Vulnerability scanning and the installation of software patches for known vulnerabilities greatly affect the utility of network-based intrusion detection systems that use signatures to detect system compromises. A detailed timeline analysis of important remote-to-local vulnerabilities shows that (1) vulnerabilities in widely used server software are discovered infrequently (at most 6 times a year) and (2) software patches that prevent a vulnerability from being exploited are available before, or at the same time as, the corresponding detection signatures. Signature-based intrusion detection systems will thus never detect successful system compromises on small, secure sites where patches are installed as soon as they become available. Network intrusion detection systems may still detect successful system compromises on large sites where it is impractical to eliminate all known vulnerabilities. On such sites, information from vulnerability scanning can be used to prioritize the large number of extraneous alerts caused by failed attacks and normal background traffic: an alert for an exploit aimed at a vulnerability that the targeted host does not have is unlikely to represent a successful compromise. On one class B network with roughly 10 web servers, this approach filtered out 95% of all remote-to-local alerts.
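The prioritization step described above, as an added example that is not code from the paper: a scan inventory records which ports each monitored host exposes and which known vulnerabilities the scanner found unpatched; each signature is mapped to the vulnerability its exploit targets; an alert is demoted to low priority when the target address was not scanned, does not run the targeted service, or does not have the targeted vulnerability. Host addresses, signature and vulnerability identifiers, and the alert lines are all constructed for the example. Signatures with no vulnerability mapping are deliberately kept at high priority so that a gap in the mapping cannot hide a real compromise.

```python
"""Prioritize signature-based NIDS alerts using vulnerability-scan results.

Illustrative code, not from the paper. All identifiers and data are constructed.
"""
from collections import Counter

# Constructed scan inventory: host -> exposed ports and unpatched vulnerabilities.
SCAN_INVENTORY = {
    "10.1.2.10": {"ports": {80}, "vulns": {"VULN-HTTP-A"}},  # web server, unpatched
    "10.1.2.11": {"ports": {80}, "vulns": set()},            # web server, fully patched
    "10.1.2.12": {"ports": {22}, "vulns": {"VULN-SSH-B"}},   # ssh server, unpatched
}

# Constructed signature metadata: signature id -> (targeted vulnerability, port).
SIGNATURES = {
    "SIG-HTTP-A": ("VULN-HTTP-A", 80),
    "SIG-HTTP-C": ("VULN-HTTP-C", 80),
    "SIG-SSH-B": ("VULN-SSH-B", 22),
}

# Constructed alert log, one alert per line: "<time> <sig> <src> -> <dst>:<port>".
ALERT_LOG = """\
12:00:01 SIG-HTTP-A 203.0.113.5 -> 10.1.2.10:80
12:00:02 SIG-HTTP-A 203.0.113.5 -> 10.1.2.11:80
12:00:03 SIG-HTTP-A 203.0.113.5 -> 10.1.2.12:80
12:00:04 SIG-HTTP-A 203.0.113.5 -> 10.1.2.99:80
12:00:05 SIG-HTTP-C 203.0.113.6 -> 10.1.2.10:80
12:00:06 SIG-HTTP-C 203.0.113.6 -> 10.1.2.11:80
12:00:07 SIG-SSH-B 203.0.113.7 -> 10.1.2.12:22
12:00:08 SIG-SSH-B 203.0.113.7 -> 10.1.2.10:22
"""


def parse_alert(line):
    """Parse one alert line into a dict (time, sig, src, dst, port)."""
    time, sig, src, _arrow, dst = line.split()
    host, port = dst.rsplit(":", 1)
    return {"time": time, "sig": sig, "src": src, "dst": host, "port": int(port)}


def classify(alert, inventory=SCAN_INVENTORY, signatures=SIGNATURES):
    """Return ("high" | "low", reason) for an alert given the scan inventory."""
    if alert["sig"] not in signatures:
        # Unmapped signature: we cannot prove the target is immune, so keep it.
        return "high", "signature not mapped to a vulnerability; cannot filter"
    vuln, _port = signatures[alert["sig"]]
    host = inventory.get(alert["dst"])
    if host is None:
        return "low", "no scanned host at target address"
    if alert["port"] not in host["ports"]:
        return "low", "targeted service not present"
    if vuln not in host["vulns"]:
        return "low", "target not vulnerable (patched)"
    return "high", "target runs the vulnerable service unpatched"


def prioritize(log_text):
    """Split alerts into (high, low) lists of (alert, reason) tuples."""
    high, low = [], []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        alert = parse_alert(line)
        prio, reason = classify(alert)
        (high if prio == "high" else low).append((alert, reason))
    return high, low


def filtered_fraction(log_text):
    """Fraction of alerts demoted to low priority by the scan-based filter."""
    high, low = prioritize(log_text)
    total = len(high) + len(low)
    return len(low) / total if total else 0.0


def reason_counts(log_text):
    """Why alerts were demoted, as a Counter of reason strings."""
    _high, low = prioritize(log_text)
    return Counter(reason for _alert, reason in low)


if __name__ == "__main__":
    high, low = prioritize(ALERT_LOG)
    for alert, reason in high:
        print("HIGH", alert["sig"], alert["src"], "->", alert["dst"], "|", reason)
    print(f"filtered {filtered_fraction(ALERT_LOG):.0%} of alerts:", dict(reason_counts(ALERT_LOG)))
```

The filter is only as good as the inventory behind it: a host that was patched after its last scan still looks vulnerable (a harmless false high), while a host that was re-imaged or had a service re-enabled since the scan can be wrongly demoted, so scans must be refreshed on a schedule shorter than the site's rate of change, and every demoted alert should remain available for later review rather than being discarded.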