pSigene: Generalizing Attack Signatures
Project Members
Jeff Avery, Gaspar Modelo-Howard, Fahad Arshad, Saurabh Bagchi, Yuan Qi
Abstract
Intrusion detection systems (IDS) are an important component of effective computer system protection. Misuse detection is the most popular approach to detecting intrusions: it matches traffic against a library of attack signatures. The accuracy of those signatures is paramount for an effective IDS, yet today's practitioners still rely on manual techniques to improve and update them. We present pSigene, a system for the automatic generation of intrusion signatures by mining the vast amount of public data available on attacks. It follows a four-step process. First, attack samples are crawled from multiple public cyber security web portals. Second, a feature set is derived from existing detection signatures and used to model the samples. Third, the modelled samples are grouped with a biclustering algorithm, which also yields the distinctive features of each cluster. Finally, the system automatically creates one regular-expression signature per cluster.
We tested our architecture on the prevalent class of SQL injection attacks and found our signatures to have true positive and false positive rates of over 86% and 0.03%, respectively. We compared these results with other SQL injection signature sets from popular IDS and web application firewalls; our system is competitive with the existing signature sets.
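The following is an added, deliberately simplified illustration of the four-step pipeline the abstract describes; it is not pSigene's code, and none of it comes from the project. The feature regexes (step 2), the "crawled" attack samples (step 1), the held-out test traffic and the grouping rule are all constructed here. In particular, grouping samples by identical feature set stands in for the paper's biclustering, which tolerates partial overlap between samples and features; the per-cluster signature is built by turning each of the cluster's distinctive features into a regex lookahead, and the true/false positive rates of the abstract are measured the same way over labelled requests.

```python
import re
from collections import defaultdict

# Added example: a simplified stand-in for the pipeline in the abstract.
# Not pSigene's code. All feature regexes, requests and the exact-feature-set
# grouping (in place of biclustering) are constructed for this illustration.

# Step 2 input: feature regexes of the kind found in existing SQLi signatures.
FEATURES = {
    "union_select": r"\bunion\b.*\bselect\b",
    "or_tautology": r"\bor\b\s+\d+\s*=\s*\d+",
    "comment": r"(--|#|/\*)",
    "quote": r"'",
    "stacked_query": r";\s*(drop|delete|insert|update)\b",
    "timing": r"\b(sleep|benchmark|waitfor)\b",
}

# Step 1 stand-in: attack samples as they might be crawled from a public portal.
CRAWLED_ATTACKS = [
    "id=1' or 1=1 --",
    "id=2' OR 2=2 #",
    "id=1 union select user,pass from users",
    "id=-1 UNION SELECT null,version() --",
    "id=1; drop table users",
    "id=1' and sleep(5) --",
]

# Held-out traffic for the evaluation (constructed).
TEST_ATTACKS = [
    "user=admin' OR 7=7 --",
    "q=x UNION ALL SELECT 1,2,3",
    "id=5; DELETE FROM logs",
    "id=1 and benchmark(1000000,md5(1))",      # timing attack, no quote/comment
]
TEST_BENIGN = [
    "name=O'Brien",
    "q=price -- sale",
    "search=union select committee minutes",   # benign text that looks like SQLi
    "id=42",
]


def featurize(request):
    """Step 2: model a request as the set of feature names whose regex fires."""
    return frozenset(
        name for name, pattern in FEATURES.items()
        if re.search(pattern, request, re.I)
    )


def cluster(samples):
    """Step 3 stand-in: group samples that share an identical feature set.
    The paper's biclustering also handles partially overlapping samples."""
    groups = defaultdict(list)
    for sample in samples:
        groups[featurize(sample)].append(sample)
    return dict(groups)


def generate_signature(feature_set):
    """Step 4: one regex per cluster. Each distinctive feature becomes a
    lookahead, so the signature fires only when all of them are present."""
    if not feature_set:
        return None   # a feature-less cluster would match every request
    body = "".join(f"(?=.*{FEATURES[name]})" for name in sorted(feature_set))
    return re.compile(body, re.I | re.S)


def build_signatures(samples):
    signatures = []
    for feature_set in cluster(samples):
        sig = generate_signature(feature_set)
        if sig is not None:
            signatures.append(sig)
    return signatures


def is_attack(signatures, request):
    return any(sig.search(request) for sig in signatures)


def evaluate(signatures, attacks, benign):
    """True positive rate and false positive rate over labelled traffic."""
    tp = sum(is_attack(signatures, r) for r in attacks)
    fp = sum(is_attack(signatures, r) for r in benign)
    return tp / len(attacks), fp / len(benign)


def run_demo():
    return evaluate(build_signatures(CRAWLED_ATTACKS), TEST_ATTACKS, TEST_BENIGN)


if __name__ == "__main__":
    for fs, members in cluster(CRAWLED_ATTACKS).items():
        print(sorted(fs), "->", generate_signature(fs).pattern, members)
    tpr, fpr = run_demo()
    print(f"TPR={tpr:.2f} FPR={fpr:.2f}")
```

Running it shows both limits the abstract's numbers hide: the `benchmark(...)` attack is missed because the only timing cluster also demands a quote and a comment, and the benign "union select committee" request is flagged because one cluster's sole distinctive feature is `union ... select`. Which features a cluster is allowed to keep is exactly what the biclustering step decides in the real system.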