Dropped red herring attacks

Prof_KarpThe ‘Dropped Red Herring Attack’ was first (Improbable believes) described by Professor Brad Karp (pictured right) and colleagues Dr. James Newsome and Professor Dawn Song in their paper for Proceedings of the 9th International Symposium On Recent Advances In Intrusion Detection (RAID 2006), entitled: ‘Paragraph: Thwarting signature learning by training maliciously’.

“In the Dropped Red Herring attack, the attacker again chooses a set of spurious features. Initially, he includes all features in every target-class sample. As a result, the target-class samples in the learner’s malicious training pool will all have all spurious features, and all spurious features will be included in the signature. Once the signature is in place, all the attacker needs to do to evade the signature is to stop including one of the spurious features in subsequent target-class sample. The signature will have a 100% false negative rate until the learner sees a target-class sample missing the spurious feature, and deploys an updated signature that no longer requires that feature to be present. At that point, the attacker stops including another spurious feature. The cycle continues until the attacker has stopped including all of the spurious features.”

Since its description, a number of other computer-network-science researchers have examined its implications, see, for example :

Thwarting zero-day polymorphic worms with network-level length-based signature generation
Network-based and Attack-resilient Length Signature Generation for Zero-day Polymorphic Worms
LISABETH: automated content-based signature generator for zero-day polymorphic worms

Bonus [1]: Dr. Newsome has developed ‘The Piranha Tank Game’

Bonus [2]: Monty Python developed ‘The Fish Slapping Dance’

Bonus [3]: “The Disappointing Reality of Musical Fish

Bonus [4]: A fish driven car: