Intrusion Prevention Systems fail to spot AET attacks, University study finds

Many big-brand Intrusion Prevention Systems (IPS) consistently fail to block attacks that target vulnerabilities in web-based applications using Advanced Evasion Techniques (AETs), a University of Glamorgan study has found.

At first sight the team's findings are slightly alarming; using Stonesoft's open source Evader AET generation tool targeting two ancient vulnerabilities, CVE-2008-4250, CVE-2004-1315 (the first affecting Windows servers, the second in PHP) the team found widely varying rates of IPS detection failure in fully up-to-date systems from nine vendors.

For hosts vulnerable to CVE-2008-4250, the team recorded only a relatively small number of successful attacks equivalent to 184 (6.69 percent) for the worst performing Sourcefire product down to only two for Cisco's system.

The other vendors tested - IBM, Palo Alto, Fortigate, McAfee, Checkpoint, Juniper, and Stonesoft itself - achieved detection rates somewhere between these two poles.

Conducting the same test against the older flaw, however, and things turned much darker with several systems detecting only between 50 and 60 percent of AETs, and only two - Stonesoft and Fortigate - spotting more than 99 percent.

The worst performing IPS, McAfee's, failed to see 1,304 of the evasions generated by the test while the best performer, Stonesoft, spotted all but seven so the difference in this example was huge.

The contrast has nothing to do with the age of the flaws so much as the type of flaw. The better-detected AET attack targeted a network-level TCP issue while the one many struggled with was at the application layer.

AETs shouldn't be confused with the similar-sounding Advanced Persistent Threats (APTs) that have the security industry in a tizzy and Sino-US relations in the doldrums. AETs are designed specifically to beat IPS and their cousins, internal Intrusion Detection Systems (IDS); APT is a generic term for multi-layered attacks that could include AETs as well as other types of threat such as credential hacking, Trojans, malicious links, and so on.

AETs are still mildly contentious in some quarters because the term was first used widely by one of the firms that took part in and supported the University's project, Stonesoft.

But although hard figures on their use in attacks are hard to come by there is evidence that they are real, not least from the University itself.

"We have seen AETs trying to circumvent detection systems at the University of Glamorgan," confirmed study co-author, Professor Andrew Blyth.

The University had tried to interest other vendors in their work but only Stonesoft had been willing to get involved - some hadn't even replied to emails. Despite Stonesoft's assistance, the report was entirely independent, he stressed.

The first conclusion is that organisations should check that their IPS systems have been updated to detect more recent application-layer evasions and no only the older network-level ones most were originally invented to see.

Because no single vendor achieved a perfect score, it is also a good idea to use more than one system, Blyth suggested. Perhaps organisatons would also be wise to look for alternatives.

"We hope to repeat the test in two years and note any improvement," he said. The University planned to work with affected vendors to address the issues it had uncovered.

The full report and methodology is available from the Stonesoft website.