authors
- GASCON POLANCO, HUGO
- ORFILA DIAZ-PABON, AGUSTIN
- BLASCO ALIS, JORGE
Analysis of update delays in signature-based network intrusion detection systems
Articles
Overview
published in
- COMPUTERS & SECURITY Journal
publication date
- November 2011
start page
- 613
end page
- 624
issue
- 8
volume
- 30
Digital Object Identifier (DOI)
International Standard Serial Number (ISSN)
- 0167-4048
Electronic International Standard Serial Number (EISSN)
- 1872-6208
abstract
- Network Intrusion Detection Systems (NIDS) play a fundamental role on security policy deployment and help organizations in protecting their assets from network attacks. Signature-based NIDS rely on a set of known patterns to match malicious traffic. Accordingly, they are unable to detect a specific attack until a specific signature for the corresponding vulnerability is created, tested, released and deployed. Although vital, the delay in the updating process of these systems has not been studied in depth. This paper presents a comprehensive statistical analysis of this delay in relation to the vulnerability disclosure time, the updates of vulnerability detection systems (VDS), the software patching releases and the publication of exploits. The widely deployed NIDS Snort and its detection signatures release dates have been used. Results show that signature updates are typically available later than software patching releases. Moreover, Snort rules are generally released within the first 100 days from the vulnerability disclosure and most of the times exploits and the corresponding NIDS rules are published with little difference. Implications of these results are drawn in the context of security policy definition. This study can be easily kept up to date due to the methodology used.