., Flegel, U., Meier, M., Rietz, R.
• Format: Conference Proceeding
• Language: English
• Published: IEEE 01.12.2008
• Subjects: Application software; Attack Signatures; Computer security; Counting circuits; Design engineering; Intrusion detection; Knowledge engineering; Misuse Detection; Signature Engineering; Snort; Specification languages; Systems engineering and theory
• ISBN: 0769534473; 9780769534473
• ISSN: 1063-9527; 2576-9103
• DOI: 10.1109/ACSAC.2008.20

Most intrusion detection systems deployed today apply the misuse detection approach. Misuse detection compares recorded audit data with predefined patterns denoted as signatures. A signature is usually empirically engineered based on experience and expert knowledge. This induces relatively long development times for novel signatures causing inappropriate long vulnerability windows. Methods for a systematic engineering have been scarcely reported so far. Approaches for an automated re-use of design and modeling decisions of available signatures also do not exist. In this paper we present an approach for systematic engineering of signatures which is based on the re-use of existing signatures. It exploits similarities with known attacks for the engineering process. The method applies an iterative abstraction of signatures. Based on a weighted assessment of the abstractions the signature engineer can select the most appropriate signatures or fragments of signatures for the development of the signature for a new attack. We demonstrate the usefulness of the method using Snort signatures as example.