Abstract
Identifying attack paths in an enterprise network is strategically necessary and critical for security defense. However, there has been insufficient effort in studying how to identify an attack path that goes through unknown security holes. In this paper, we define such attack paths as zero-day attack paths and propose a prototype system named Patrol to identify them at runtime. Using system calls, Patrol builds a network-wide system object dependency graph that captures dependency relations between OS objects, and identifies suspicious intrusion propagation paths in it as candidate zero-day attack paths through forward and backward tracking from intrusion symptoms. Patrol further identifies highly suspicious candidates among these paths by recognizing indicators of unknown vulnerability exploitation along the paths through rule-based checking. Our evaluation shows that Patrol works accurately and effectively at runtime with acceptable performance overhead.
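As an added illustration of the approach the abstract describes (this is not code from the Patrol paper or its authors), the Python below builds a small network-wide system object dependency graph from constructed audit records, runs forward tracking from one intrusion symptom (an IDS alert on an inbound connection) and backward tracking from a second symptom (a file-integrity alert on another host), intersects the two into a candidate attack path, and then applies two illustrative rule checks for exploitation indicators. The record format, host and process names, timestamps, and the two rules are all assumptions made for the example; Patrol's own syscall instrumentation and rule set are not reproduced here.

```python
from collections import defaultdict

# Constructed audit records (not real Patrol data): (time, subject, op, object).
# Subjects are processes named host:pid:comm. Objects are files (host:path),
# processes, or sockets named net:src->dst; a socket name is shared by the
# sending and receiving hosts, which is what makes the graph network-wide.
AUDIT = [
    (0,  "web:50:cron",     "write", "web:/var/log/cron"),
    (1,  "web:101:httpd",   "recv",  "net:203.0.113.5->web:80"),
    (2,  "web:101:httpd",   "write", "web:/tmp/x"),
    (3,  "web:101:httpd",   "write", "web:/var/log/access.log"),
    (4,  "web:101:httpd",   "fork",  "web:150:sh"),
    (5,  "web:150:sh",      "exec",  "web:/tmp/x"),
    (6,  "web:150:sh",      "read",  "web:/root/.ssh/id_rsa"),
    (7,  "web:150:sh",      "send",  "net:web:5555->db:22"),
    (8,  "db:200:sshd",     "recv",  "net:web:5555->db:22"),
    (9,  "db:200:sshd",     "fork",  "db:210:bash"),
    (10, "db:210:bash",     "write", "db:/etc/passwd"),
    (11, "db:60:logrotate", "write", "db:/var/log/syslog"),
]

INTO_SUBJECT = {"recv", "read", "exec"}     # information flows object -> subject
OUT_OF_SUBJECT = {"send", "write", "fork"}  # information flows subject -> object


def build_graph(records):
    """Turn audit records into time-stamped dependency edges plus adjacency maps."""
    edges = []
    for t, subj, op, obj in records:
        if op in INTO_SUBJECT:
            edges.append((obj, subj, t, op))
        elif op in OUT_OF_SUBJECT:
            edges.append((subj, obj, t, op))
        else:
            raise ValueError(f"unknown operation {op!r}")
    out_adj, in_adj = defaultdict(list), defaultdict(list)
    for u, v, t, op in edges:
        out_adj[u].append((v, t, op))
        in_adj[v].append((u, t, op))
    return edges, out_adj, in_adj


def backward_track(in_adj, symptom, t_symptom):
    """Nodes that could have influenced `symptom` by t_symptom, mapped to the
    latest time each could have done so (edges must precede the dependent event)."""
    latest, work = {symptom: t_symptom}, [symptom]
    while work:
        v = work.pop()
        for u, t, _ in in_adj[v]:
            if t <= latest[v] and t > latest.get(u, -1):
                latest[u] = t
                work.append(u)
    return latest


def forward_track(out_adj, origin, t_origin):
    """Nodes that `origin` could have influenced from t_origin on, mapped to the
    earliest time each was reached (edges must follow the influencing event)."""
    earliest, work = {origin: t_origin}, [origin]
    while work:
        u = work.pop()
        for v, t, _ in out_adj[u]:
            if t >= earliest[u] and t < earliest.get(v, float("inf")):
                earliest[v] = t
                work.append(v)
    return earliest


def candidate_path(edges, out_adj, in_adj, origin, t_origin, symptom, t_symptom):
    """Edges lying on a time-consistent causal path from one symptom to the other:
    the origin reached u before the edge fired, and v still had time to reach the symptom."""
    fwd = forward_track(out_adj, origin, t_origin)
    bwd = backward_track(in_adj, symptom, t_symptom)
    return [(u, v, t, op) for u, v, t, op in edges
            if u in fwd and v in bwd and fwd[u] <= t <= bwd[v]]


def check_indicators(path_edges):
    """Illustrative rule-based check (assumed rules, not Patrol's) over a candidate path:
    a file written and later executed along the path, and a send/recv hop across hosts."""
    hits = []
    writes = {(v, t) for _, v, t, op in path_edges if op == "write"}
    for u, v, t, op in path_edges:
        if op == "exec" and any(f == u and tw < t for f, tw in writes):
            hits.append(f"dropped-and-executed file {u} (exec by {v} at t={t})")
        if op == "recv" and u.startswith("net:") and any(
                x == u and op2 == "send" and t2 < t for _, x, t2, op2 in path_edges):
            hits.append(f"cross-host propagation over {u} into {v} at t={t}")
    return hits


def analyze(records, origin, t_origin, symptom, t_symptom):
    edges, out_adj, in_adj = build_graph(records)
    path = candidate_path(edges, out_adj, in_adj, origin, t_origin, symptom, t_symptom)
    return path, check_indicators(path)


if __name__ == "__main__":
    # Symptom 1: IDS alert on the inbound connection at t=1.
    # Symptom 2: file-integrity alert on db:/etc/passwd at t=10.
    path, hits = analyze(AUDIT, "net:203.0.113.5->web:80", 1, "db:/etc/passwd", 10)
    for u, v, t, op in sorted(path, key=lambda e: e[2]):
        print(f"t={t:2d} {u} --{op}--> {v}")
    for h in hits:
        print("indicator:", h)
```

The time checks are what keep the path from swelling into everything the web server ever touched: `web:/var/log/access.log` is reachable forward from the alert but cannot have influenced the symptom, and the credential file read at t=6 feeds the path but is not itself reachable from the inbound connection, so neither survives the intersection. The two rules are deliberately simple stand-ins for the kind of exploitation indicator a practitioner would encode; a real rule set would draw on far richer syscall context.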
Copyright information
© 2013 Springer-Verlag Berlin Heidelberg
Cite this paper
Dai, J., Sun, X., Liu, P. (2013). Patrol: Revealing Zero-Day Attack Paths through Network-Wide System Object Dependencies. In: Crampton, J., Jajodia, S., Mayes, K. (eds) Computer Security – ESORICS 2013. ESORICS 2013. Lecture Notes in Computer Science, vol 8134. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-40203-6_30
DOI: https://doi.org/10.1007/978-3-642-40203-6_30
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-642-40202-9
Online ISBN: 978-3-642-40203-6
eBook Packages: Computer Science (R0)