Improving Signature Testing Through Dynamic Data Flow Analysis

Source: University of California

The effectiveness and precision of network-based intrusion detection signatures can be evaluated either by direct analysis of the signatures (if they are available) or by using black-box testing (if the system is closed-source). Recently, several techniques have been proposed to generate test cases by automatically deriving variations (or mutations) of attacks. Even though these techniques have been useful in identifying "blind spots" in the signatures of closed-source, network-based intrusion detection systems, the generation of test cases is performed in a random, unguided fashion.

Format: PDF
Size: 178.60
Date: Dec 2007