
Using Bayesian Networks to Fuse Intrusion Evidences and Detect Zero-Day Attack Paths

Chapter in: Network Security Metrics

Abstract

This chapter studies the zero-day attack path identification problem. Detecting zero-day attacks is a fundamental challenge for enterprise network defense. A multi-step attack that includes one or more zero-day exploits forms a zero-day attack path. This chapter describes a prototype system called ZePro, which takes a probabilistic approach to zero-day attack path identification. ZePro first constructs a network-wide system object instance graph by parsing system calls collected from every host in the network, and then builds a Bayesian network on top of that instance graph. The instance-graph-based Bayesian network incorporates the collected intrusion evidence and infers the probability that each object instance is infected. By connecting the instances with high probabilities, ZePro generates the zero-day attack paths. This chapter evaluates the effectiveness of ZePro for zero-day attack path identification.
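The pipeline the abstract describes (instance graph, Bayesian network on top of it, evidence fusion, thresholding into a path), as an added example that is not the chapter's or ZePro's code. The instance graph, the noisy-OR contagion weight RHO, the leak prior LEAK, the sensor rates TPR and FPR, and the alert set are all constructed assumptions; the chapter's own conditional probability tables and evidence model are not on this page, so the numbers below only illustrate the mechanism.

```python
"""Toy evidence-fusion Bayesian network over a system object instance graph.
Added example, not ZePro's code. Graph, CPT parameters, sensor rates and
alerts are all constructed."""
from itertools import product

# Constructed instance graph. Edge (src, dst) means src's state can flow into
# dst: a process writing a file, a process reading a file, a socket feeding a
# process. "host:object:n" names the n-th instance of that object.
EDGES = [
    ("web:httpd:1", "web:/tmp/upload:1"),      # upload handled by httpd
    ("web:/tmp/upload:1", "web:sh:1"),         # a shell reads the upload
    ("web:sh:1", "web:ssh:1"),                 # shell spawns an ssh client
    ("web:ssh:1", "db:sshd:1"),                # ssh client reaches the db host
    ("db:sshd:1", "db:/etc/shadow:1"),         # sshd's session reads shadow
    ("web:cron:1", "web:/var/log/syslog:1"),   # unrelated benign activity
]

# Constructed sensor observations. An alert is a noisy indicator of infection:
# P(alert | infected) = TPR, P(alert | clean) = FPR. Instances with no entry
# (the upload, the shell, the shadow file) carry no evidence of their own.
ALERTS = {"web:httpd:1": True, "web:ssh:1": True, "db:sshd:1": True,
          "web:cron:1": False}
TPR, FPR = 0.95, 0.02
RHO = 0.80   # assumed per-edge contagion probability (noisy-OR weight)
LEAK = 0.01  # assumed probability of infection with no infected parent


def topo_order(edges):
    """Return (topological order, parents map) for a DAG given as an edge list."""
    nodes = []
    for s, d in edges:
        for n in (s, d):
            if n not in nodes:
                nodes.append(n)
    parents = {n: [s for s, d in edges if d == n] for n in nodes}
    order, seen = [], set()

    def visit(n):
        if n in seen:
            return
        seen.add(n)
        for p in parents[n]:
            visit(p)
        order.append(n)

    for n in nodes:
        visit(n)
    return order, parents


def p_infected_given_parents(parent_states):
    """Noisy-OR CPT: the node stays clean only if the leak misses and every
    infected parent independently fails to spread to it."""
    clean = 1.0 - LEAK
    for infected in parent_states:
        if infected:
            clean *= 1.0 - RHO
    return 1.0 - clean


def joint_probability(assign, order, parents, alerts):
    """P(full infection assignment, observed alerts) under the network."""
    p = 1.0
    for n in order:
        pi = p_infected_given_parents(assign[q] for q in parents[n])
        p *= pi if assign[n] else 1.0 - pi
    for n, fired in alerts.items():
        like = TPR if assign[n] else FPR
        p *= like if fired else 1.0 - like
    return p


def posterior_infection(edges, alerts):
    """Exact marginals P(instance infected | alerts) by brute-force enumeration:
    exponential in the node count, fine for a toy graph only."""
    order, parents = topo_order(edges)
    total, mass = 0.0, {n: 0.0 for n in order}
    for bits in product((False, True), repeat=len(order)):
        assign = dict(zip(order, bits))
        w = joint_probability(assign, order, parents, alerts)
        total += w
        for n in order:
            if assign[n]:
                mass[n] += w
    return {n: mass[n] / total for n in order}


def zero_day_attack_path(edges, alerts, threshold=0.5):
    """Edges whose endpoints both exceed the threshold: the candidate path."""
    post = posterior_infection(edges, alerts)
    hot = {n for n, p in post.items() if p >= threshold}
    return [(s, d) for s, d in edges if s in hot and d in hot]


if __name__ == "__main__":
    for node, p in posterior_infection(EDGES, ALERTS).items():
        print(f"{p:5.2f}  {node}")
    for s, d in zero_day_attack_path(EDGES, ALERTS):
        print(f"{s} -> {d}")
```

Running it prints a posterior per instance followed by the extracted path. The point to notice is that web:/tmp/upload:1 and web:sh:1 have no alert of their own, yet come out above the threshold: alerts at both ends of the chain are jointly best explained by the whole chain being infected, whereas the cron branch stays near its prior. Two caveats a practitioner would check before trusting such output: enumeration is exponential in the number of instances, so a network-wide graph needs a proper inference engine rather than this loop; and under a noisy-OR model any file written by a high-probability process inherits a high probability, so the threshold and RHO trade off missed attack steps against spurious branches.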



Acknowledgements

This work was supported by ARO W911NF-15-1-0576, ARO W911NF-13-1-0421 (MURI), CNS-1422594, NIETP CAE Cybersecurity Grant, and NIST 60NANB16D241.

Author information

Corresponding author: Peng Liu


Copyright information

© 2017 Springer International Publishing AG

About this chapter


Cite this chapter

Sun, X., Dai, J., Liu, P., Singhal, A., Yen, J. (2017). Using Bayesian Networks to Fuse Intrusion Evidences and Detect Zero-Day Attack Paths. In: Network Security Metrics. Springer, Cham. https://doi.org/10.1007/978-3-319-66505-4_5


  • DOI: https://doi.org/10.1007/978-3-319-66505-4_5


  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-319-66504-7

  • Online ISBN: 978-3-319-66505-4
