Using Bayesian Networks for Probabilistic Identification of Zero-Day Attack Paths

Xiaoyan Sun, Jun Dai, Peng Liu, Anoop Singhal, John Yen

Research output: Contribution to journal › Article

9 Citations (Scopus)

Abstract

Enforcing a variety of security measures (such as intrusion detection systems) can provide a certain level of protection to computer networks. However, such security practices often fall short in the face of zero-day attacks. Due to the information asymmetry between attackers and defenders, detecting zero-day attacks remains a challenge. Instead of targeting individual zero-day exploits, revealing them on an attack path is a substantially more feasible strategy. Attack paths that go through one or more zero-day exploits are called zero-day attack paths. In this paper, we propose a probabilistic approach and implement a prototype system, ZePro, for zero-day attack path identification. In our approach, a zero-day attack path is essentially a graph. To capture the zero-day attack, a dependency graph named the object instance graph is first built as a supergraph by analyzing system calls. To further reveal the zero-day attack paths hidden in the supergraph, our system builds a Bayesian network based upon the instance graph. Taking intrusion evidence as input, the Bayesian network computes the probabilities of object instances being infected. Connecting the high-probability instances through dependency relations forms a path, which is the zero-day attack path. The experimental results demonstrate the effectiveness of ZePro for zero-day attack path identification.
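The abstract describes a four-stage pipeline: derive a dependency graph from system calls, turn it into a Bayesian network, enter intrusion evidence, and join the instances with high posterior infection probability into a path. The following is an added toy illustration of that pipeline and is not ZePro's code or the paper's model. It assumes a constructed seven-line system-call trace, a noisy-OR conditional probability table with assumed parameters LEAK and TRANSMIT, one instance per object (the paper versions objects into instances so the graph is acyclic; here a cyclic trace is rejected instead), and exact inference by enumeration, which only scales to a few dozen nodes.

```python
"""Toy pipeline: syscall trace -> dependency graph -> Bayesian network ->
posterior infection probabilities -> attack path. Added illustration,
not ZePro's code; trace, parameters and simplifications are assumptions."""
from collections import defaultdict
from itertools import product

# Constructed trace: (syscall, subject process, object). Not real log data.
TRACE = [
    ("recv",  "proc:sshd",   "sock:203.0.113.5:4444"),  # inbound connection
    ("write", "proc:sshd",   "file:/tmp/payload"),
    ("read",  "proc:bash",   "file:/tmp/payload"),
    ("exec",  "proc:bash",   "proc:helper"),
    ("write", "proc:helper", "file:/etc/passwd"),
    ("read",  "proc:cron",   "file:/etc/crontab"),      # unrelated benign activity
    ("write", "proc:cron",   "file:/var/log/cron"),
]

# Assumed noisy-OR parameters for P(instance infected | parents).
LEAK = 0.01       # infected with no infected parent (e.g. an unobserved channel)
TRANSMIT = 0.90   # an infected parent contaminates its child via the dependency


def flow(syscall, subject, obj):
    """Direction of information flow for one syscall: (source, sink)."""
    if syscall in ("read", "recv"):
        return obj, subject          # object contents flow into the process
    return subject, obj              # write/exec: the process contaminates the object


def build_instance_graph(trace):
    """Dependency graph as (ordered node list, parents map). One instance per
    object (simplification); a cyclic trace is rejected because a Bayesian
    network must be a DAG."""
    nodes, parents = [], defaultdict(list)
    for syscall, subject, obj in trace:
        src, dst = flow(syscall, subject, obj)
        for n in (src, dst):
            if n not in nodes:
                nodes.append(n)
        if src not in parents[dst]:
            parents[dst].append(src)
    # Kahn's algorithm: every node must be reachable from the roots without a cycle.
    indeg = {n: len(parents[n]) for n in nodes}
    ready = [n for n in nodes if indeg[n] == 0]
    seen = 0
    while ready:
        n = ready.pop()
        seen += 1
        for m in nodes:
            if n in parents[m]:
                indeg[m] -= 1
                if indeg[m] == 0:
                    ready.append(m)
    if seen != len(nodes):
        raise ValueError("dependency graph has a cycle; version the objects first")
    return nodes, parents


def p_infected(node, state, parents):
    """Noisy-OR conditional: each infected parent transmits independently."""
    k = sum(state[p] for p in parents[node])
    return 1.0 - (1.0 - LEAK) * (1.0 - TRANSMIT) ** k


def posteriors(nodes, parents, evidence):
    """Exact inference by enumeration over the joint distribution.
    evidence maps node -> 0/1 for instances an IDS or integrity check observed."""
    marg = dict.fromkeys(nodes, 0.0)
    total = 0.0
    for bits in product((0, 1), repeat=len(nodes)):
        state = dict(zip(nodes, bits))
        if any(state[n] != v for n, v in evidence.items()):
            continue                 # inconsistent with the observed evidence
        pr = 1.0
        for n in nodes:
            p = p_infected(n, state, parents)
            pr *= p if state[n] else 1.0 - p
        total += pr
        for n in nodes:
            if state[n]:
                marg[n] += pr
    return {n: marg[n] / total for n in nodes}


def attack_path(nodes, parents, post, threshold=0.5):
    """High-probability instances joined by the dependency edges between them."""
    hot = [n for n in nodes if post[n] >= threshold]
    edges = [(p, n) for n in hot for p in parents[n] if p in hot]
    return hot, edges


if __name__ == "__main__":
    nodes, parents = build_instance_graph(TRACE)
    # Evidence: an alert on the inbound socket and an integrity alert on /etc/passwd.
    post = posteriors(nodes, parents, {"sock:203.0.113.5:4444": 1, "file:/etc/passwd": 1})
    for n in nodes:
        print(f"{post[n]:.3f}  {n}")
    print(attack_path(nodes, parents, post))
```

With the two pieces of evidence entered, every instance on the sshd → /tmp/payload → bash → helper → /etc/passwd chain ends up with posterior above 0.99 while the cron branch stays near its prior, so the path extraction returns exactly the contaminated chain. Observing bash as clean instead removes helper and /etc/passwd from the path, which is the behaviour a practitioner should check before trusting such a model: negative evidence must be able to cut a path, not only positive evidence extend it.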

Original language: English (US)
Pages (from-to): 2506-2521
Number of pages: 16
Journal: IEEE Transactions on Information Forensics and Security
Volume: 13
Issue number: 10
DOI: 10.1109/TIFS.2018.2821095
State: Published - Oct 2018

Fingerprint

Bayesian networks
Intrusion detection
Computer networks
Experiments

All Science Journal Classification (ASJC) codes

  • Safety, Risk, Reliability and Quality
  • Computer Networks and Communications

Cite this

@article{6722f42e4d86470387f1402dcf5c541f,
title = "Using Bayesian Networks for Probabilistic Identification of Zero-Day Attack Paths",
abstract = "Enforcing a variety of security measures (such as intrusion detection systems) can provide a certain level of protection to computer networks. However, such security practices often fall short in the face of zero-day attacks. Due to the information asymmetry between attackers and defenders, detecting zero-day attacks remains a challenge. Instead of targeting individual zero-day exploits, revealing them on an attack path is a substantially more feasible strategy. Attack paths that go through one or more zero-day exploits are called zero-day attack paths. In this paper, we propose a probabilistic approach and implement a prototype system, ZePro, for zero-day attack path identification. In our approach, a zero-day attack path is essentially a graph. To capture the zero-day attack, a dependency graph named the object instance graph is first built as a supergraph by analyzing system calls. To further reveal the zero-day attack paths hidden in the supergraph, our system builds a Bayesian network based upon the instance graph. Taking intrusion evidence as input, the Bayesian network computes the probabilities of object instances being infected. Connecting the high-probability instances through dependency relations forms a path, which is the zero-day attack path. The experimental results demonstrate the effectiveness of ZePro for zero-day attack path identification.",
author = "Xiaoyan Sun and Jun Dai and Peng Liu and Anoop Singhal and John Yen",
year = "2018",
month = "10",
doi = "10.1109/TIFS.2018.2821095",
language = "English (US)",
volume = "13",
pages = "2506--2521",
journal = "IEEE Transactions on Information Forensics and Security",
issn = "1556-6013",
publisher = "Institute of Electrical and Electronics Engineers Inc.",
number = "10",

}

Using Bayesian Networks for Probabilistic Identification of Zero-Day Attack Paths. / Sun, Xiaoyan; Dai, Jun; Liu, Peng; Singhal, Anoop; Yen, John.

In: IEEE Transactions on Information Forensics and Security, Vol. 13, No. 10, 10.2018, p. 2506-2521.

Research output: Contribution to journal › Article

TY - JOUR

T1 - Using Bayesian Networks for Probabilistic Identification of Zero-Day Attack Paths

AU - Sun, Xiaoyan

AU - Dai, Jun

AU - Liu, Peng

AU - Singhal, Anoop

AU - Yen, John

PY - 2018/10

Y1 - 2018/10

N2 - Enforcing a variety of security measures (such as intrusion detection systems) can provide a certain level of protection to computer networks. However, such security practices often fall short in the face of zero-day attacks. Due to the information asymmetry between attackers and defenders, detecting zero-day attacks remains a challenge. Instead of targeting individual zero-day exploits, revealing them on an attack path is a substantially more feasible strategy. Attack paths that go through one or more zero-day exploits are called zero-day attack paths. In this paper, we propose a probabilistic approach and implement a prototype system, ZePro, for zero-day attack path identification. In our approach, a zero-day attack path is essentially a graph. To capture the zero-day attack, a dependency graph named the object instance graph is first built as a supergraph by analyzing system calls. To further reveal the zero-day attack paths hidden in the supergraph, our system builds a Bayesian network based upon the instance graph. Taking intrusion evidence as input, the Bayesian network computes the probabilities of object instances being infected. Connecting the high-probability instances through dependency relations forms a path, which is the zero-day attack path. The experimental results demonstrate the effectiveness of ZePro for zero-day attack path identification.

AB - Enforcing a variety of security measures (such as intrusion detection systems) can provide a certain level of protection to computer networks. However, such security practices often fall short in the face of zero-day attacks. Due to the information asymmetry between attackers and defenders, detecting zero-day attacks remains a challenge. Instead of targeting individual zero-day exploits, revealing them on an attack path is a substantially more feasible strategy. Attack paths that go through one or more zero-day exploits are called zero-day attack paths. In this paper, we propose a probabilistic approach and implement a prototype system, ZePro, for zero-day attack path identification. In our approach, a zero-day attack path is essentially a graph. To capture the zero-day attack, a dependency graph named the object instance graph is first built as a supergraph by analyzing system calls. To further reveal the zero-day attack paths hidden in the supergraph, our system builds a Bayesian network based upon the instance graph. Taking intrusion evidence as input, the Bayesian network computes the probabilities of object instances being infected. Connecting the high-probability instances through dependency relations forms a path, which is the zero-day attack path. The experimental results demonstrate the effectiveness of ZePro for zero-day attack path identification.

UR - http://www.scopus.com/inward/record.url?scp=85044761756&partnerID=8YFLogxK

UR - http://www.scopus.com/inward/citedby.url?scp=85044761756&partnerID=8YFLogxK

U2 - 10.1109/TIFS.2018.2821095

DO - 10.1109/TIFS.2018.2821095

M3 - Article

AN - SCOPUS:85044761756

VL - 13

SP - 2506

EP - 2521

JO - IEEE Transactions on Information Forensics and Security

JF - IEEE Transactions on Information Forensics and Security

SN - 1556-6013

IS - 10

ER -