FASGuard (Framework for Automatic Signature Generation)

FASGuard is designed to produce Snort rules from packets forwarded by anomaly detectors compliant with the FASGuard interface. FASGuard contains:

• A FASGuard format interface for anomaly detectors to transmit packet and meta-data to the signature extraction module.
• A reference host-peering anomaly detector which detects one type of anomaly and adheres to the FASGuard format interface.
• An Automatic Signature Generation (ASG) module that incorporates three separate signature extraction algorithms:
  • N-gram based signatures;
  • Joined signatures which find regions of unique content in suspicious packets;
  • Clustering-based signatures which can derive signatures from multiple instances of a polymorphic attack.
• Bloom filter production code and utilities to support benign traffic characterization
  • A per TCP/IP service n-gram storing Bloom filter module
  • A Bloom filter combining utility was created.
• Utilities to transmit rules to remote Snort/Suricata installations via STIX/TAXII