Let me try to clear up some confusion about the meaning of zero day protection. Unfortunately, many vendors of security solutions modify the definition of this term as needed to make their products appear in the most positive light. After all, they all want to be able to say: We offer zero day protection!
Well, not so quick, please.
First of all, it is important to distinguish between two different concepts: the zero day vulnerability on the one hand, and the zero day exploit on the other. Too often, the two terms are used interchangeably, even though they mean very different things.
Zero Day Vulnerability
If there is some vulnerability in a system which nobody except its discoverer knows about, then we talk about a zero day vulnerability. What this implies is that the security community and the public do not know about the vulnerability at all; therefore there are no signatures for it and no patches. If the discoverer of the vulnerability is set on compromising other computers, they may start to attack systems at their leisure, and everyone will be taken by surprise.
Zero Day Exploit
This is something entirely different: a zero day exploit is the term used to describe an attempt to take advantage of a known vulnerability with a new kind of exploit. If an IPS or IDS has rules to detect attempts to take advantage of that known vulnerability, then it may detect the event. In effect, even though we have not seen this particular exploit before, we may still be protected, because merely trying to take advantage of the underlying vulnerability produces some specific session or packet content that can be matched by signatures. Examples are the different mutations of the same worm, which all take advantage of the same vulnerability but use somewhat modified code to do so.
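To make the distinction concrete, here is an added illustration that is not part of the original post: a constructed toy protocol with a fixed-size buffer, one signature keyed to a single captured exploit sample, and one keyed to the vulnerability condition itself (an oversized field), so that mutated exploits still trigger the latter.

```python
import re

# Toy line-oriented protocol: "NAME <value>\n", where the (constructed)
# server copies <value> into a fixed 64-byte buffer. A value longer than
# the buffer is the *vulnerability condition*; what bytes fill it is the
# exploit's choice. Everything here is made up for illustration.
BUFFER_LEN = 64

# Exploit-specific signature, the kind written from one captured sample:
# it matches that sample's exact filler bytes and nothing else.
EXPLOIT_SIG = re.compile(rb"NAME A{84}\n")

def exploit_signature_match(msg: bytes) -> bool:
    return EXPLOIT_SIG.search(msg) is not None

def vulnerability_condition_match(msg: bytes) -> bool:
    """Vulnerability-centric signature: flag any NAME value that would not
    fit the buffer, regardless of its contents."""
    m = re.match(rb"NAME (.*)\r?\n", msg, re.DOTALL)
    return m is not None and len(m.group(1)) > BUFFER_LEN

# Constructed samples: one benign request and three "mutations" of the
# same attack that differ only in their filler bytes.
SAMPLES = {
    "benign":   b"NAME alice\n",
    "variant1": b"NAME " + b"A" * 84 + b"\n",
    "variant2": b"NAME " + b"B" * 84 + b"\n",
    "variant3": b"NAME " + b"AB" * 50 + b"\n",
}

def classify(samples=SAMPLES):
    """Map each sample to (exploit_sig_hit, vulnerability_condition_hit)."""
    return {name: (exploit_signature_match(m), vulnerability_condition_match(m))
            for name, m in samples.items()}
```

Only variant1 trips the exploit-specific signature, while all three oversized variants trip the vulnerability-centric one.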
Something in-between
One may discuss the theoretical definitions all day long. In the end, for the individual network operator, all that matters is whether their network is protected. The best signature-based system does not help if it does not yet have the latest signatures. For example, the Witty worm was, in effect, exploiting a zero day vulnerability for most networks. The particular vulnerability it exploited had been announced about one day before the worm broke out, so the vulnerability was known to the security community. However, most networks did not yet have signatures for it, and thus, for all practical purposes, it was a zero day vulnerability as far as they were concerned.
Zero Day Protection
So, what is zero day protection then? For vendors of traditional signature-based systems (most IDSs and IPSs), zero day protection is the ability to protect against zero day exploits. It relies on knowing about a particular vulnerability ahead of time, which allows them to provide signatures for the mere attempt to take advantage of that vulnerability. As we have seen with the Witty worm, this approach guarantees neither protection against nor even detection of a new worm. Other trends are further shrinking the time window between the discovery of a vulnerability and the release of a new worm that takes advantage of it.
True zero day protection therefore cannot rely on any prior knowledge. For true zero day protection, a security solution needs to be able to discover abnormal behavior of hosts or networks without needing any signature database. In addition, such a solution needs to be able to extract fine-grained signatures from the observed anomaly. Only if both conditions are met is it possible to architect self-defending networks that can deal even with a true zero day vulnerability.
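As an added sketch of the two conditions just named (this is illustrative code, not the author's product or method), the following flags a host purely on its behavior over constructed flow records, with no signature database, and then derives a fine-grained signature from the flagged traffic. Addresses, ports and payload prefixes are all made up.

```python
from collections import Counter
from statistics import median

# Constructed flow records for one "minute" of traffic: (src, dst, dst_port,
# payload_prefix). Hosts 10.0.0.1-3 behave normally; 10.0.0.9 plays an
# infected host spraying one payload at many destinations on one port.
# Every address, port and payload here is made up for this example.
FLOWS = (
    [("10.0.0.1", f"10.0.1.{i}", 80, b"GET ") for i in range(1, 6)]
    + [("10.0.0.2", f"10.0.1.{i}", 443, b"\x16\x03\x01") for i in range(1, 4)]
    + [("10.0.0.3", f"10.0.1.{i}", 25, b"EHLO") for i in range(1, 5)]
    + [("10.0.0.9", f"10.0.1.{i}", 80, b"GET ") for i in range(1, 3)]
    + [("10.0.0.9", f"10.0.{j}.{i}", 1234, b"\x05\x00\x0a")
       for j in range(2, 6) for i in range(1, 21)]
)

def fanout(flows):
    """Distinct destinations contacted per source host."""
    dsts = {}
    for src, dst, _, _ in flows:
        dsts.setdefault(src, set()).add(dst)
    return {src: len(d) for src, d in dsts.items()}

def anomalous_hosts(flows, factor=10):
    """First condition: a behavioral detector with no signature database.
    A host is abnormal if it contacts far more distinct destinations than
    the typical host this minute (median baseline, so one outlier does not
    drag the baseline up with it)."""
    fo = fanout(flows)
    baseline = max(median(fo.values()), 1)
    return {src for src, n in fo.items() if n > factor * baseline}

def extract_signature(flows, hosts):
    """Second condition: derive a fine-grained signature from the anomaly,
    here the (dst_port, payload_prefix) pair that dominates the flagged
    hosts' flows, with the share of their traffic it covers."""
    feats = Counter((port, prefix) for src, _, port, prefix in flows if src in hosts)
    if not feats:
        return None
    (port, prefix), n = feats.most_common(1)[0]
    return {"dst_port": port, "payload_prefix": prefix,
            "coverage": n / sum(feats.values())}

def detect_and_extract(flows=FLOWS):
    hosts = anomalous_hosts(flows)
    return hosts, extract_signature(flows, hosts)
```

The extracted (port, prefix) pair is what could then be pushed out as a signature to the rest of the network, closing the gap the Witty example describes.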
Juergen