An attack signature is a minimal part of the input vector to the system that makes the system fail. The purpose of an attack signature is to identify the attack. In practice, content-based intrusion detection systems, such as Snort, use signatures to prevent malicious traffic from entering the network. To a large extent, attack signatures are still derived manually. The majority of current automatic techniques identify the relevant part of the input by making use of thousands of attack instances with similar input vectors. My goal would be to extract the signature from a one-time attack. Having done this, I would try to use other similar input vectors in order to generalize the signature.
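To make "minimal part of the input that makes the system fail" concrete, the following added example (not the author's method) shrinks one failing input with delta-debugging-style minimization, a technique swapped in here for illustration. The oracle `toy_system_fails`, the `ID=` field and the sample request are constructed assumptions standing in for a real monitored system.

```python
def toy_system_fails(request: bytes) -> bool:
    """Constructed stand-in for the monitored system: it 'fails' when the
    ID= field holds more than 8 bytes. A real oracle would replay the input
    against an instrumented copy of the service."""
    start = request.find(b"ID=")
    if start < 0:
        return False
    value = request[start + 3:].split(b"&", 1)[0]
    return len(value) > 8

def ddmin(data: bytes, fails) -> bytes:
    """Shrink `data` to a 1-minimal input: fails() still holds, but removing
    any single byte makes the failure disappear."""
    assert fails(data), "starting input must trigger the failure"
    n = 2  # granularity: number of chunks the input is split into
    while len(data) >= 2:
        size = max(1, len(data) // n)
        chunks = [data[i:i + size] for i in range(0, len(data), size)]
        reduced = False
        for i in range(len(chunks)):
            # Drop chunk i and keep the rest if the failure survives.
            candidate = b"".join(chunks[:i] + chunks[i + 1:])
            if candidate and fails(candidate):
                data, n, reduced = candidate, max(n - 1, 2), True
                break
        if not reduced:
            if size == 1:
                break  # every single-byte removal was tried and rejected
            n = min(n * 2, len(data))  # retry with finer chunks
    return data

# Constructed sample of a single observed attack instance.
SAMPLE = b"GET /app?user=bob&ID=AAAAAAAAAAAAAAAAAAAAAAAA&lang=en HTTP/1.0\r\n\r\n"

def extract_signature(sample: bytes = SAMPLE) -> bytes:
    return ddmin(sample, toy_system_fails)

if __name__ == "__main__":
    print(extract_signature())
```

The result is exact for this one instance only; turning the nine literal value bytes into a length condition is the generalization step that needs further similar inputs.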