Towards probabilistic identification of zero-day attack paths
| Published in | 2016 IEEE Conference on Communications and Network Security (CNS), pp. 64-72 |
|---|---|
| Main Authors | Xiaoyan Sun, Jun Dai, Peng Liu, Anoop Singhal, John Yen |
| Format | Conference Proceeding |
| Language | English |
| Published | IEEE, 01-10-2016 |
| Subjects | Bayes methods; Communication networks; Conferences; Feature extraction; Probabilistic logic; Security; Sockets |
| Online Access | Full text: https://ieeexplore.ieee.org/document/7860471 |
Abstract

Zero-day attacks continue to challenge the enterprise network security defense. A zero-day attack path is formed when a multi-step attack contains one or more zero-day exploits. Detecting zero-day attack paths in time could enable early disclosure of zero-day threats. In this paper, we propose a probabilistic approach to identify zero-day attack paths and implement a prototype system named ZePro. An object instance graph is first built from system calls to capture the intrusion propagation. To further reveal the zero-day attack paths hiding in the instance graph, our system constructs an instance-graph-based Bayesian network. By leveraging intrusion evidence, the Bayesian network can quantitatively compute the probabilities of object instances being infected. The object instances with high infection probabilities reveal themselves and form the zero-day attack paths. The experiment results show that our system can effectively identify zero-day attack paths.
Authors

| Author | Affiliation | Email |
|---|---|---|
| Xiaoyan Sun | Pennsylvania State Univ., University Park, PA, USA | xzs5052@ist.psu.edu |
| Jun Dai | California State Univ., Sacramento, CA, USA | jun.dai@csus.edu |
| Peng Liu | Pennsylvania State Univ., University Park, PA, USA | pliu@ist.psu.edu |
| Anoop Singhal | Nat. Inst. of Stand. & Technol., Gaithersburg, MD, USA | anoop.singhal@nist.gov |
| John Yen | Pennsylvania State Univ., University Park, PA, USA | jyen@ist.psu.edu |
Record details

| Record field | Value |
|---|---|
| Genre | orig-research |
| Discipline | Engineering |
| Publication date | 2016-10-01 |
| Pages | 64-72 (9 pages) |
| DOI | 10.1109/CNS.2016.7860471 |
| EISBN | 9781509030651; 1509030654 |
| External document ID | 7860471 |
| URI | https://ieeexplore.ieee.org/document/7860471 |
| Subject terms | Bayes methods; Communication networks; Conferences; Feature extraction; Probabilistic logic; Security; Sockets |
| Source database | IEEE Electronic Library Online (http://ieeexplore.ieee.org/Xplore/DynWel.jsp); IEEE Xplore All Conference Proceedings; IEEE Proceedings Order Plans (POP All) 1998-present |