Semantically Equal Syscalls

The Problem: Inaccurate signatures for IDS (misuse detection) strongly limit both the detection power of misuse detection systems and their economic profitability. A testing and correcting phase is indispensable to improve the quality of the signatures. This phase is an essential part of the signature development process, regardless of whether the signatures are derived systematically or by experience. The objective of a signature test is to prove the accuracy of the given signature by applying it to an audit trail which contains traces of the respective attack. If the signature does not detect all traces completely, it must be corrected to approximate the ideal signature, i.e. the signature which describes all manifestations of the attack. Normally the signature derivation process does not yield ideal signatures. The derived signatures are either under- or over-specified.

Over-specified signatures do not capture all action sequences which successfully exploit a given vulnerability. Attackers often replace one or more actions of the attack by semantically equal actions. The aim of this transformation is to change the traces of the attack so significantly that the attack is not detected by the intrusion detection system.

In [1] we presented an approach to tackle over-specified signatures by testing. In association with this work, we created a catalogue of semantically equal system calls. This catalogue contains linked lists of atomic syscall substitutions, substitutions of complex syscall sequences, and detailed descriptions of all syscalls.
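The following added example (not code from the paper or the catalogue) illustrates the testing idea: an attack trace is expanded into its semantically equal variants using a small constructed substitution table, and a signature is over-specified if it misses any of them. The table and the attack trace are constructed for illustration only.

```python
"""Test whether a misuse-detection signature is over-specified with respect
to semantically equal syscall substitutions.  Added example: the substitution
table below is a small constructed illustration, not the page's catalogue."""
from itertools import product

# Constructed illustration: each key is a syscall, the value its substitutes.
EQUIVALENT = {
    "open":  {"openat", "creat"},
    "read":  {"pread64", "readv"},
    "write": {"pwrite64", "writev"},
    "fork":  {"vfork", "clone"},
}

def equivalence_class(name):
    """All syscalls considered semantically equal to `name`, including itself."""
    cls = {name} | EQUIVALENT.get(name, set())
    for base, subs in EQUIVALENT.items():
        if name in subs:
            cls |= {base} | subs
    return cls

def matches(signature, trace, generalize=False):
    """True if `signature` occurs as an ordered subsequence of `trace`.
    With generalize=True each signature step also accepts its equivalents."""
    pos = 0
    for step in signature:
        accepted = equivalence_class(step) if generalize else {step}
        while pos < len(trace) and trace[pos] not in accepted:
            pos += 1
        if pos == len(trace):
            return False
        pos += 1
    return True

def substituted_traces(trace):
    """Every trace obtained by replacing each call with a semantically equal one."""
    options = [sorted(equivalence_class(call)) for call in trace]
    return [list(t) for t in product(*options)]

def missed_variants(signature, trace, generalize=False):
    """Variants of the attack trace the signature fails to detect.
    A non-empty result means the signature is over-specified."""
    return [v for v in substituted_traces(trace)
            if not matches(signature, v, generalize)]

# Constructed attack trace and the signature derived directly from it.
ATTACK = ["open", "write", "close"]
SIGNATURE = ["open", "write", "close"]

if __name__ == "__main__":
    print(len(missed_variants(SIGNATURE, ATTACK)))        # strict: 8 missed
    print(len(missed_variants(SIGNATURE, ATTACK, True)))  # generalized: 0 missed
```

Generalizing each signature step to its equivalence class is one way to approximate the ideal signature; the same test then shows no missed variants.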

[1] Schmerl, S.; König, H.: Towards Systematic Signature Testing. In: Petrenko, A., Veanes, M., Tretmans, J., Grieskamp, W. (Eds.): Proceedings of Testing of Software and Communicating Systems, 19th IFIP TC6/WG6.1 International Conference, TestCom 2007, number 4581 in Lecture Notes in Computer Science, pages 276-291, Tallinn, Estonia, June 2007, Springer, ISBN 978-3-540-73065-1.
