Zero day protection
For vendors of traditional signature based systems (most IDSs and IPSs), zero day protection is the ability to protect against zero day exploits. They rely on knowing about a particular vulnerability ahead of time. This allows them to provide signatures that match the mere attempt to take advantage of the vulnerability. As we have seen with the Witty worm, this approach does not guarantee protection, or even detection, of a new worm. Other trends are further shrinking the time window between the discovery of a vulnerability and the release of a new worm that tries to take advantage of it.

True zero day protection therefore cannot ever rely on any prior knowledge. For true zero day protection, a security solution needs to be able to discover abnormal behavior of hosts or networks without needing any signature databases. In addition, such a solution needs to be able to extract fine-grained signatures from the observed anomaly. Only if both conditions are met is it possible to architect self defending networks which can deal even with a true zero day vulnerability.
Zero-day protection simply means that you are protected from a new exploit at the moment it exists. Not 15 minutes after (since 15 > 0), but at that instant. For example, if you had a device which could intelligently detect buffer overflows, then you could claim that this device offers “zero day protection” against buffer overflow attacks, even those which have not been created yet. Contrast this, for example, to a device which relies on signatures matching specific characters to protect against known buffer overflow attacks.
In the world of virus scanners, the idea of zero day protection is promoted by folks who sell heuristic scanners (i.e., those which do not depend on specific matching of a signature). The idea is that using a heuristic, you can determine whether a file has a virus or not, even if you’ve never seen the virus. Thus, for certain classes of un-written viruses, this technology would offer “zero day protection.”
A lot of people are MIS-using this term already. They seem to think that if they empower you to do something very very very early in the cycle of problems, that this offers zero day protection. It’s not. If you wanted to use a term for that, you could call it “Day One protection.”
For example, IronPort has created a nifty thing called “Virus Outbreak Filters” which use anomaly detection to say “you know, there’s something going around.” I would classify that as “Day One Protection;” it doesn’t protect you BEFORE the problem, but it tracks the problem very early and lets you get a jump on the AV people before they have a signature to catch the exact new virus. (I’m not saying that IronPort calls that Zero Day protection; I’m just using it as an example of Day One protection.)
In the IPS world, things which are anomaly based are often called Zero Day protection. For example, if an internal system which has never made an outbound connection to TFTP suddenly starts doing 30 TFTPs a second, the IPS could shut it down. The IPS people would love to call that ‘Zero Day’ protection, but it’s not really that—after all, the system DID get compromised, ergo it wasn’t protected. I expect as the marketroids get ahold of the term, they’ll push it as far to the limit as possible, since the concept of “zero day protection” is so clearly desirable.
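The TFTP scenario above (a host that never used TFTP suddenly making 30 TFTP flows a second) is the kind of signature-free, behavior-based rule the first section calls for. The following is an added example, not code from the post's author or any IPS vendor: it learns which hosts normally use TFTP from a baseline period, then runs a per-host sliding window over live flow records and raises one alert per host that has no TFTP history and reaches the threshold rate. The flow-log line format, hosts and timestamps are constructed for the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed flow-log line format (not any vendor's): "<ISO time> <src> -> <dst>:<port>/<proto>"
LINE = re.compile(r"^(\S+) (\S+) -> ([^:\s]+):(\d+)/(\w+)$")
TFTP_PORT = 69

def parse(line):
    ts, src, dst, port, proto = LINE.match(line).groups()
    return datetime.fromisoformat(ts), src, dst, int(port), proto

def is_tftp(port, proto):
    return port == TFTP_PORT and proto == "udp"

def tftp_baseline(lines):
    """Hosts seen making outbound TFTP during the learning period (no signature involved)."""
    return {src for _, src, _, port, proto in map(parse, lines) if is_tftp(port, proto)}

def detect_tftp_bursts(lines, baseline, threshold=30, window=timedelta(seconds=1)):
    """One alert per host with no TFTP history that reaches `threshold` TFTP flows inside `window`."""
    recent, flagged, alerts = defaultdict(deque), set(), []
    for ts, src, _, port, proto in map(parse, sorted(lines)):   # process in time order
        if not is_tftp(port, proto) or src in baseline or src in flagged:
            continue
        q = recent[src]
        q.append(ts)
        while ts - q[0] > window:      # slide the window: drop flows older than `window`
            q.popleft()
        if len(q) >= threshold:        # 30 TFTPs within a second from a host that never did TFTP
            flagged.add(src)
            alerts.append({"host": src, "first_seen": q[0], "count": len(q)})
    return alerts

def burst(host, start, n, spacing_ms):
    """Constructed sample: n outbound TFTP flows from host, spacing_ms apart."""
    return [f"{(start + timedelta(milliseconds=i * spacing_ms)).isoformat()} {host} -> 10.0.0.9:69/udp"
            for i in range(n)]

T0 = datetime(2004, 3, 20, 10, 0, 0)
BASELINE_LOG = ["2004-03-20T09:00:00 10.0.0.2 -> 10.0.0.9:69/udp",   # PXE server: TFTP is normal for it
                "2004-03-20T09:00:05 10.0.0.5 -> 10.0.0.9:80/tcp"]   # web traffic, not TFTP
LIVE_LOG = (burst("10.0.0.2", T0, 40, 20)      # known TFTP user: exempt from this rule
            + burst("10.0.0.7", T0, 40, 20)    # 40 flows in 0.8 s from a host with no TFTP history
            + burst("10.0.0.8", T0, 40, 50)    # steady 20/s: never 30 inside any 1 s window
            + ["2004-03-20T10:00:03 10.0.0.5 -> 10.0.0.9:69/udp"])   # a single new TFTP flow

if __name__ == "__main__":
    for a in detect_tftp_bursts(LIVE_LOG, tftp_baseline(BASELINE_LOG)):
        print(f"ALERT {a['host']}: {a['count']} TFTP flows within 1 s starting {a['first_seen']}")
```

Only 10.0.0.7 is reported; the baselined PXE server, the host below the rate threshold and the one-off TFTP flow are not, which also illustrates the post's point: the alert fires after the burst starts, so the compromise itself was not prevented.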