Abstract
A zero-day attack is one that exploits a vulnerability for which no patch is readily available and of which the developer or vendor may or may not be aware. Zero-day exploits are expensive, powerful attack tools that are difficult to defend against. Since the vulnerability is not known in advance, there is no reliable way to guard against zero-day attacks before they happen. Attackers take advantage of the unknown nature of zero-day exploits and use them in conjunction with highly sophisticated, targeted attacks to evade standard intrusion detection techniques. This paper presents a novel combination of anomaly-, behavior- and signature-based techniques for detecting such zero-day attacks. The proposed approach detects obfuscated zero-day attacks using a two-level evaluation, automatically generates a new signature, and pushes that signature to other sensors through a global hotfix feature.
© 2015 Springer International Publishing Switzerland
About this paper
Cite this paper
Kaur, R., Singh, M. (2015). Two-Level Automated Approach for Defending Against Obfuscated Zero-Day Attacks. In: Lopez, J., Ray, I., Crispo, B. (eds) Risks and Security of Internet and Systems. CRiSIS 2014. Lecture Notes in Computer Science(), vol 8924. Springer, Cham. https://doi.org/10.1007/978-3-319-17127-2_11
DOI: https://doi.org/10.1007/978-3-319-17127-2_11
Publisher Name: Springer, Cham
Print ISBN: 978-3-319-17126-5
Online ISBN: 978-3-319-17127-2
eBook Packages: Computer Science (R0)