Automated Signature Extraction for High Volume Attacks

Yehuda Afek, Anat Bremler-Barr, Shir Landau Feibish
Conferences & Workshops
Deep Packet Inspection (DPI)


We present a basic tool for zero-day attack signature extraction. Given two large sets of messages, P, captured in the network at peacetime (i.e., mostly legitimate traffic), and A, captured during attack time (i.e., containing many attack messages), we present a tool for extracting a set S of strings that are frequently found in A and not in P. A packet containing one of the strings from S is therefore likely to be an attack packet.
This is an important tool for protecting sites on the Internet from worm attacks and Distributed Denial of Service (DDoS) attacks. It may also be useful for other problems, including command-and-control identification and DNA sequence analysis, which are beyond the scope of this work.
The two contributions of this paper are the problem definition together with the system we developed to extract the required signatures, and the string heavy-hitters algorithm. This algorithm finds popular strings of variable length in a set of messages, using the classic heavy-hitters algorithm as a building block in a non-obvious way. Our system then uses this algorithm to extract the desired signatures. Using our system, a yet unknown attack can be detected and stopped within minutes of the attack start time.
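As an added illustration, not the authors' tool or their string heavy-hitters algorithm and not code from the paper, the following Python sketch runs the pipeline the abstract describes over constructed HTTP-like traffic: a classic heavy-hitter summary (Misra-Gries, assumed here as the building block) over fixed-length k-grams of A, an exact second pass that discards candidates that are also common in P, and a greedy merge of overlapping surviving k-grams into variable-length strings. The k-gram tokenisation, the thresholds, the merge rule, the "X-Flood" header of the hypothetical bot and the sample messages are all assumptions of this example.

```python
"""
Signature extraction in the spirit of the abstract: strings frequent in the
attack-time set A and rare in the peacetime set P.  Added example; not the
authors' system.  Assumptions (not from the paper): fixed-length k-grams,
Misra-Gries as the heavy-hitter building block, greedy chaining of k-grams.
"""
from collections import defaultdict


def kgrams(msg, k):
    """All length-k substrings of msg, as a set: one vote per message, so a
    single packet repeating a string cannot inflate its popularity."""
    return {msg[i:i + k] for i in range(len(msg) - k + 1)}


def misra_gries(stream, num_counters):
    """Classic Misra-Gries summary with num_counters - 1 counters.  Any item
    whose true count exceeds n / num_counters (n = stream length) is
    guaranteed to survive; counts are undercounted by at most n / num_counters,
    which is why an exact second pass follows."""
    counters = {}
    for item in stream:
        if item in counters:
            counters[item] += 1
        elif len(counters) < num_counters - 1:
            counters[item] = 1
        else:
            for key in list(counters):
                counters[key] -= 1
                if counters[key] == 0:
                    del counters[key]
    return counters


def presence_fraction(messages, needle):
    """Fraction of messages containing needle at least once."""
    return sum(1 for m in messages if needle in m) / len(messages)


def merge_overlapping(grams, k):
    """Chain k-grams whose (k-1)-suffix equals another's (k-1)-prefix into
    longer strings.  Greedy: follows only unambiguous successors; k-grams that
    lie on a cycle (no chain start) are dropped."""
    grams = set(grams)
    by_prefix = defaultdict(list)
    for g in grams:
        by_prefix[g[:-1]].append(g)
    suffixes = {g[1:] for g in grams}
    merged = []
    for start in sorted(g for g in grams if g[:-1] not in suffixes):
        cur, seen = start, {start}
        while True:
            nxt = [g for g in by_prefix[cur[-(k - 1):]] if g not in seen]
            if len(nxt) != 1:
                break
            cur += nxt[0][-1]
            seen.add(nxt[0])
        merged.append(cur)
    return merged


def extract_signatures(peace, attack, k=6, num_counters=120,
                       min_attack_frac=0.5, max_peace_frac=0.05):
    """Return variable-length strings frequent in attack and rare in peace."""
    # Pass 1: heavy-hitter sketch over the k-grams of A.
    stream = (g for m in attack for g in kgrams(m, k))
    candidates = misra_gries(stream, num_counters)
    # Pass 2: exact per-message presence in A and P, candidates only.
    keep = [g for g in candidates
            if presence_fraction(attack, g) >= min_attack_frac
            and presence_fraction(peace, g) <= max_peace_frac]
    # Pass 3: grow surviving k-grams into longer signatures.
    return merge_overlapping(keep, k)


def matches(msg, signatures):
    """True if msg contains any extracted signature (i.e. is flagged)."""
    return any(s in msg for s in signatures)


# Constructed sample traffic, not real captures.  Peacetime: ordinary HTTP
# requests.  Attack time: 80% of messages carry a constant header injected by
# a hypothetical flooding bot (with a varying query string), 20% are legitimate.
PEACE = [
    "GET /index.html HTTP/1.1\r\nHost: example.org\r\n",
    "GET /images/logo.png HTTP/1.1\r\nHost: example.org\r\n",
    "GET /about HTTP/1.1\r\nHost: example.org\r\n",
    "POST /login HTTP/1.1\r\nHost: example.org\r\n",
    "GET /news/2014 HTTP/1.1\r\nHost: example.org\r\n",
] * 20
ATTACK = [f"GET /?s={i} HTTP/1.1\r\nHost: example.org\r\n"
          "X-Flood: BADBOT-7f3a9c\r\n" for i in range(80)] + PEACE[:20]

if __name__ == "__main__":
    for sig in extract_signatures(PEACE, ATTACK):
        print(repr(sig))
```

On this input the extraction yields two strings: the constant request-line prefix "GET /?s=" and the injected header with a few bytes of leading context ("org\r\nX-Flood: BADBOT-7f3a9c\r\n"), because the k-grams that straddle the boundary between the benign header and the injected one survive both filters. Strings shared with P such as " HTTP/1.1" and "Host: example.org" are rejected in the second pass even though they are in every attack message, and no peacetime message is matched by the result.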


January 25, 2014
Broadcom Foundation University Research Competition Second Place Winner
  author={Afek, Yehuda and Bremler-Barr, Anat and Landau Feibish, Shir},
  booktitle={Architectures for Networking and Communications Systems}, 
  title={Automated signature extraction for high volume attacks},