FIRST - Improving Security Together 18th Annual FIRST Conference - June 2006 - Baltimore, Maryland

Automated Extraction of Threat Signatures from Network Flows

Local Host: CERT Coordination Center


Conference Schedule

Technical Track

Wednesday – June 28th, 14:30

The paper describes methods of automated threat signature generation from network flows. These methods are being implemented as part of the CERT Polska early warning ARAKIS project, and the paper is a follow-up to the ARAKIS talk given at the FIRST 2004 Budapest conference. The paper identifies what constitutes a good signature for use in IDS/IPS systems, presents an architecture for the signature extraction system, describes various signature extraction techniques, including the authors' own proposal, and presents some results. The level of technical detail is medium. The talk is targeted at an audience with security experience; in particular, knowledge of the underlying principles of intrusion detection and honeynets is helpful.

Authors & presenters

  • Piotr Kijewski, presenter (CERT POLSKA – Research and Academic Computer Network in Poland, PL)
