System for automated signature generation and refinement
Abstract
Systems and methods are provided for generating samples of network traffic and characterizing the samples to easily identify exploits. A first embodiment of the present disclosure can generate traffic between a sample generator and the target computing device based on a particular exploit. The traffic can be a plurality of samples of the exploit using an exploit script. The method can provide for collecting and storing the plurality of samples. These samples can then be used to characterize the exploit by identifying invariant portions and variable portions of the samples. The method can further provide for removing any artifacts from the samples. Regular expressions can be constructed based on the samples. Each regular expression can be tested and ranked according to metrics of efficiency and accuracy.
Claims
exact text as granted — not AI-modified1 . A method for generating samples of network traffic attempting to gain unauthorized access to a target computing device, comprising:
receiving an exploit script at a host device, wherein the exploit script configures a sample generator at the host device to attempt unauthorized access to the target computing device; generating traffic, based on the exploit script, between the sample generator and the target computing device; collecting a plurality of samples of the generated traffic; and storing the plurality of samples in a storage device, wherein the storage device is accessible by the host device.
2 . The method of claim 1 , wherein each sample in the plurality of samples further comprises at least one distinct portion from remaining samples in the plurality of samples.
3 . The method of claim 1 , wherein each sample in the plurality of samples can further comprise invariant portions and variable portions, wherein the invariant portions have identical values for different generations of the exploit script and the variable portions have unique values for different generations of the exploit script.
4 . The method of claim 1 , wherein the generated traffic occurs via a separate and private network between the host device and the target computing device.
5 . The method of claim 1 , further comprising determining at least one characteristic of the exploit from the collected plurality of samples to detect the exploit.
6 . A system for generating samples of network traffic, comprising:
a target computing device; a storage device; and a host device comprising a sample generator, wherein the host device is configured to:
receive an exploit script, wherein the exploit script configures the sample generator to attempt unauthorized access to the target computing device;
generate traffic, based on the received exploit script, between the sample generator and the target computing device;
collect a plurality of samples of the generated traffic; and
store the plurality of samples on the storage device.
7 . A non-transitory machine-readable medium, having stored thereon instructions for performing a method of generating samples of network traffic, the non-transitory machine-readable medium comprising machine executable code, which, when executed by at least one machine, causes the machine to:
receive an exploit script at a host device, wherein the exploit script configures a sample generator at the host device to attempt unauthorized access to a target computing device; generate traffic, based on the exploit script, between a sample generator and the target computing device; collect a plurality of samples of the generated traffic; and store the plurality of samples in a storage device, wherein the storage device is accessible by the host device.
8 - 19 . (canceled)
20 . The system of claim 6 , wherein each sample in the plurality of samples further comprises at least one distinct portion from remaining samples in the plurality of samples.
21 . The system of claim 6 , wherein each sample in the plurality of samples can further comprise invariant portions and variable portions, wherein the invariant portions have identical values for different generations of the exploit script and the variable portions have unique values for different generations of the exploit script.
22 . The system of claim 6 , wherein the generated traffic occurs via a separate and private network between the host device and the target computing device.
23 . The system of claim 6 , wherein the exploit script configures the sample generator to determine at least one characteristic of the exploit from the collected plurality of samples to detect the exploit.
24 . The system of claim 6 , wherein the storage device stores harvested samples from at least one of logs, direct observation or an anomaly detection system of a legacy computer system.
25 . The system of claim 24 , wherein the harvested samples are labeled with a class of exploits.
26 . The system of claim 1 , wherein the host device transfers the plurality of samples to a legacy computer security system.
27 . The method of claim 1 , further comprising storing harvested samples from at least one of logs, direct observation or an anomaly detection system of a legacy computer system in the storage device.
28 . The method of claim 27 , further comprising labeling the harvested samples with a class of exploits.
29 . The method of claim 27 , further comprising transferring the plurality of samples to a legacy computer security system.Cited by (0)
No later patents cite this yet.
References (0)
No backward citations on record.