Mu Dynamics

Using Published Vulnerabilities for Security Testing of IDP/IPS

Development Methodology for Published Vulnerability Attacks
Added: November 11, 2011 Comments (0)

ABSTRACT

There is a fundamental difference between detecting specific exploit samples versus detecting patterns that
represent a class of exploits against an underlying vulnerability. Often a single vulnerability will allow multiple
similar but unique exploits to target the underlying weakness. Thus signatures for Intrusion Detection/Prevention
Systems (IDP/IDS/IPS) that are written to match traffic patterns corresponding to the underlying vulnerability
provide better coverage than more specific signatures that only match specific exploits.

This paper introduces the concept of a ‘vulnerability trigger’ that is broader than, and distinct from, an individual
exploit: it is the pattern that characterizes the whole class of exploits for a single vulnerability. Specific
examples are also presented to show that building signature matching engines around vulnerability triggers
rather than individual exploits improves security effectiveness and reduces test time, while simultaneously increasing
coverage against real threats without needing to chase every new exploit.
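The difference between an exploit-specific signature and a vulnerability trigger can be seen in a small detection experiment. The following is an added example, not code from the paper or from Mu Dynamics: it assumes a constructed, hypothetical line-based protocol (`GET <filename>\r\n`) whose server is presumed to copy the filename into a 64-byte buffer, so the vulnerability condition is simply "filename at or beyond that bound". An exploit-style rule keyed to one published sample's literal filler is compared with a trigger rule keyed to the condition itself, over constructed samples that include two variants of the sample and two benign requests.

```python
import re

# Constructed toy protocol: "GET <filename>\r\n". The server is assumed (hypothetically,
# for this example) to copy <filename> into a fixed 64-byte buffer, so any filename of
# ASSUMED_BUFFER_SIZE bytes or more is the condition that reaches the weakness.
ASSUMED_BUFFER_SIZE = 64

# Exploit-style signature: matches one specific (constructed) published sample by its
# literal filler. A variant that changes filler bytes or length is not matched.
EXPLOIT_SIGNATURE = re.compile(rb"^GET A{100}\r\n$")


def parse_request(msg: bytes):
    """Return the filename field of a request, or None if the message is malformed."""
    m = re.match(rb"^GET ([^\r\n]*)\r\n$", msg)
    return None if m is None else m.group(1)


def exploit_signature_hits(msg: bytes) -> bool:
    """Exploit-specific detection: only the literal sample pattern is recognised."""
    return EXPLOIT_SIGNATURE.match(msg) is not None


def vulnerability_trigger_hits(msg: bytes) -> bool:
    """Vulnerability-trigger detection: parse the protocol and test the condition that
    makes the (assumed) server fail, regardless of which bytes are used as filler."""
    filename = parse_request(msg)
    return filename is not None and len(filename) >= ASSUMED_BUFFER_SIZE


# Constructed samples: the published sample, two variants of it, and benign traffic.
SAMPLES = {
    "published_sample": b"GET " + b"A" * 100 + b"\r\n",
    "variant_filler":   b"GET " + b"B" * 100 + b"\r\n",
    "variant_length":   b"GET " + b"A" * 70 + b"\r\n",
    "benign_long_name": b"GET report_2011_final_version.pdf\r\n",
    "benign_short":     b"GET index.html\r\n",
}


def evaluate(samples=SAMPLES):
    """Return {sample_name: (exploit_signature_hit, vulnerability_trigger_hit)}."""
    return {name: (exploit_signature_hits(m), vulnerability_trigger_hits(m))
            for name, m in samples.items()}


def coverage_summary(results):
    """Count detections per approach on the malicious samples (names not starting
    with 'benign') and false positives on the benign ones."""
    summary = {"exploit_signature": {"detected": 0, "false_positive": 0},
               "vulnerability_trigger": {"detected": 0, "false_positive": 0}}
    for name, (sig_hit, trig_hit) in results.items():
        benign = name.startswith("benign")
        for key, hit in (("exploit_signature", sig_hit), ("vulnerability_trigger", trig_hit)):
            if hit:
                summary[key]["false_positive" if benign else "detected"] += 1
    return summary


if __name__ == "__main__":
    results = evaluate()
    print(f"{'sample':<18} {'exploit-sig':<12} {'vuln-trigger':<12}")
    for name, (sig_hit, trig_hit) in results.items():
        print(f"{name:<18} {str(sig_hit):<12} {str(trig_hit):<12}")
    print(coverage_summary(results))
```

The exploit signature matches only the sample it was written from, while the trigger rule matches every variant that reaches the assumed buffer bound and stays quiet on benign requests; adding a new variant to `SAMPLES` requires no change to the trigger rule, which is the coverage argument the abstract makes.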

