Automated Signature Extraction for High Volume Attacks

Yehuda Afek, Anat Bremler-Barr, Shir Landau Feibish
ACM/IEEE ANCS,
2013
Conferences & Workshops
Deep Packet Inspection (DPI)

Abstract

We present a basic tool for zero-day attack signature extraction. Given two large sets of messages, P of messages captured in the network at peacetime (i.e., mostly legitimate traffic) and A captured during attack time (i.e., containing many attack messages), we present a tool for extracting a set S of strings that are frequently found in A and not in P. Therefore, a packet containing one of the strings from S is likely to be an attack packet.
This is an important tool in protecting sites on the Internet from worm attacks and Distributed Denial of Service (DDoS) attacks. It may also be useful for other problems, including command and control identification, DNA-sequence analysis, etc., which are beyond the scope of this work.
Two contributions of this paper are the system we developed to extract the required signatures, together with the problem definition, and the string heavy-hitters algorithm. This algorithm finds popular strings of variable length in a set of messages, using the classic heavy-hitter algorithm as a building block in a non-obvious way. This algorithm is then used by our system to extract the desired signatures. Using our system, a yet unknown attack can be detected and stopped within minutes from attack start time.
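To make the P/A formulation concrete, the following is an added illustration (not the paper's code, and a simplification of its string heavy-hitters algorithm): fixed-length k-grams stand in for variable-length strings, the classic Misra-Gries heavy-hitter summary shortlists candidates from A, and a second exact pass keeps only candidates that are common in A and rare in P. The HTTP messages, thresholds and the `xXx-FLOODER-v1` marker are constructed for the example.

```python
from collections import Counter

def kgrams(msg, k):
    """All distinct length-k substrings of msg (the candidate strings)."""
    return {msg[i:i + k] for i in range(len(msg) - k + 1)}

def misra_gries(stream, capacity):
    """Classic heavy-hitter summary: any item seen more than n/(capacity+1)
    times in a stream of n items is guaranteed to survive in the summary."""
    counters = {}
    for item in stream:
        if item in counters:
            counters[item] += 1
        elif len(counters) < capacity:
            counters[item] = 1
        else:  # summary full: decrement every counter, drop the zeros
            for key in list(counters):
                counters[key] -= 1
                if counters[key] == 0:
                    del counters[key]
    return counters

def extract_signatures(attack, peace, k=8, capacity=256, min_attack=0.2, max_peace=0.01):
    """Return S: k-grams present in >= min_attack of A and <= max_peace of P.
    Pass 1 shortlists candidates from A with the heavy-hitter summary; pass 2
    counts only those candidates exactly, once per message, in both A and P."""
    candidates = misra_gries((g for m in attack for g in kgrams(m, k)), capacity)
    in_a = Counter(g for m in attack for g in kgrams(m, k) if g in candidates)
    in_p = Counter(g for m in peace for g in kgrams(m, k) if g in candidates)
    return {g for g in candidates
            if in_a[g] >= min_attack * len(attack)
            and in_p[g] <= max_peace * len(peace)}

def is_attack(msg, signatures):
    """A message carrying any extracted string is classified as attack traffic."""
    return any(s in msg for s in signatures)

# Constructed sample traffic (hypothetical, not from the paper): P is peacetime
# traffic; A mixes a flood of marked requests with some legitimate ones.
def legit(i):
    return f"GET /index.html?page={i} HTTP/1.1\r\nUser-Agent: Mozilla/5.0\r\n"

def flood(i):
    return f"GET /index.html?page={i} HTTP/1.1\r\nUser-Agent: xXx-FLOODER-v1\r\n"

PEACE = [legit(i) for i in range(100)]
ATTACK = [flood(i) for i in range(60)] + [legit(i) for i in range(20)]
SIGNATURES = extract_signatures(ATTACK, PEACE)

if __name__ == "__main__":
    print(sorted(SIGNATURES))
    print(is_attack(flood(999), SIGNATURES), is_attack(legit(999), SIGNATURES))
```

Strings shared by both sets (such as the request line) are rejected by the P pass even though they are heavy hitters in A; only the flood's distinctive User-Agent fragments remain in S.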

Prizes

January 25, 2014
Broadcom Foundation University Research Competition Second Place Winner
@INPROCEEDINGS{6665197,
  author={Afek, Yehuda and Bremler-Barr, Anat and Landau Feibish, Shir},
  booktitle={Architectures for Networking and Communications Systems}, 
  title={Automated signature extraction for high volume attacks}, 
  year={2013},
  volume={},
  number={},
  pages={147-156},
  doi={10.1109/ANCS.2013.6665197}}