Abstract
The focus of this research is a knowledge-based intrusion detection technique that utilizes contextual relations between known attacks to identify zero-day attacks, which are exploits of unknown software vulnerabilities. The proposed technique uses information entropy and linear data transformation to generate feature-based and linear function-based attack profiles. It systematically creates contextual relationships between known attacks to generate attack profiles that capture most likely combinations of activities an attacker might exploit to initiate zero-day attacks. We utilize the similarity among the features of the incoming network connections and these profiles to discover zero-day attacks. Our experiments on benchmark intrusion detection datasets indicate that utilizing contextual relationships to generate attack profiles leads to a satisfactory detection rate of zero-day attacks from network data at different levels of granularity.
© 2014 Springer International Publishing Switzerland
About this paper
Cite this paper
Aleroud, A., Karabatis, G. (2014). Detecting Zero-Day Attacks Using Contextual Relations. In: Uden, L., Fuenzaliza Oshee, D., Ting, IH., Liberona, D. (eds) Knowledge Management in Organizations. KMO 2014. Lecture Notes in Business Information Processing, vol 185. Springer, Cham. https://doi.org/10.1007/978-3-319-08618-7_36
DOI: https://doi.org/10.1007/978-3-319-08618-7_36
Publisher Name: Springer, Cham
Print ISBN: 978-3-319-08617-0
Online ISBN: 978-3-319-08618-7
eBook Packages: Computer Science, Computer Science (R0)