TY - GEN
T1 - Towards probabilistic identification of zero-day attack paths
AU - Sun, Xiaoyan
AU - Dai, Jun
AU - Liu, Peng
AU - Singhal, Anoop
AU - Yen, John
N1 - Publisher Copyright:
© 2016 IEEE.
PY - 2017/2/21
Y1 - 2017/2/21
N2 - Zero-day attacks continue to challenge enterprise network security defenses. A zero-day attack path is formed when a multi-step attack contains one or more zero-day exploits. Detecting zero-day attack paths in time could enable early disclosure of zero-day threats. In this paper, we propose a probabilistic approach to identifying zero-day attack paths and implement a prototype system named ZePro. An object instance graph is first built from system calls to capture the intrusion propagation. To further reveal the zero-day attack paths hiding in the instance graph, our system constructs an instance-graph-based Bayesian network. By leveraging intrusion evidence, the Bayesian network can quantitatively compute the probabilities of object instances being infected. The object instances with high infection probabilities reveal themselves and form the zero-day attack paths. The experimental results show that our system can effectively identify zero-day attack paths.
AB - Zero-day attacks continue to challenge enterprise network security defenses. A zero-day attack path is formed when a multi-step attack contains one or more zero-day exploits. Detecting zero-day attack paths in time could enable early disclosure of zero-day threats. In this paper, we propose a probabilistic approach to identifying zero-day attack paths and implement a prototype system named ZePro. An object instance graph is first built from system calls to capture the intrusion propagation. To further reveal the zero-day attack paths hiding in the instance graph, our system constructs an instance-graph-based Bayesian network. By leveraging intrusion evidence, the Bayesian network can quantitatively compute the probabilities of object instances being infected. The object instances with high infection probabilities reveal themselves and form the zero-day attack paths. The experimental results show that our system can effectively identify zero-day attack paths.
UR - http://www.scopus.com/inward/record.url?scp=85016086274&partnerID=8YFLogxK
UR - http://www.scopus.com/inward/citedby.url?scp=85016086274&partnerID=8YFLogxK
U2 - 10.1109/CNS.2016.7860471
DO - 10.1109/CNS.2016.7860471
M3 - Conference contribution
AN - SCOPUS:85016086274
T3 - 2016 IEEE Conference on Communications and Network Security, CNS 2016
SP - 64
EP - 72
BT - 2016 IEEE Conference on Communications and Network Security, CNS 2016
PB - Institute of Electrical and Electronics Engineers Inc.
T2 - 2016 IEEE Conference on Communications and Network Security, CNS 2016
Y2 - 17 October 2016 through 19 October 2016
ER -