Using Bayesian Networks for Probabilistic Identification of Zero-Day Attack Paths

Abstract: Enforcing a variety of security measures (such as intrusion detection systems, and so on) can provide a certain level of protection to computer networks. However, such security practices often fall short in the face of zero-day attacks. Due to the information asymmetry between attackers and defenders, detecting zero-day attacks remains a challenge. Instead of targeting individual zero-day exploits, revealing them on an attack path is a substantially more feasible strategy. Such attack paths that go through one or more zero-day exploits are called zero-day attack paths. In this paper, we propose a probabilistic approach and implement a prototype system, ZePro, for zero-day attack path identification. In our approach, a zero-day attack path is essentially a graph. To capture the zero-day attack, a dependency graph named the object instance graph is first built as a supergraph by analyzing system calls. To further reveal the zero-day attack paths hidden in the supergraph, our system builds a Bayesian network based upon the instance graph. By taking intrusion evidence as input, the Bayesian network is able to compute the probabilities of object instances being infected. Connecting the high-probability instances through dependency relations forms a path, which is the zero-day attack path. The experimental results demonstrate the effectiveness of ZePro for zero-day attack path identification.

Bibliographic details

Published in: IEEE Transactions on Information Forensics and Security, 2018-10, Vol. 13 (10), pp. 2506-2521
Main authors: Sun, Xiaoyan; Dai, Jun; Liu, Peng; Singhal, Anoop; Yen, John
Format: Article
Language: English
DOI: 10.1109/TIFS.2018.2821095
ISSN: 1556-6013
EISSN: 1556-6021
Source: IEEE Electronic Library (IEL)
Subjects: Bayes methods; Bayesian networks; Computer networks; computer security; Electronic mail; Intrusion detection; network security; Probabilistic logic; probability; Prototypes; Security; Sockets; system call; zero-day attack