Using Bayesian networks to fuse intrusion evidences and detect zero-day attack paths

Xiaoyan Sun, Jun Dai, Peng Liu, Anoop Singhal, John Yen

Research output: Chapter in Book/Report/Conference proceeding › Chapter

2 Citations (Scopus)

Abstract

This chapter studies the zero-day attack path identification problem. Detecting zero-day attacks is a fundamental challenge faced by enterprise network security defense. A multi-step attack involving one or more zero-day exploits forms a zero-day attack path. This chapter describes a prototype system called ZePro, which takes a probabilistic approach for zero-day attack path identification. ZePro first constructs a network-wide system object instance graph by parsing system calls collected from all hosts in the network, and then builds a Bayesian network on top of the instance graph. The instance-graph-based Bayesian network is able to incorporate the collected intrusion evidence and infer the probabilities of object instances being infected. By connecting the instances with high probabilities, ZePro is able to generate the zero-day attack paths. This chapter evaluated the effectiveness of ZePro for zero-day attack path identification.

Original language: English (US)
Title of host publication: Network Security Metrics
Publisher: Springer International Publishing
Pages: 95-115
Number of pages: 21
ISBN (Electronic): 9783319665054
ISBN (Print): 9783319665047
DOIs: https://doi.org/10.1007/978-3-319-66505-4_5
State: Published - Nov 15 2017

All Science Journal Classification (ASJC) codes

  • Computer Science(all)

Cite this

Sun, X., Dai, J., Liu, P., Singhal, A., & Yen, J. (2017). Using Bayesian networks to fuse intrusion evidences and detect zero-day attack paths. In Network Security Metrics (pp. 95-115). Springer International Publishing. https://doi.org/10.1007/978-3-319-66505-4_5
Sun, Xiaoyan ; Dai, Jun ; Liu, Peng ; Singhal, Anoop ; Yen, John. / Using Bayesian networks to fuse intrusion evidences and detect zero-day attack paths. Network Security Metrics. Springer International Publishing, 2017. pp. 95-115
@inbook{423917602c0742c6a7ac7e340dd39207,
title = "Using Bayesian networks to fuse intrusion evidences and detect zero-day attack paths",
abstract = "This chapter studies the zero-day attack path identification problem. Detecting zero-day attacks is a fundamental challenge faced by enterprise network security defense. A multi-step attack involving one or more zero-day exploits forms a zero-day attack path. This chapter describes a prototype system called ZePro, which takes a probabilistic approach for zero-day attack path identification. ZePro first constructs a network-wide system object instance graph by parsing system calls collected from all hosts in the network, and then builds a Bayesian network on top of the instance graph. The instance-graph-based Bayesian network is able to incorporate the collected intrusion evidence and infer the probabilities of object instances being infected. By connecting the instances with high probabilities, ZePro is able to generate the zero-day attack paths. This chapter evaluated the effectiveness of ZePro for zero-day attack path identification.",
author = "Xiaoyan Sun and Jun Dai and Peng Liu and Anoop Singhal and John Yen",
year = "2017",
month = "11",
day = "15",
doi = "10.1007/978-3-319-66505-4_5",
language = "English (US)",
isbn = "9783319665047",
pages = "95--115",
booktitle = "Network Security Metrics",
publisher = "Springer International Publishing",

}

Sun, X, Dai, J, Liu, P, Singhal, A & Yen, J 2017, Using Bayesian networks to fuse intrusion evidences and detect zero-day attack paths. in Network Security Metrics. Springer International Publishing, pp. 95-115. https://doi.org/10.1007/978-3-319-66505-4_5

Using Bayesian networks to fuse intrusion evidences and detect zero-day attack paths. / Sun, Xiaoyan; Dai, Jun; Liu, Peng; Singhal, Anoop; Yen, John.

Network Security Metrics. Springer International Publishing, 2017. p. 95-115.

TY  - CHAP
T1  - Using Bayesian networks to fuse intrusion evidences and detect zero-day attack paths
AU  - Sun, Xiaoyan
AU  - Dai, Jun
AU  - Liu, Peng
AU  - Singhal, Anoop
AU  - Yen, John
PY  - 2017/11/15
Y1  - 2017/11/15
N2  - This chapter studies the zero-day attack path identification problem. Detecting zero-day attacks is a fundamental challenge faced by enterprise network security defense. A multi-step attack involving one or more zero-day exploits forms a zero-day attack path. This chapter describes a prototype system called ZePro, which takes a probabilistic approach for zero-day attack path identification. ZePro first constructs a network-wide system object instance graph by parsing system calls collected from all hosts in the network, and then builds a Bayesian network on top of the instance graph. The instance-graph-based Bayesian network is able to incorporate the collected intrusion evidence and infer the probabilities of object instances being infected. By connecting the instances with high probabilities, ZePro is able to generate the zero-day attack paths. This chapter evaluated the effectiveness of ZePro for zero-day attack path identification.
AB  - This chapter studies the zero-day attack path identification problem. Detecting zero-day attacks is a fundamental challenge faced by enterprise network security defense. A multi-step attack involving one or more zero-day exploits forms a zero-day attack path. This chapter describes a prototype system called ZePro, which takes a probabilistic approach for zero-day attack path identification. ZePro first constructs a network-wide system object instance graph by parsing system calls collected from all hosts in the network, and then builds a Bayesian network on top of the instance graph. The instance-graph-based Bayesian network is able to incorporate the collected intrusion evidence and infer the probabilities of object instances being infected. By connecting the instances with high probabilities, ZePro is able to generate the zero-day attack paths. This chapter evaluated the effectiveness of ZePro for zero-day attack path identification.
UR  - http://www.scopus.com/inward/record.url?scp=85042706016&partnerID=8YFLogxK
UR  - http://www.scopus.com/inward/citedby.url?scp=85042706016&partnerID=8YFLogxK
U2  - 10.1007/978-3-319-66505-4_5
DO  - 10.1007/978-3-319-66505-4_5
M3  - Chapter
AN  - SCOPUS:85042706016
SN  - 9783319665047
SP  - 95
EP  - 115
BT  - Network Security Metrics
PB  - Springer International Publishing
ER  -

Sun X, Dai J, Liu P, Singhal A, Yen J. Using Bayesian networks to fuse intrusion evidences and detect zero-day attack paths. In Network Security Metrics. Springer International Publishing. 2017. p. 95-115 https://doi.org/10.1007/978-3-319-66505-4_5