
How can Cisco Automatic Signature Extraction prevent zero-day virus attacks?

The Cisco IOS is powerful and already running on your routers. You would think that it could play a part in virus detection and prevention, right? Luckily, it can. David Davis explains how it works.

Most virus prevention systems today are based on signatures. In the time it takes to create those signatures, huge networks can become infected. Viruses that infect networks before they can be identified and stopped with signatures are called zero-day viruses. So why not automate this process and use network intelligence to create signatures and stop viruses much faster, preventing zero-day attacks?

What is Automatic Signature Extraction (ASE)?

Identifying viruses and worms quickly has become a little easier and safer thanks to a new Cisco IOS feature called Automatic Signature Extraction (ASE). At the speed that viruses spread today, the old signature-creation timeframes are too slow, and networks are infected before signatures can be created. With Cisco's new Automatic Signature Collector and Extraction system, you should be able to dramatically shorten the time it takes to uncover malware.

This system has a couple of pieces, and the Cisco IOS is one of them. First, your routers need Cisco IOS 12.4(15)T or later with the Automatic Signature Extraction (ASE) IOS feature. Second, you need an ASE collector, which runs the Cisco ASE Collector application on a Linux server. You should contact your Cisco representative, as the ASE collector is still in limited release.

[Figure: Cisco ASE. Graphic courtesy of Cisco Systems.]

The Cisco ASE software in the routers dynamically extracts signatures of unknown viruses or worms that traverse your network. To find the right IOS for your router, see my article "Get to Know the Cisco IOS Feature Navigator."

There are basically three processes that ASE uses to track and report viruses and worms. They are:

  • Content invariance — All worms carry a section of code that is virtually unchanged from copy to copy, so ASE looks for unchanged content that is proliferating through your network.
  • Content prevalence — ASE looks for packet content that shows up frequently on the network.
  • Address dispersion — ASE looks for the same content being sent to and from a large number of IP addresses.
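To make the three processes concrete, here is a small sensor written for this article's explanation; it is an added example, not Cisco's ASE code, and it assumes a 16-byte content window and the prevalence (10) and address-dispersion (20) thresholds that appear in the show ase output later in the article. Every 16-byte window of a payload is hashed (content invariance), the number of packets carrying each hash is counted (content prevalence), and the set of source and destination addresses seen with it is tracked (address dispersion). The constructed traffic mixes a worm-like invariant block spread across 60 hosts with a benign keepalive that is just as prevalent but only ever travels between two hosts, which is exactly the case address dispersion is there to exclude.

```python
import hashlib
from collections import defaultdict

# Thresholds borrowed from the "show ase" output quoted in the article; the
# 16-byte window size is an assumption made for this example.
PREVALENCE_THRESHOLD = 10
ADDRESS_DISPERSION_THRESHOLD = 20
WINDOW = 16


def fingerprints(payload):
    """Hash every fixed-length window of the payload.

    A worm's invariant section yields the same window hashes in every copy,
    even when the bytes around it differ (content invariance)."""
    return {hashlib.sha256(payload[i:i + WINDOW]).hexdigest()[:16]
            for i in range(len(payload) - WINDOW + 1)}


class AseLikeSensor:
    """Toy sensor that tracks content prevalence and address dispersion."""

    def __init__(self, prevalence=PREVALENCE_THRESHOLD,
                 dispersion=ADDRESS_DISPERSION_THRESHOLD):
        self.prevalence = prevalence
        self.dispersion = dispersion
        self.seen = defaultdict(int)        # fingerprint -> packet count
        self.addresses = defaultdict(set)   # fingerprint -> src/dst IPs

    def observe(self, src, dst, payload):
        # Count each fingerprint once per packet so a payload that repeats
        # its own bytes does not inflate its prevalence.
        for fp in fingerprints(payload):
            self.seen[fp] += 1
            self.addresses[fp].update((src, dst))

    def anomalies(self):
        """Fingerprints that are both prevalent and widely dispersed."""
        return [(fp, n, len(self.addresses[fp]))
                for fp, n in self.seen.items()
                if n >= self.prevalence
                and len(self.addresses[fp]) > self.dispersion]


# Constructed sample traffic, not a capture: a 40-byte invariant block
# embedded in 30 worm-like packets exchanged between 60 distinct hosts.
INVARIANT = b"0123456789abcdefghijklmnopqrstuvwxyzABCD"


def build_sample_traffic():
    packets = []
    for i in range(30):
        # The bytes around the invariant differ in every packet, so only
        # windows lying entirely inside INVARIANT repeat across packets.
        payload = bytes([200 + i]) * 8 + INVARIANT + bytes([i]) * 8
        packets.append((f"10.0.1.{i + 1}", f"10.0.2.{i + 1}", payload))
    # A benign keepalive: highly prevalent, but only two addresses involved.
    for _ in range(50):
        packets.append(("10.0.0.5", "10.0.0.6",
                        b"KEEPALIVE-FROM-APPLICATION-HEARTBEAT-V1"))
    return packets


def run_demo():
    sensor = AseLikeSensor()
    for src, dst, payload in build_sample_traffic():
        sensor.observe(src, dst, payload)
    return sensor


if __name__ == "__main__":
    for fp, count, hosts in run_demo().anomalies():
        print(f"anomalous content {fp}: {count} packets, {hosts} hosts")
```

Running it reports the 25 windows that fit inside the invariant block, each seen in 30 packets across 60 hosts, and nothing for the keepalive: it clears the prevalence threshold with 50 packets but its dispersion is 2, so the sensor does not treat it as a worm.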

When the ASE sensor extracts a signature, it sends it to the collector using the TIDP Threat Mitigation Service (TMS). TMS then quickly analyzes the threat information and generates an action to drop or redirect the packets. The great thing about all of this is that it can happen with no human intervention: in theory, you receive a report about what traffic was blocked while you are busy doing other things. Let's look at the configuration of this feature in the Cisco IOS.

How do you configure ASE in the Cisco IOS?

Once you have the proper IOS, the basic ASE feature configuration on an ISR router looks like this (the TIDP group number, collector address and interface are placeholders you fill in):

Router# configure terminal
Router(config)# ase group {TIDP-group-number}
Router(config)# ase collector {ip-address}
Router(config)# ase signature extraction
Router(config)# interface {interface}
Router(config-if)# ase enable

Once it is configured, here is how you look at your Cisco IOS ASE status and statistics:

Router# show ase
ASE Information:
Collector IP: 10.0.0.1
TIDP Group  : 10
Status      : Online
Packets inspected: 10000
Address Dispersion Threshold: 20
Prevalence Threshold: 10
Sampling set to: 1 in 64
Address Dispersion Inactivity Timer: 3600s
Prevalence Table Refresh Time: 60s

You may notice that 10,000 packets have been inspected. The Address Dispersion Threshold (20) is the number of IP address occurrences that the ASE sensor permits before the signature is considered an anomaly. Sampling set to: 1 in 64 means the sensor inspects one packet out of every 64, a lower sampling rate than 1 in 32.
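If you monitor several ASE sensors, the show ase output above is the thing you end up scraping. The following parser is an added example for this article, not a Cisco tool; it turns the output into a dictionary, reads the sampling divisor, and runs a few operator checks (sensor online, sampling not coarser than expected, thresholds numeric). The packets_before_report helper is an estimate I added to show the trade-off the sampling line implies: with uniform 1-in-64 sampling and a prevalence threshold of 10, roughly 640 copies of a piece of content have to cross the interface before the sensor has seen it ten times. The sample text is a constructed copy of the output quoted in the article.

```python
import re

# Constructed copy of the "show ase" output quoted in the article.
SAMPLE_SHOW_ASE = """\
ASE Information:
Collector IP: 10.0.0.1
TIDP Group  : 10
Status      : Online
Packets inspected: 10000
Address Dispersion Threshold: 20
Prevalence Threshold: 10
Sampling set to: 1 in 64
Address Dispersion Inactivity Timer: 3600s
Prevalence Table Refresh Time: 60s
"""


def parse_show_ase(text):
    """Turn 'Key : value' lines into a dict; the header line has no value."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep and value.strip():
            fields[key.strip()] = value.strip()
    return fields


def sampling_divisor(fields):
    """'1 in 64' -> 64; None when the line is missing or malformed."""
    match = re.fullmatch(r"1 in (\d+)", fields.get("Sampling set to", ""))
    return int(match.group(1)) if match else None


def packets_before_report(fields):
    """Rough number of on-the-wire copies of one content fingerprint the
    sensor must see before prevalence crosses its threshold, assuming the
    sampler picks packets uniformly (an estimate, not a Cisco figure)."""
    divisor = sampling_divisor(fields)
    prevalence = int(fields["Prevalence Threshold"])
    return prevalence * divisor if divisor else None


def health_checks(fields, max_divisor=64):
    """Return a list of problems an operator would want to know about."""
    problems = []
    if fields.get("Status") != "Online":
        problems.append("sensor is not online with the collector")
    divisor = sampling_divisor(fields)
    if divisor is None:
        problems.append("sampling rate missing or unparseable")
    elif divisor > max_divisor:
        problems.append(f"sampling 1 in {divisor} is coarser than 1 in {max_divisor}")
    for key in ("Address Dispersion Threshold", "Prevalence Threshold"):
        if not fields.get(key, "").isdigit():
            problems.append(f"{key} is not a number")
    return problems


if __name__ == "__main__":
    parsed = parse_show_ase(SAMPLE_SHOW_ASE)
    print(parsed)
    print("packets before report ~", packets_before_report(parsed))
    print("problems:", health_checks(parsed) or "none")
```

Feed it the output of show ase from each router and alert on a non-empty problem list; a sensor that has dropped to Offline or been left at a very coarse sampling rate is one that will be slow to notice a worm.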

Conclusion

I think the ASE feature can help you secure your network from the never-ending malware that is so prevalent today. I also believe that using the Cisco IOS to identify zero-day viruses is a great method for early detection of problems. While the ASE collector feature is available in the latest Cisco IOS, it is still in limited release. I look forward to seeing this feature in action on more networks in the future.

To learn more about the Cisco ASE feature of the Cisco IOS, visit Cisco: Automatic Signature Extraction.

David Davis has worked in the IT industry for 15+ years and holds several certifications, including CCIE, CCNA, CCNP, MCSE, CISSP, VCP. He has authored hundreds of articles and numerous IT training videos. Today, David is the Director of Infrastructure at Train Signal.com. Train Signal, Inc. is the global leader in video training for IT professionals and end users.
