Softpedia
 


November 25th, 2006, 12:15 GMT · By

IPS - A Solution for Zero Day Attacks



Pattern-matching engines and signature languages have evolved over time from Intrusion Detection Systems into Intrusion Prevention Systems and have been adapted for host-based solutions. This parallels another evolution, in functionality, as IDS moved from mere logging to blocking and preventing the matched patterns. The expressiveness of signature languages has expanded, file-based and protocol-based decoding has become possible, and the volume of false positives has been considerably reduced, making IPS a valid security solution.

According to Mimi Hoang, Sr. Security Response Researcher at Symantec, the implementation of IPS will counteract zero-day exploits. "We have recently seen an increase in the number of zero-day exploits, which indicates that attackers are being more methodical in their discovery and use of software vulnerabilities. A zero-day exploit occurs when a software flaw is only discovered after it is already being exploited in the wild (and there isn't a patch available from the vendor)," stated Hoang.

In the first half of 2006 alone, users were vulnerable to zero-days for a total of 28 days after the initial attacks. That is a window of exposure equivalent to a whole month of vulnerability before patches were deployed, and it can only be plugged via IPS.

"A single vulnerability is usually the target of multiple exploits and variants. Our strategy is to protect a new vulnerability against any future attacks in the form of broader coverage focusing on the one vulnerability, instead of having to reactively respond to every specific exploit. This approach protects against both known and unknown attempts to exploit that vulnerability. Users can deploy one signature that protects against many different attacks. To complement intrusion prevention signatures that focus on the network vector, antivirus signatures block the file-based attacks," concluded Hoang.
