The Effect of Identifying Vulnerabilities and Patching Software on the Utility of Network Intrusion Detection

Conference paper, in: Recent Advances in Intrusion Detection (RAID 2002)

Part of the book series: Lecture Notes in Computer Science (LNCS, volume 2516)

Abstract

Vulnerability scanning and installing software patches for known vulnerabilities greatly affect the utility of network-based intrusion detection systems that use signatures to detect system compromises. A detailed timeline analysis of important remote-to-local vulnerabilities demonstrates that (1) vulnerabilities in widely used server software are discovered infrequently (at most six times a year) and (2) software patches that prevent a vulnerability from being exploited are available before, or at the same time as, detection signatures. Signature-based intrusion detection systems will thus never detect successful system compromises on small, secure sites where patches are installed as soon as they are available. Network intrusion detection systems may still detect successful system compromises on large sites where it is impractical to eliminate all known vulnerabilities. On such sites, information from vulnerability scanning can be used to prioritize the large number of extraneous alerts caused by failed attacks and normal background traffic. On one class B network with roughly 10 web servers, this approach filtered out 95% of all remote-to-local alerts.
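The alert prioritization the abstract describes, as an added example that is not the paper's own code: each remote-to-local alert is checked against what a vulnerability scan says about its target, and only alerts aimed at a host that exists, listens on the attacked port and is reported as still vulnerable are kept at high priority. The scan is assumed to have been reduced to open ports and CVE findings per host; hosts, alerts and the signature-to-CVE mapping are constructed for this example. The CVE identifiers are the public entries I associate with the IIS .ida (Code Red), BIND TSIG (Lion), rpc.statd (Ramen) and wu-ftpd SITE EXEC bugs; check any real signature-to-CVE mapping against the CVE list before relying on it.

```python
"""Prioritize signature-based NIDS alerts using vulnerability-scan results.

Added example, not code from the paper. It implements the triage the
abstract describes: a remote-to-local alert is worth an analyst's time
only if the targeted host exists, listens on the attacked port, and the
scanner reports the exploited vulnerability as present. All hosts,
alerts and the signature-to-CVE mapping below are constructed.
"""
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Alert:
    src: str
    dst: str
    dport: int
    sig: str             # signature name as reported by the NIDS
    cve: Optional[str]   # CVE the signature maps to, None if unmapped


@dataclass(frozen=True)
class Host:
    ip: str
    open_ports: frozenset
    vulns: frozenset     # CVEs the scanner reports as present (unpatched)


# Constructed scan of a class B network with a handful of servers.
SCAN: Dict[str, Host] = {
    # IIS server, scanner still sees the .ida ISAPI overflow (Code Red bug)
    "172.16.1.10": Host("172.16.1.10", frozenset({80, 443}), frozenset({"CVE-2001-0500"})),
    # Apache server, no findings
    "172.16.1.11": Host("172.16.1.11", frozenset({80}), frozenset()),
    # BIND server, unpatched TSIG overflow (Lion worm bug)
    "172.16.2.53": Host("172.16.2.53", frozenset({53}), frozenset({"CVE-2001-0010"})),
    # Linux host, portmapper up but rpc.statd already patched
    "172.16.3.7": Host("172.16.3.7", frozenset({22, 111}), frozenset()),
}

# Constructed alert stream; names are Snort-style but made up for this example.
ALERTS: List[Alert] = [
    Alert("203.0.113.5", "172.16.1.10", 80, "WEB-IIS ISAPI .ida attempt", "CVE-2001-0500"),
    Alert("203.0.113.5", "172.16.1.11", 80, "WEB-IIS ISAPI .ida attempt", "CVE-2001-0500"),
    Alert("203.0.113.5", "172.16.1.99", 80, "WEB-IIS ISAPI .ida attempt", "CVE-2001-0500"),
    Alert("198.51.100.7", "172.16.2.53", 53, "DNS named TSIG overflow", "CVE-2001-0010"),
    Alert("198.51.100.7", "172.16.3.7", 111, "RPC statd format string", "CVE-2000-0666"),
    Alert("198.51.100.9", "172.16.3.7", 22, "SHELLCODE x86 NOOP", None),
    Alert("198.51.100.9", "172.16.1.10", 21, "FTP wu-ftpd SITE EXEC", "CVE-2000-0573"),
]


def classify(alert: Alert, scan: Dict[str, Host]) -> str:
    """Bucket one alert by what the scan says about its target."""
    host = scan.get(alert.dst)
    if host is None:
        return "no_such_host"       # nothing at that address to compromise
    if alert.dport not in host.open_ports:
        return "service_absent"     # attacked service is not listening
    if alert.cve is None:
        return "review"             # open port, no CVE mapping: cannot filter safely
    if alert.cve in host.vulns:
        return "likely_compromise"  # exploit aimed at a confirmed-vulnerable service
    return "patched"                # service present, bug reported fixed or absent


def prioritize(alerts, scan) -> List[Alert]:
    """Alerts that may correspond to a successful compromise, highest priority."""
    return [a for a in alerts if classify(a, scan) == "likely_compromise"]


def summarize(alerts, scan) -> Counter:
    """Count alerts per bucket; useful as a coverage check on the scan itself."""
    return Counter(classify(a, scan) for a in alerts)


def filtered_fraction(alerts, scan) -> float:
    """Share of alerts the scan data lets us set aside without analyst review."""
    noise = {"no_such_host", "service_absent", "patched"}
    counts = summarize(alerts, scan)
    return sum(counts[k] for k in noise) / len(alerts)


if __name__ == "__main__":
    for a in prioritize(ALERTS, SCAN):
        print(f"HIGH {a.src} -> {a.dst}:{a.dport} {a.sig} ({a.cve})")
    print(dict(summarize(ALERTS, SCAN)))
    print(f"filtered {filtered_fraction(ALERTS, SCAN):.0%} of alerts")
```

Two buckets deserve attention rather than silence. "review" holds alerts whose signature has no CVE mapping (generic shellcode detectors, for instance); filtering them on port state alone would hide real attacks, so they go to an analyst. "no_such_host" is also where a stale scan shows up: a server brought online after the last scan looks like an empty address, and its alerts would be discarded. Re-scan frequently and treat a rising no_such_host count as a sign that the inventory, not the attacker, has changed.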

This work was sponsored by the Federal Aviation Administration under Air Force Contract F19628-00-C-0002. Opinions, interpretations, conclusions, and recommendations are those of the authors and are not necessarily endorsed by the United States Government.




Copyright information

© 2002 Springer-Verlag Berlin Heidelberg

About this paper

Cite this paper

Lippmann, R., Webster, S., Stetson, D. (2002). The Effect of Identifying Vulnerabilities and Patching Software on the Utility of Network Intrusion Detection. In: Wespi, A., Vigna, G., Deri, L. (eds) Recent Advances in Intrusion Detection. RAID 2002. Lecture Notes in Computer Science, vol 2516. Springer, Berlin, Heidelberg. https://doi.org/10.1007/3-540-36084-0_17

  • DOI: https://doi.org/10.1007/3-540-36084-0_17

  • Publisher Name: Springer, Berlin, Heidelberg

  • Print ISBN: 978-3-540-00020-4

  • Online ISBN: 978-3-540-36084-1

  • eBook Packages: Springer Book Archive
