White Paper for the Cisco IPS 4255 Sensor
White Paper
© 2008 Cisco Systems, Inc. All rights reserved. This document is Cisco Public Information.
Page 1 of 5
Vulnerability-Focused Threat Detection: Protect Against the Unknown
Vulnerabilities and threats are being discovered at a pace that traditional exploit-based attack detection technology cannot meet. Vulnerability-focused detection technologies address this problem with broader threat detection, fewer signatures, and day-zero detection capabilities. This paper describes the difference between exploit-focused and vulnerability-focused detection and how Cisco® intrusion prevention systems (IPSs) use vulnerability-focused detection to provide comprehensive threat protection.
Introduction
This paper is intended for IT security staff and security managers considering deploying or expanding the deployment of intrusion detection systems (IDSs) or IPSs in their organization; analysts and researchers looking for information on detection technology; and security consultants and other security professionals who want deeper insight into the advantages of Cisco IPS technology.
The main points made in this paper are:
● Vulnerability-focused signatures detect a wide range of day-zero threats, obfuscated attacks, and exploit variants without frequent intrusive updates or large signature counts.
● Exploit-focused systems detect known exploits but require a large number of signatures to remain up-to-date; ultimately, these systems provide inferior protection because they still miss new and altered attacks.
● Cisco has more than 10 years of IDS and IPS development experience, with a seasoned team of signature developers writing effective vulnerability-focused signatures that block even the most determined attacker.
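The difference between the two approaches is easiest to see side by side. The following is an added illustration, not code from this paper or from any Cisco product: it models a hypothetical text protocol in which the server copies the argument of a `USER` command into a fixed 64-byte buffer without a bounds check (the buffer size, the command syntax, the byte patterns in `EXPLOIT_SIGNATURES`, and every sample message are constructed for the example). The exploit-focused detector looks for byte patterns lifted from specific known exploits; the vulnerability-focused detector parses the protocol and alerts on the condition that actually triggers the flaw, an argument longer than the buffer that receives it.

```python
"""
Toy comparison of exploit-focused and vulnerability-focused signatures.

Hypothetical scenario (constructed for this example; not a real product,
protocol or CVE): a server parses lines of the form b"USER <name>\r\n" and
copies <name> into a fixed 64-byte stack buffer with no length check.
"""

USER_BUFFER_LEN = 64  # assumed size of the vulnerable server's buffer

# Exploit-focused signatures: byte patterns taken from specific, already
# observed exploits. Every new variant (different NOP sled, different
# payload encoding) needs another entry in this table.
EXPLOIT_SIGNATURES = {
    "exploit-A-nop-sled": b"\x90" * 8,
    "exploit-A-shellcode": b"/bin/sh",
    "exploit-B-jmp-esp": b"\xff\xe4",
}


def exploit_focused_matches(msg: bytes) -> list:
    """Return the names of exploit signatures whose pattern occurs in msg."""
    return [name for name, pat in EXPLOIT_SIGNATURES.items() if pat in msg]


def vulnerability_focused_alert(msg: bytes):
    """Decode the protocol and alert on the vulnerable condition itself.

    Returns a dict describing the alert, or None when the message cannot
    reach the flawed copy. The payload bytes are irrelevant: only the
    length of the USER argument matters.
    """
    if not msg.startswith(b"USER "):
        return None  # other commands do not reach the vulnerable copy
    name = msg[len(b"USER "):].partition(b"\r\n")[0]
    # A partial line that is already over the limit will still overflow
    # once the rest arrives, so no terminator is required to alert.
    if len(name) > USER_BUFFER_LEN:
        return {"rule": "USER-arg-overflow", "len": len(name),
                "limit": USER_BUFFER_LEN}
    return None


# Constructed sample traffic: one benign login, the original exploit, two
# variants that change only the bytes the exploit signatures key on, and a
# long argument to a command that does not hit the vulnerable buffer.
SAMPLES = {
    "benign": b"USER alice\r\n",
    "known-exploit-A": b"USER " + b"\x90" * 32 + b"/bin/sh" + b"A" * 40 + b"\r\n",
    "variant-other-sled": b"USER " + b"A" * 80 + b"\r\n",
    "variant-encoded": (b"USER " + bytes(b ^ 0x2A for b in b"/bin/sh")
                        + b"B" * 90 + b"\r\n"),
    "long-but-other-command": b"PASS " + b"A" * 200 + b"\r\n",
}


def compare(samples: dict) -> dict:
    """Run both detectors over every sample and collect their verdicts."""
    return {
        label: {
            "exploit_focused": exploit_focused_matches(msg),
            "vulnerability_focused": vulnerability_focused_alert(msg) is not None,
        }
        for label, msg in samples.items()
    }


if __name__ == "__main__":
    for label, verdict in compare(SAMPLES).items():
        print(f"{label:24s} exploit-focused={bool(verdict['exploit_focused'])!s:5s} "
              f"vulnerability-focused={verdict['vulnerability_focused']}")
```

Only the original exploit trips the exploit-focused table; swapping the NOP sled or XOR-encoding the payload evades all three patterns while still overflowing the buffer, which the vulnerability-focused rule catches without any update. The caveat runs the other way too: the vulnerability-focused rule is only as good as its protocol decode and its knowledge of the flaw's precondition, so it must parse the field the same way the vulnerable server does, and it deliberately stays silent on the long `PASS` argument because that field is not the one that overflows.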
The Evolution of Intent in Network Hacking
In the past, network attacks were aimed at causing disruption and inconvenience, at settling scores, or at gaining notoriety for the attacker. Now, professional hackers, intelligence groups, and criminal organizations create attacks designed to exploit programming errors (bugs), design flaws, or insufficient protections in network applications in order to gain unrestricted access to network devices or computers. Their motive is financial gain through data theft, identity theft, spam distribution, intelligence gathering, DDoS attacks, and numerous other criminal uses. Figure 1 shows this transition.