Automatic Evaluation and Signature Generation Technique for Thwarting Zero-Day Attacks

  • Ratinder Kaur
  • Maninder Singh
Conference paper
Part of the Communications in Computer and Information Science book series (CCIS, volume 420)


Zero-day attack is a cyber-attack which exploits vulnerabilities that have not been disclosed publicly. Zero-day attacks are very expensive and powerful attack tools. They are used in conjunction with highly sophisticated and targeted attacks to achieve stealthiness with respect to standard intrusion detection techniques. Zero-day attacks are unknown and have no signature so they are difficult to detect. This paper presents a novel and efficient technique for detecting zero-day attacks. The proposed technique detects obfuscated zero-day attacks with two-level evaluation, generates signature for new attack automatically and updates other sensors by using push technology via global hotfix feature.


Zero-Day Attack Honeynet Obfuscation Signature Generation Push Technology 


Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.


  1. 1.
    Bilge, L., Dumitras, T.: Before We Knew It: An Empirical Study of Zero-Day Attacks In The Real World. In: ACM Conference on Computer and Communications Security, pp. 833–844. ACM Press, New York (2012)Google Scholar
  2. 2.
    Symantec’s Internet Threat Report of 2013 (2013),
  3. 3.
    Crandall, J.R., Su, Z., Wu, S.F.: On Deriving Unknown Vulnerabilities from Zero-day Polymorphic and Metamorphic Worm Exploits. In: 12th ACM Conference on Computer and Communications Security, pp. 235–248. ACM Press, New York (2005)Google Scholar
  4. 4.
    Cheetancheri, S.: Collaborative Defense against Zero-day and Polymorphic Worms: Detection, Response and an Evaluation Framework. PhD Thesis, University of California (2007)Google Scholar
  5. 5.
    Schoelkopf, B., Platt, J., Shawe-Taylor, J., Smola, A., Williamson, R.: Estimating the Support of a High-Dimensional Distribution. J. Neural Computation 13(7), 1443–1471 (2001)CrossRefzbMATHGoogle Scholar
  6. 6.
    Sun, W.C., Chen, Y.M.: A Rough Set Approach for Automatic Key Attributes Identification of Zero-day Polymorphic Worms. J. Expert Systems with Applications 36(3), 4672–4679 (2009)CrossRefGoogle Scholar
  7. 7.
    Almotairi, S., Clark, A., Mohay, G., Zimmermann, J.: A Technique for Detecting New Attacks in Low-Interaction Honeypot Traffic. In: 4th International Conference on Internet Monitoring and Protection, pp. 7–13. IEEE Computer Society, Washington, DC (2009)Google Scholar
  8. 8.
    Newsome, J., Karp, B., Song, D.: Polygraph: Automatically Generating Signatures for Polymorphic Worms. In: IEEE Symposium on Security and Privacy, pp. 226–241. IEEE Press, New York (2005)Google Scholar
  9. 9.
    Portokalidis, G., Bos, H.: SweetBait: Zero-hour Worm Detection and Containment using Low-and High-Interaction Honeypots. J. Computer and Telecommunications Networking 51(5), 1256–1274 (2007)zbMATHGoogle Scholar
  10. 10.
    Wang, K., Cretu, G.F., Stolfo, S.J.: Anomalous Payload-based Worm Detection and Signature Generation. In: Valdes, A., Zamboni, D. (eds.) RAID 2005. LNCS, vol. 3858, pp. 227–246. Springer, Heidelberg (2006)CrossRefGoogle Scholar
  11. 11.
    Kruegel, C., Kirda, E., Mutz, D., Robertson, W., Vigna, G.: Polymorphic Worm Detection using Structural Information of Executables. In: Valdes, A., Zamboni, D. (eds.) RAID 2005. LNCS, vol. 3858, pp. 207–226. Springer, Heidelberg (2006)CrossRefGoogle Scholar
  12. 12.
    Wang, L., Li, Z., Chen, Y., Fu, Z., Li, X.: Thwarting Zero-day Polymorphic Worms with Network-level Length-based Signature Generation. J. IEEE/ACM Transactions on Networking (TON) 18(1), 53–66 (2010)CrossRefGoogle Scholar
  13. 13.
    Polychronakis, M., Anagnostakis, K.G., Markatos, E.P.: Network-level Polymorphic Shellcode Detection using Emulation. J. Computer Virology 2(4), 257–274 (2006)CrossRefGoogle Scholar
  14. 14.
    Leita, C., Dacier, M.: SGNET: A Distributed Infrastructure to Handle Zero-day Exploits. Research Report, EURECOM institute (2007)Google Scholar
  15. 15.
    Ting, C., Xiaosong, Z., Zhi, L.: A hybrid detection approach for zero-day polymorphic shellcodes. In: International Conference on E-Business and Information System Security, pp. 1–5. IEEE, Wuhan (2009)Google Scholar
  16. 16.
    Li, Z., Sanghi, M., Chen, Y., Kao, M.Y., Chavez, B.: Hamsa: Fast Signature Generation for Zero-day Polymorphic Worms with Provable Attack Resilience. In: Symposium on Security and Privacy, pp. 15–47. IEEE, Oakland (2006)Google Scholar
  17. 17.
  18. 18.
    Polychronakis, M., Anagnostakis, K.G., Markatos, E.P.: Emulation-Based Detection of Non-self-contained Polymorphic Shellcode. In: Kruegel, C., Lippmann, R., Clark, A. (eds.) RAID 2007. LNCS, vol. 4637, pp. 87–106. Springer, Heidelberg (2007)CrossRefGoogle Scholar
  19. 19.
    Alazab, M., Venkatraman, S., Watters, P., Alazab, M.: Zero-day Malware Detection based on Supervised Learning Algorithms of api call signatures. In: 9th Australasian Data Mining Conference (AusDM 2011), Ballarat, Australia, pp. 171–182 (2011)Google Scholar
  20. 20.
    Aleroud, A., Karabtis, G.: A Contextual Anomaly Detection Approach to Discover Zero-day Attacks. In: IEEE International Conference on Cyber Security (CYBERSECURITY 2012), Washington, pp. 40–15 (2012)Google Scholar
  21. 21.
    Jain, P., Sardana, A.: Defending Against Internet Worms Using Honeyfarm. In: CUBE International Information Technology Conference (CUBE 2012), Pune, India, pp. 795–800 (2012)Google Scholar
  22. 22.
    Tang, Y., Chen, S.: An Automated Signature-based Approach against Polymorphic Internet Worms. J. IEEE Transactions on Parallel and Distributed Systems 18(7), 879–892 (2007)CrossRefMathSciNetGoogle Scholar
  23. 23.
    Comar, P.M., Liu, L., Saha, S., Tan, P.N., Nucci, A.: Combining Supervised and Unsupervised Learning for Zero-day Malware Detection. In: IEEE INFOCOM, Turin, pp. 2022–2030 (2013)Google Scholar
  24. 24.
    Aleroud, A., Karabtis, G.: Toward Zero-Day Attack Identification Using Linear Data Transformation Techniques. In: 7th IEEE International Conference on Software Security and Reliability (SERE 2013), Gaithersburg, MD, pp. 159–168 (2013)Google Scholar
  25. 25.
    Paul, S., Mishra, B.K.: PolyS: Network-based Signature Generation for Zero-day Polymorphic Worms. International Journal of Grid and Distributed Computing 6(4), 63–74 (2013)CrossRefGoogle Scholar

Copyright information

© Springer-Verlag Berlin Heidelberg 2014

Authors and Affiliations

  • Ratinder Kaur
    • 1
  • Maninder Singh
    • 1
  1. 1.Computer Science and Engineering DepartmentThapar UniversityPatialaIndia

Personalised recommendations