Using Bayesian Networks to Fuse Intrusion Evidences and Detect Zero-Day Attack Paths

  • Xiaoyan Sun
  • Jun Dai
  • Peng LiuEmail author
  • Anoop Singhal
  • John Yen


This chapter studies the zero-day attack path identification problem. Detecting zero-day attacks is a fundamental challenge faced by enterprise network security defense. A multi-step attack involving one or more zero-day exploits forms a zero-day attack path. This chapter describes a prototype system called ZePro, which takes a probabilistic approach for zero-day attack path identification. ZePro first constructs a network-wide system object instance graph by parsing system calls collected from all hosts in the network, and then builds a Bayesian network on top of the instance graph. The instance-graph-based Bayesian network is able to incorporate the collected intrusion evidence and infer the probabilities of object instances being infected. By connecting the instances with high probabilities, ZePro is able to generate the zero-day attack paths. This chapter evaluated the effectiveness of ZePro for zero-day attack path identification.



This work was supported by ARO W911NF-15-1-0576, ARO W911NF-13-1-0421 (MURI), CNS-1422594, NIETP CAE Cybersecurity Grant, and NIST 60NANB16D241.


  1. 1.
    V. Chandola, A. Banerjee, V. Kumar, in Anomaly Detection: A Survey. ACM Computing Surveys (CSUR) (2009)Google Scholar
  2. 2.
    C. Kruegel, D. Mutz, F. Valeur, G. Vigna, in On the Detection of Anomalous System Call Arguments. ESORICS (2003)Google Scholar
  3. 3.
    S. Bhatkar, A. Chaturvedi, R. Sekar, in Dataflow Anomaly Detection. IEEE S&P (2006)Google Scholar
  4. 4.
    S. Jajodia, S. Noel, B. O’Berry, in Topological Analysis of Network Attack Vulnerability. Managing Cyber Threats (2005)Google Scholar
  5. 5.
    P. Ammann, D. Wijesekera, S. Kaushik, in Scalable, Graph-Based Network Vulnerability Analysis. ACM CCS (2002)Google Scholar
  6. 6.
    X. Ou, W.F. Boyer, M.A. McQueen, in A Scalable Approach to Attack Graph Generation. ACM CCS (2006)Google Scholar
  7. 7.
    X. Ou, S. Govindavajhala, A.W. Appel, in MulVAL: A Logic-Based Network Security Analyzer. USENIX security (2005)Google Scholar
  8. 8.
    S.T. King, Z.M. Mao, D.G. Lucchetti, P.M. Chen, in Enriching intrusion alerts through multi-host causality. NDSS (2005)Google Scholar
  9. 9.
    Y. Zhai, P. Ning, J. Xu, in Integrating IDS Alert Correlation and OS-Level Dependency Tracking. IEEE Intelligence and Security Informatics (2006)Google Scholar
  10. 10.
    J. Dai, X. Sun, P. Liu, in Patrol: Revealing Zero-Day Attack Paths Through Network-Wide System Object Dependencies. ESORICS (2013)Google Scholar
  11. 11.
    X. Sun, J. Dai, P. Liu, A. Singhal, J. Yen, in Towards Probabilistic Identification of Zero-day Attack Paths, IEEE Conference on Communications and Network Security (CNS 2016), Philadelphia, PA USA (2016)Google Scholar
  12. 12.
    S.T. King, P.M. Chen, in Backtracking Intrusions. ACM SIGOPS (2003)Google Scholar
  13. 13.
    X. Xiong, X. Jia, P. Liu, in Shelf: Preserving Business Continuity and Availability in an Intrusion Recovery System. ACSAC (2009)Google Scholar
  14. 14.
  15. 15.
  16. 16.
  17. 17.
    P. Xie, J. H. Li, X. Ou, P. Liu, R. Levy, in Using Bayesian Networks for Cyber Security Analysis. DSN (2010)Google Scholar
  18. 18.
  19. 19.
  20. 20.
  21. 21.
  22. 22.
  23. 23.
  24. 24.
    O.J. Mengshoel, Understanding the scalability of Bayesian network inference using clique tree growth curves. Artif. Intell. 174(12), 984–1006 (2010)CrossRefzbMATHMathSciNetGoogle Scholar
  25. 25.
    V. Krishna Namasivayam, V.K. Prasanna, in Scalable parallel implementation of exact inference in Bayesian networks. ICPADS (2006)Google Scholar
  26. 26.
    A. Darwiche, Recursive conditioning Artif. Intell. 126(1), 5–41 (2001)zbMATHMathSciNetGoogle Scholar

Copyright information

© Springer International Publishing AG 2017

Authors and Affiliations

  • Xiaoyan Sun
    • 1
  • Jun Dai
    • 1
  • Peng Liu
    • 2
    Email author
  • Anoop Singhal
    • 3
  • John Yen
    • 2
  1. 1.California State UniversitySacramentoUSA
  2. 2.The Pennsylvania State UniversityUniversity ParkUSA
  3. 3.Computer Security DivisionNISTGaithersburgUSA

Personalised recommendations