
Intrusion Prevention Systems fail to spot AET attacks, University study finds

Web applications vulnerable to complex attacks


Many big-brand Intrusion Prevention Systems (IPS) consistently fail to block attacks that target vulnerabilities in web-based applications using Advanced Evasion Techniques (AETs), a University of Glamorgan study has found.

At first sight the team’s findings are slightly alarming; using Stonesoft’s open source Evader AET generation tool targeting two ancient vulnerabilities, CVE-2008-4250, CVE-2004-1315 (the first affecting Windows servers, the second in PHP) the team found widely varying rates of IPS detection failure in fully up-to-date systems from nine vendors.

For hosts vulnerable to CVE-2008-4250, the team recorded relatively few successful attacks: 184 (6.69 percent) for the worst-performing product, Sourcefire's, down to only two for Cisco's system.

The other vendors tested - IBM, Palo Alto, Fortigate, McAfee, Checkpoint, Juniper, and Stonesoft itself - achieved detection rates somewhere between these two poles.

When the same test was run against the older flaw, however, things turned much darker, with several systems detecting only between 50 and 60 percent of AETs, and only two – Stonesoft and Fortigate – spotting more than 99 percent.

The worst performing IPS, McAfee’s, failed to see 1,304 of the evasions generated by the test while the best performer, Stonesoft, spotted all but seven so the difference in this example was huge.

The contrast has nothing to do with the age of the flaws so much as the type of flaw. The better-detected AET attack targeted a network-level TCP issue while the one many struggled with was at the application layer.

AETs shouldn’t be confused with the similar-sounding Advanced Persistent Threats (APTs) that have the security industry in a tizzy and Sino-US relations in the doldrums. AETs are designed specifically to beat IPS and their cousins, internal Intrusion Detection Systems (IDS); APT is a generic term for multi-layered attacks that could include AETs as well as other types of threat such as credential hacking, Trojans, malicious links, and so on.

AETs are still mildly contentious in some quarters because the term was first used widely by one of the firms that took part in and supported the University’s project, Stonesoft.

But although reliable figures on their use in attacks are hard to come by, there is evidence that they are real, not least from the University itself.

“We have seen AETs trying to circumvent detection systems at the University of Glamorgan,” confirmed study co-author, Professor Andrew Blyth.

The University had tried to interest other vendors in their work but only Stonesoft had been willing to get involved – some hadn’t even replied to emails. Despite Stonesoft's assistance, the report was entirely independent, he stressed.

The first conclusion is that organisations should check that their IPS systems have been updated to detect more recent application-layer evasions and not only the older network-level ones most were originally invented to see.

Because no single vendor achieved a perfect score, it is also a good idea to use more than one system, Blyth suggested. Perhaps organisations would also be wise to look for alternatives.

“We hope to repeat the test in two years and note any improvement,” he said. The University planned to work with affected vendors to address the issues it had uncovered.

The full report and methodology are available from the Stonesoft website.
