Analysis of update delays in signature-based network intrusion detection systems

Network Intrusion Detection Systems (NIDS) play a fundamental role in security policy deployment and help organizations protect their assets from network attacks. Signature-based NIDS rely on a set of known patterns to match malicious traffic, so they cannot detect a given attack until a signature for the corresponding vulnerability has been created, tested, released and deployed. Although vital, the delay in updating these systems has not been studied in depth. This paper presents a comprehensive statistical analysis of this delay relative to the vulnerability disclosure time, the updates of vulnerability detection systems (VDS), the release of software patches and the publication of exploits. The release dates of the detection signatures of the widely deployed NIDS Snort are used. Results show that signature updates typically become available later than software patches. Moreover, Snort rules are generally released within the first 100 days after vulnerability disclosure, and in most cases exploits and the corresponding NIDS rules are published with little difference in time. Implications of these results for security policy definition are drawn. The methodology used allows this study to be easily kept up to date.
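The measurement the abstract describes can be reproduced from three inputs: the ruleset text (Snort rules carry `reference:cve,...` fields that tie a `sid` to a CVE), a per-CVE timeline (disclosure, vendor patch, public exploit) and the date each `sid` first appeared in a ruleset release. The script below is an added example and not code from the paper; the rule lines, CVE identifiers, sids and dates are constructed placeholders, not real vulnerabilities or rules. It joins the three inputs and computes the same quantities the abstract reports: days from disclosure to rule, whether the rule came after the patch, the share of rules within a 100-day window and the gap between exploit publication and rule release.

```python
import re
from datetime import date
from statistics import median

# Constructed sample of Snort rule text (placeholder sids and CVE ids, not real
# rules). Only the reference:cve and sid fields are read by the analysis.
SAMPLE_RULES = """\
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"sample A"; flow:to_server,established; reference:cve,2010-0001; classtype:attempted-admin; sid:9000001; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 445 (msg:"sample B"; reference:cve,2010-0002; reference:url,example.invalid/b; sid:9000002; rev:2;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 443 (msg:"sample C"; reference:cve,2010-0003; sid:9000003; rev:1;)
alert udp any any -> $HOME_NET 53 (msg:"sample D, no CVE reference"; sid:9000004; rev:1;)
"""

# Constructed per-CVE timeline: disclosure date, vendor patch date and public
# exploit date, as they would be collected from NVD, vendor advisories and an
# exploit archive (assumed data sources, not the paper's).
EVENTS = {
    "2010-0001": {"disclosure": date(2010, 1, 10), "patch": date(2010, 1, 20), "exploit": date(2010, 2, 1)},
    "2010-0002": {"disclosure": date(2010, 3, 1), "patch": date(2010, 3, 5), "exploit": date(2010, 3, 2)},
    "2010-0003": {"disclosure": date(2010, 4, 1), "patch": date(2010, 4, 15), "exploit": date(2010, 8, 1)},
}

# Constructed first-release date of each sid, as would be taken from the
# ruleset changelogs; the signature delay is measured against this date.
RULE_RELEASE = {
    9000001: date(2010, 2, 5),
    9000002: date(2010, 3, 3),
    9000003: date(2010, 9, 1),
    9000004: date(2010, 1, 1),
}

CVE_REF = re.compile(r"reference:\s*cve\s*,\s*(\d{4}-\d{4,})", re.IGNORECASE)
SID_RE = re.compile(r"\bsid:\s*(\d+)\s*;")


def cves_in_rules(rule_text):
    """Map each CVE id referenced in the ruleset to the list of sids that reference it."""
    out = {}
    for line in rule_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        sid_match = SID_RE.search(line)
        if not sid_match:
            continue  # commented-out or malformed rule: no sid to attribute
        sid = int(sid_match.group(1))
        for cve in CVE_REF.findall(line):
            out.setdefault(cve, []).append(sid)
    return out


def rule_delays(rule_text, events, rule_release):
    """Per CVE with both a timeline and a dated rule: delays in days from disclosure
    to patch, exploit and first rule, plus rule-vs-patch and rule-vs-exploit."""
    result = {}
    for cve, sids in cves_in_rules(rule_text).items():
        if cve not in events:
            continue  # no timeline for this CVE: skip rather than guess dates
        dated = [rule_release[s] for s in sids if s in rule_release]
        if not dated:
            continue  # rule references the CVE but its release date is unknown
        first_rule = min(dated)  # several sids may cover one CVE; take the earliest
        ev = events[cve]
        d0 = ev["disclosure"]
        result[cve] = {
            "patch": (ev["patch"] - d0).days,
            "exploit": (ev["exploit"] - d0).days,
            "rule": (first_rule - d0).days,
            "rule_minus_patch": (first_rule - ev["patch"]).days,
            "rule_minus_exploit": (first_rule - ev["exploit"]).days,
        }
    return result


def summarize(delays, window_days=100):
    """Aggregate statistics of the kind reported in the abstract."""
    rule = [d["rule"] for d in delays.values()]
    n = len(rule)
    if n == 0:
        return {"n": 0}
    return {
        "n": n,
        "median_rule_delay": median(rule),
        "share_within_window": sum(1 for x in rule if x <= window_days) / n,
        "share_rule_after_patch": sum(1 for d in delays.values() if d["rule_minus_patch"] > 0) / n,
        "median_abs_rule_exploit_gap": median([abs(d["rule_minus_exploit"]) for d in delays.values()]),
    }


if __name__ == "__main__":
    delays = rule_delays(SAMPLE_RULES, EVENTS, RULE_RELEASE)
    for cve, d in sorted(delays.items()):
        print(cve, d)
    print(summarize(delays))
```

Keeping the study current then amounts to re-running the join against the latest ruleset and changelogs. Two caveats a practitioner should carry over: a rule that references no CVE (sample D above) is invisible to this method, so CVE coverage is a lower bound on signature coverage, and a CVE covered by several sids is dated by the earliest one, which is the first moment the attack became detectable rather than the date of the most specific rule.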
