
Research Of Attack Signature Automatic Generation Based On Muscle

Posted on: 2015-02-09
Degree: Master
Type: Thesis
Country: China
Candidate: S Z Liu
GTID: 2298330434954073
Subject: Information and Communication Engineering
Abstract: With the increase in network attacks and the emergence of large numbers of metamorphic and polymorphic techniques, relying only on after-the-fact analysis by security experts to generate attack signatures would seriously delay the detection of new attacks. Automatic attack signature generation can produce signatures quickly and accurately, and therefore helps keep the network environment safe and reliable. This paper analyses automatic attack signature generation technology, summarizes the existing problems and future development of signature generation, and studies the application of sequence alignment to automatic attack signature generation.

Because the Needleman-Wunsch algorithm causes a fragment problem when applied to automatic signature generation, INW is presented to reduce fragments and so obtain substrings with more semantic information. The NJ algorithm is a common method for building phylogenetic trees, but it may cause the "tied tree" problem. This paper proposes the INJ algorithm. If the sequence pairs that share the same minimum rate-corrected distance have no sequences in common, then all of these sequence pairs are added to the phylogenetic tree. Otherwise, the INJ algorithm resolves the tie by considering the second-smallest rate-corrected distance and the sequence distance to decide which sequence pair joins the phylogenetic tree in this round. The results show that INW generates more contiguous attack features with fewer fragments, while INJ builds a correct and unique topology.

Muscle is an effective MSA algorithm that combines progressive alignment with iterative alignment. However, when used for attack signature generation, the Muscle algorithm gives rise to the following problems: an uncertain phylogenetic tree, fragments, failure to remove noise interference, and so on. The paper puts forward an improved method, IMuscle. IMuscle has three phases, namely draft progressive alignment, improved progressive alignment, and refinement.

In the draft progressive phase, IMuscle removes as noise those sequences that are very different from the others or that cannot meet the requirements of valid attack data flows, and as a result reduces the interference of noise in the results; IMuscle generates more meaningful attack signatures by using the INW algorithm for pairwise sequence alignment and the INJ algorithm for building the phylogenetic tree. In the improved progressive phase, because the Kimura distance is easily influenced by the biological genetic model, the paper obtains the distance matrix using the normalized distance instead of the Kimura distance. The results show that IMuscle improves the convergence speed of the algorithm, obtains more accurate features, and has a better ability to resist noise.
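The fragment problem that the abstract attributes to Needleman-Wunsch can be seen on two short strings. The following is an added illustration, not code from the thesis: the function name, the scoring (match = 1, gap = 0, an optional bonus for a match that directly follows another match) and the two sample strings are assumptions, and the contiguity bonus is only one possible way to reduce fragments, not the thesis's INW.

```python
NEG = float("-inf")

def align_tokens(a, b, bonus=0):
    """Global alignment with match=1, gap=0; returns (score, matched runs).

    bonus is added whenever a match directly follows another match
    (assumed scoring, not the thesis's INW). bonus=0 is plain
    Needleman-Wunsch under this scoring.
    """
    n, m = len(a), len(b)
    # M[i][j]: best score for a[:i], b[:j] ending in a match column.
    # G[i][j]: best score ending in a gap column (0 on the borders).
    M = [[NEG] * (m + 1) for _ in range(n + 1)]
    G = [[0 if 0 in (i, j) else NEG for j in range(m + 1)] for i in range(n + 1)]
    for i in range(1, n + 1):
        for j in range(1, m + 1):
            if a[i - 1] == b[j - 1]:
                M[i][j] = 1 + max(M[i - 1][j - 1] + bonus, G[i - 1][j - 1])
            G[i][j] = max(M[i - 1][j], G[i - 1][j], M[i][j - 1], G[i][j - 1])
    # Traceback, collecting maximal runs of consecutive match columns.
    runs, cur = [], []
    i, j = n, m
    in_match = M[n][m] >= G[n][m]
    while i > 0 and j > 0:
        if in_match:
            cur.append(a[i - 1])
            in_match = M[i - 1][j - 1] + bonus >= G[i - 1][j - 1]
            i, j = i - 1, j - 1
            if not in_match:  # run ended: store it left-to-right
                runs.append("".join(reversed(cur)))
                cur = []
        elif M[i - 1][j] == G[i][j]:
            i, in_match = i - 1, True
        elif G[i - 1][j] == G[i][j]:
            i -= 1
        elif M[i][j - 1] == G[i][j]:
            j, in_match = j - 1, True
        else:
            j -= 1
    return max(M[n][m], G[n][m]), runs[::-1]

# Constructed strings standing in for two flows of one attack.
FLOW_A = "HTTP#G1H2T3T4P"
FLOW_B = "GHTTP"

if __name__ == "__main__":
    print(align_tokens(FLOW_A, FLOW_B))           # five one-byte fragments
    print(align_tokens(FLOW_A, FLOW_B, bonus=1))  # one contiguous token
```

Plain scoring maximizes the number of matched bytes and so prefers five scattered single-byte matches over the shared four-byte substring; with the bonus, the alignment gives up one match to keep the substring whole, which is the kind of token a signature can actually use.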
Keywords/Search Tags: intrusion detection, automatic signature generation, sequence alignment, Neighbor-joining (NJ), Muscle algorithm