Two-Level Automated Approach for Defending Against Obfuscated Zero-Day Attacks
Details
  • Keywords: Zero-day attacks; Unknown attacks; Obfuscation; Signature generation; Push technology
  • Journal: Lecture Notes in Computer Science
  • Publication year: 2015
  • Volume: 8924
  • Issue: 1
  • Pages: 164-179
  • Full-text size: 1,543 KB
  • Authors and affiliations: Ratinder Kaur (16)
    Maninder Singh (16)

    16. Computer Science and Engineering Department, Thapar University, Patiala, 147004, India
  • Book series: Risks and Security of Internet and Systems
  • ISBN: 978-3-319-17127-2
  • Category: Computer Science
  • Subjects: Artificial Intelligence and Robotics
    Computer Communication Networks
    Software Engineering
    Data Encryption
    Database Management
    Computation by Abstract Devices
    Algorithm Analysis and Problem Complexity
  • Publisher: Springer Berlin / Heidelberg
  • ISSN: 1611-3349
Abstract
A zero-day attack is one that exploits a vulnerability for which no patch is readily available and of which the developer or vendor may or may not be aware. Such attacks are powerful and very expensive to defend against. Since the vulnerability is not known in advance, there is no reliable way to guard against zero-day attacks before they happen. Attackers take advantage of the unknown nature of zero-day exploits and use them in conjunction with highly sophisticated, targeted attacks to remain stealthy with respect to standard intrusion detection techniques. This paper presents a novel combination of anomaly-, behavior- and signature-based techniques for detecting such zero-day attacks. The proposed approach detects obfuscated zero-day attacks through a two-level evaluation, generates a new signature automatically, and updates other sensors by using push technology via a global hotfix feature.
