Theory and Techniques for Automatic Generation of Vulnerability-Based Signatures
1 A signature can be represented as a regular expression, a program in a Turing-complete language, etc. They consider multiple-path vulnerabilities. They have reduced the exponential explosion to O(n²). Vulnerability: a type of bug that can be used to alter program execution. Exploit: an input for the vulnerability. We need signature-based filtering to stop an outbreak immediately.
2 A signature should be constructed from the properties of the vulnerability rather than from an exploit. So, no .
3 The signature is indifferent to the specific type of attack.
4 They define a vulnerability as a Boolean predicate on the space of program executions. The predicate is checked by an execution monitor. A security policy is a safety property if a policy violation on a path means a policy violation on some finite subpath. A vulnerability has a vulnerability condition and a vulnerability point. They are trying to create signature generators that are sound but may be incomplete: no FP, but there may be FN.
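An added illustration of the notes above (not code from the paper or from these notes), using a constructed two-path toy message format and hypothetical function names. It contrasts an exploit-based pattern with vulnerability-based signatures, and shows a single-path signature that is sound (no FP) but incomplete (FN on the other path).

```python
import re

BUF_SIZE = 8  # constructed toy program: payload is copied into an 8-byte buffer

def monitor(msg: bytes) -> bool:
    """Ground truth, playing the execution monitor: True iff msg reaches the
    vulnerability point (the copy) with the vulnerability condition satisfied."""
    if len(msg) < 2 or msg[0:1] not in (b"g", b"G"):  # two paths reach the copy
        return False
    return msg[1] > BUF_SIZE  # declared length overruns the buffer

# Exploit-based: pattern lifted from the filler bytes of one observed exploit.
def exploit_sig(msg: bytes) -> bool:
    return re.search(rb"A{4}", msg) is not None

# Vulnerability-based, derived from one path only: sound but incomplete.
def single_path_sig(msg: bytes) -> bool:
    return len(msg) >= 2 and msg[0:1] == b"g" and msg[1] > BUF_SIZE

# Vulnerability-based, covering every path to the vulnerability point.
def all_paths_sig(msg: bytes) -> bool:
    return len(msg) >= 2 and msg[0:1] in (b"g", b"G") and msg[1] > BUF_SIZE

# Constructed inputs: (label, command byte + declared-length byte + payload)
SAMPLES = [
    ("observed exploit", b"g" + bytes([16]) + b"A" * 16),
    ("same bug, new filler", b"g" + bytes([16]) + b"B" * 16),
    ("same bug, other path", b"G" + bytes([16]) + b"C" * 16),
    ("benign, contains AAAA", b"g" + bytes([4]) + b"AAAA"),
    ("benign, other command", b"p" + bytes([16]) + b"D" * 16),
]

def errors(sig):
    """Return (false positives, false negatives) as lists of sample labels."""
    fp = [n for n, m in SAMPLES if sig(m) and not monitor(m)]
    fn = [n for n, m in SAMPLES if not sig(m) and monitor(m)]
    return fp, fn

if __name__ == "__main__":
    for sig in (exploit_sig, single_path_sig, all_paths_sig):
        fp, fn = errors(sig)
        print(f"{sig.__name__:16} FP={fp} FN={fn}")
```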
Sergey Vartanov, 2007–2020