Abstract
This chapter studies the zero-day attack path identification problem. Detecting zero-day attacks is a fundamental challenge faced by enterprise network security defense. A multi-step attack involving one or more zero-day exploits forms a zero-day attack path. This chapter describes a prototype system called ZePro, which takes a probabilistic approach to zero-day attack path identification. ZePro first constructs a network-wide system object instance graph by parsing system calls collected from all hosts in the network, and then builds a Bayesian network on top of the instance graph. The instance-graph-based Bayesian network is able to incorporate the collected intrusion evidence and infer the probabilities of object instances being infected. By connecting the instances with high probabilities, ZePro is able to generate the zero-day attack paths. This chapter evaluates the effectiveness of ZePro for zero-day attack path identification.
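As an added illustration of the pipeline the abstract describes (example code written for this page, not code from the chapter or from ZePro), the block below parses constructed system-call records into a versioned instance graph, scores each instance with an assumed forward noisy-OR infection model standing in for the chapter's Bayesian network, pins two constructed alerts as evidence, and keeps the high-probability instances and the edges among them as the attack path. Hostnames, file paths, the prior and the per-edge infection probability `tau` are all assumptions.

```python
from collections import defaultdict
from math import prod
# Constructed sample system-call records (host, process, syscall, object); not real data.
# The socket named by its connection tuple appears on both hosts, linking the per-host graphs.
SYSCALLS = [
    ("hostA", "sshd", "recvfrom", "sock:attacker->hostA:22"),
    ("hostA", "sshd", "write", "hostA:/tmp/drop"),
    ("hostA", "bash", "read", "hostA:/tmp/drop"),
    ("hostA", "bash", "sendto", "sock:hostA->hostB:80"),
    ("hostB", "httpd", "recvfrom", "sock:hostA->hostB:80"),
    ("hostB", "httpd", "write", "hostB:/var/www/up.php"),
    ("hostB", "cron", "read", "hostB:/etc/crontab"),  # unrelated benign activity
]
INBOUND = {"read", "recvfrom"}  # object -> process; write/sendto flow process -> object

def build_instance_graph(records):
    """Instance graph: an object gets a fresh instance each time it receives a
    dependency, so the creation order of nodes is also a topological order."""
    version, nodes, edges = defaultdict(int), [], []
    def current(obj):  # current instance of obj, creating instance #1 on first sight
        if version[obj] == 0:
            version[obj] = 1
            nodes.append(f"{obj}#1")
        return f"{obj}#{version[obj]}"
    def new_instance(obj):  # fresh instance of obj, linked from its previous instance
        prev, version[obj] = current(obj), version[obj] + 1
        nodes.append(f"{obj}#{version[obj]}")
        edges.append((prev, nodes[-1]))
        return nodes[-1]
    for host, proc, call, obj in records:
        proc = f"{host}:{proc}"
        src, dst = (obj, proc) if call in INBOUND else (proc, obj)
        edges.append((current(src), new_instance(dst)))
    return nodes, edges

def infer(nodes, edges, evidence, prior=0.01, tau=0.9):
    """Infection probability per instance under an assumed noisy-OR model: roots carry
    `prior`, an infected parent infects a child with probability `tau`, and `evidence`
    pins observed instances (1 = alert fired). Forward-only, unlike the chapter's BN."""
    prob = {}
    for n in nodes:  # topological order, so every parent is already scored
        par = [s for s, d in edges if d == n]
        if n in evidence:
            prob[n] = float(evidence[n])
        else:
            prob[n] = prior if not par else 1 - prod(1 - tau * prob[p] for p in par)
    return prob

def attack_path(nodes, edges, prob, threshold=0.5):
    """Instances at or above the threshold plus the dependency edges among them."""
    hot = [n for n in nodes if prob[n] >= threshold]
    return hot, [(s, d) for s, d in edges if s in hot and d in hot]
```

With alerts pinned on the inbound ssh socket on hostA and on httpd on hostB, the extracted path runs from that socket through sshd, /tmp/drop, bash and the hostA-to-hostB connection to httpd and the file it wrote, while cron's read of crontab stays below the threshold.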
Acknowledgements
This work was supported by ARO W911NF-15-1-0576, ARO W911NF-13-1-0421 (MURI), CNS-1422594, NIETP CAE Cybersecurity Grant, and NIST 60NANB16D241.
Copyright information
© 2017 Springer International Publishing AG
Cite this chapter
Sun, X., Dai, J., Liu, P., Singhal, A., Yen, J. (2017). Using Bayesian Networks to Fuse Intrusion Evidences and Detect Zero-Day Attack Paths. In: Network Security Metrics. Springer, Cham. https://doi.org/10.1007/978-3-319-66505-4_5
DOI: https://doi.org/10.1007/978-3-319-66505-4_5
Publisher Name: Springer, Cham
Print ISBN: 978-3-319-66504-7
Online ISBN: 978-3-319-66505-4
eBook Packages: Computer Science (R0)