You might want to consider the following publications from the IEEE S&P proceedings: - Misleading Worm Signature Generators Using Deliberate Noise Injection (Georgia Tech) - Towards Automatic Generation of Vulnerability Based Signatures (CMU)
Regards, Oleg Kolesnikov http://www.cc.gatech.edu/isg/phd/ok -----Original Message----- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of Jose Nazario Sent: Thursday, May 24, 2007 11:09 AM To: Sanjay R Cc: [email protected] Subject: Re: automatic signature generation have a look at tools like: netsift www.netsift.net/ -- now a part of cisco, but check out their technology. honeycomb - www.icir.org/christian/honeycomb/index.html uses suffix trees to evaluate honeypot dat to build signatures. in short its been done, there's some room for improvement (via hueristics and better speedups via algorithms), but it's proven to work. ________ jose nazario, ph.d. [EMAIL PROTECTED] http://monkey.org/~jose/ http://monkey.org/~jose/secnews.html http://www.wormblog.com/ ------------------------------------------------------------------------ Test Your IDS Is your IDS deployed correctly? Find out quickly and easily by testing it with real-world attacks from CORE IMPACT. Go to http://www.coresecurity.com/index.php5?module=Form&action=impact&campaign=intro_sfw to learn more. ------------------------------------------------------------------------ ------------------------------------------------------------------------ Test Your IDS Is your IDS deployed correctly? Find out quickly and easily by testing it with real-world attacks from CORE IMPACT. Go to http://www.coresecurity.com/index.php5?module=Form&action=impact&campaign=intro_sfw to learn more. ------------------------------------------------------------------------
