An automatic technique for generating signatures for malicious network traffic performs a cluster analysis of known malicious traffic to create a signature in the form of a state machine. The cluster analysis may operate on semantically tagged data collected by connection or session and normalized to eliminate protocol specific features. The signature extractor may generalize the finite-state machine signatures to match network traffic not previously observed.
展开▼
