Towards probabilistic identification of zero-day attack paths

Xiaoyan Sun; Jun Dai; Peng Liu; Anoop Singhal; John Yen

doi:10.1109/CNS.2016.7860471

Towards probabilistic identification of zero-day attack paths

Xiaoyan Sun, Jun Dai, Peng Liu, Anoop Singhal, John Yen

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

24 Scopus citations

Abstract

Zero-day attacks continue to challenge the enterprise network security defense. A zero-day attack path is formed when a multi-step attack contains one or more zero-day exploits. Detecting zero-day attack paths in time could enable early disclosure of zero-day threats. In this paper, we propose a probabilistic approach to identify zero-day attack paths and implement a prototype system named ZePro. An object instance graph is first built from system calls to capture the intrusion propagation. To further reveal the zero-day attack paths hiding in the instance graph, our system constructs an instance-graph-based Bayesian network. By leveraging intrusion evidence, the Bayesian network can quantitatively compute the probabilities of object instances being infected. The object instances with high infection probabilities reveal themselves and form the zero-day attack paths. The experiment results show that our system can effectively identify zero-day attack paths.

Original language	English (US)
Title of host publication	2016 IEEE Conference on Communications and Network Security, CNS 2016
Publisher	Institute of Electrical and Electronics Engineers Inc.
Pages	64-72
Number of pages	9
ISBN (Electronic)	9781509030651
DOIs	https://doi.org/10.1109/CNS.2016.7860471
State	Published - Feb 21 2017
Event	2016 IEEE Conference on Communications and Network Security, CNS 2016 - Philadelphia, United States Duration: Oct 17 2016 → Oct 19 2016

Publication series

Name	2016 IEEE Conference on Communications and Network Security, CNS 2016

Other

Other	2016 IEEE Conference on Communications and Network Security, CNS 2016
Country/Territory	United States
City	Philadelphia
Period	10/17/16 → 10/19/16

All Science Journal Classification (ASJC) codes

Computer Networks and Communications
Safety, Risk, Reliability and Quality

Access to Document

10.1109/CNS.2016.7860471

Cite this

Sun, X., Dai, J., Liu, P., Singhal, A., & Yen, J. (2017). Towards probabilistic identification of zero-day attack paths. In 2016 IEEE Conference on Communications and Network Security, CNS 2016 (pp. 64-72). Article 7860471 (2016 IEEE Conference on Communications and Network Security, CNS 2016). Institute of Electrical and Electronics Engineers Inc.. https://doi.org/10.1109/CNS.2016.7860471

@inproceedings{924f6f2e5c6347839bce26b1d3777e83,

title = "Towards probabilistic identification of zero-day attack paths",

abstract = "Zero-day attacks continue to challenge the enterprise network security defense. A zero-day attack path is formed when a multi-step attack contains one or more zero-day exploits. Detecting zero-day attack paths in time could enable early disclosure of zero-day threats. In this paper, we propose a probabilistic approach to identify zero-day attack paths and implement a prototype system named ZePro. An object instance graph is first built from system calls to capture the intrusion propagation. To further reveal the zero-day attack paths hiding in the instance graph, our system constructs an instance-graph-based Bayesian network. By leveraging intrusion evidence, the Bayesian network can quantitatively compute the probabilities of object instances being infected. The object instances with high infection probabilities reveal themselves and form the zero-day attack paths. The experiment results show that our system can effectively identify zero-day attack paths.",

author = "Xiaoyan Sun and Jun Dai and Peng Liu and Anoop Singhal and John Yen",

note = "Publisher Copyright: {\textcopyright} 2016 IEEE.; 2016 IEEE Conference on Communications and Network Security, CNS 2016 ; Conference date: 17-10-2016 Through 19-10-2016",

year = "2017",

month = feb,

day = "21",

doi = "10.1109/CNS.2016.7860471",

language = "English (US)",

series = "2016 IEEE Conference on Communications and Network Security, CNS 2016",

publisher = "Institute of Electrical and Electronics Engineers Inc.",

pages = "64--72",

booktitle = "2016 IEEE Conference on Communications and Network Security, CNS 2016",

address = "United States",

}

Sun, X, Dai, J, Liu, P, Singhal, A & Yen, J 2017, Towards probabilistic identification of zero-day attack paths. in 2016 IEEE Conference on Communications and Network Security, CNS 2016., 7860471, 2016 IEEE Conference on Communications and Network Security, CNS 2016, Institute of Electrical and Electronics Engineers Inc., pp. 64-72, 2016 IEEE Conference on Communications and Network Security, CNS 2016, Philadelphia, United States, 10/17/16. https://doi.org/10.1109/CNS.2016.7860471

Towards probabilistic identification of zero-day attack paths. / Sun, Xiaoyan; Dai, Jun; Liu, Peng et al.
2016 IEEE Conference on Communications and Network Security, CNS 2016. Institute of Electrical and Electronics Engineers Inc., 2017. p. 64-72 7860471 (2016 IEEE Conference on Communications and Network Security, CNS 2016).

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

TY - GEN

T1 - Towards probabilistic identification of zero-day attack paths

AU - Sun, Xiaoyan

AU - Dai, Jun

AU - Liu, Peng

AU - Singhal, Anoop

AU - Yen, John

PY - 2017/2/21

Y1 - 2017/2/21

N2 - Zero-day attacks continue to challenge the enterprise network security defense. A zero-day attack path is formed when a multi-step attack contains one or more zero-day exploits. Detecting zero-day attack paths in time could enable early disclosure of zero-day threats. In this paper, we propose a probabilistic approach to identify zero-day attack paths and implement a prototype system named ZePro. An object instance graph is first built from system calls to capture the intrusion propagation. To further reveal the zero-day attack paths hiding in the instance graph, our system constructs an instance-graph-based Bayesian network. By leveraging intrusion evidence, the Bayesian network can quantitatively compute the probabilities of object instances being infected. The object instances with high infection probabilities reveal themselves and form the zero-day attack paths. The experiment results show that our system can effectively identify zero-day attack paths.

AB - Zero-day attacks continue to challenge the enterprise network security defense. A zero-day attack path is formed when a multi-step attack contains one or more zero-day exploits. Detecting zero-day attack paths in time could enable early disclosure of zero-day threats. In this paper, we propose a probabilistic approach to identify zero-day attack paths and implement a prototype system named ZePro. An object instance graph is first built from system calls to capture the intrusion propagation. To further reveal the zero-day attack paths hiding in the instance graph, our system constructs an instance-graph-based Bayesian network. By leveraging intrusion evidence, the Bayesian network can quantitatively compute the probabilities of object instances being infected. The object instances with high infection probabilities reveal themselves and form the zero-day attack paths. The experiment results show that our system can effectively identify zero-day attack paths.

UR - http://www.scopus.com/inward/record.url?scp=85016086274&partnerID=8YFLogxK

UR - http://www.scopus.com/inward/citedby.url?scp=85016086274&partnerID=8YFLogxK

U2 - 10.1109/CNS.2016.7860471

DO - 10.1109/CNS.2016.7860471

M3 - Conference contribution

AN - SCOPUS:85016086274

T3 - 2016 IEEE Conference on Communications and Network Security, CNS 2016

SP - 64

EP - 72

BT - 2016 IEEE Conference on Communications and Network Security, CNS 2016

PB - Institute of Electrical and Electronics Engineers Inc.

T2 - 2016 IEEE Conference on Communications and Network Security, CNS 2016

Y2 - 17 October 2016 through 19 October 2016

ER -

Towards probabilistic identification of zero-day attack paths

Abstract

Publication series

Other

All Science Journal Classification (ASJC) codes

Access to Document

Other files and links

Fingerprint

Cite this