Using Bayesian Networks for Probabilistic Identification of Zero-Day Attack Paths

Xiaoyan Sun, Jun Dai, Peng Liu, Anoop Singhal, John Yen

Research output: Contribution to journalArticlepeer-review

103 Scopus citations


Enforcing a variety of security measures (such as intrusion detection systems, and so on) can provide a certain level of protection to computer networks. However, such security practices often fall short in face of zero-day attacks. Due to the information asymmetry between attackers and defenders, detecting zero-day attacks remains a challenge. Instead of targeting individual zero-day exploits, revealing them on an attack path is a substantially more feasible strategy. Such attack paths that go through one or more zero-day exploits are called zero-day attack paths. In this paper, we propose a probabilistic approach and implement a prototype system ZePro for zero-day attack path identification. In our approach, a zero-day attack path is essentially a graph. To capture the zero-day attack, a dependency graph named object instance graph is first built as a supergraph by analyzing system calls. To further reveal the zero-day attack paths hidden in the supergraph, our system builds a Bayesian network based upon the instance graph. By taking intrusion evidence as input, the Bayesian network is able to compute the probabilities of object instances being infected. Connecting the high-probability-instances through dependency relations forms a path, which is the zero-day attack path. The experiment results demonstrate the effectiveness of ZePro for zero-day attack path identification.

Original languageEnglish (US)
Pages (from-to)2506-2521
Number of pages16
JournalIEEE Transactions on Information Forensics and Security
Issue number10
StatePublished - Oct 2018

All Science Journal Classification (ASJC) codes

  • Safety, Risk, Reliability and Quality
  • Computer Networks and Communications


Dive into the research topics of 'Using Bayesian Networks for Probabilistic Identification of Zero-Day Attack Paths'. Together they form a unique fingerprint.

Cite this