Zero-Day Attack


The experts below are selected from a list of 31899 experts worldwide, ranked by the ideXlab platform.

Peng Liu - One of the best experts on this subject based on the ideXlab platform.

  • Using Bayesian Networks for Probabilistic Identification of Zero-Day Attack Paths
    IEEE Transactions on Information Forensics and Security, 2018
    Co-Authors: Xiaoyan Sun, Jun Dai, Peng Liu, Anoop Singhal, John Yen
    Abstract:

    Enforcing a variety of security measures (such as intrusion detection systems, and so on) can provide a certain level of protection to computer networks. However, such security practices often fall short in the face of zero-day attacks. Due to the information asymmetry between attackers and defenders, detecting zero-day attacks remains a challenge. Instead of targeting individual zero-day exploits, revealing them on an attack path is a substantially more feasible strategy. Such attack paths that go through one or more zero-day exploits are called zero-day attack paths. In this paper, we propose a probabilistic approach and implement a prototype system, ZePro, for zero-day attack path identification. In our approach, a zero-day attack path is essentially a graph. To capture the zero-day attack, a dependency graph named the object instance graph is first built as a supergraph by analyzing system calls. To further reveal the zero-day attack paths hidden in the supergraph, our system builds a Bayesian network based upon the instance graph. By taking intrusion evidence as input, the Bayesian network is able to compute the probabilities of object instances being infected. Connecting the high-probability instances through dependency relations forms a path, which is the zero-day attack path. The experiment results demonstrate the effectiveness of ZePro for zero-day attack path identification.

  • Using Bayesian Networks to Fuse Intrusion Evidences and Detect Zero-Day Attack Paths
    Network Security Metrics, 2017
    Co-Authors: Xiaoyan Sun, Jun Dai, Peng Liu, Anoop Singhal, John Yen
    Abstract:

    This chapter studies the zero-day attack path identification problem. Detecting zero-day attacks is a fundamental challenge faced by enterprise network security defense. A multi-step attack involving one or more zero-day exploits forms a zero-day attack path. This chapter describes a prototype system called ZePro, which takes a probabilistic approach to zero-day attack path identification. ZePro first constructs a network-wide system object instance graph by parsing system calls collected from all hosts in the network, and then builds a Bayesian network on top of the instance graph. The instance-graph-based Bayesian network is able to incorporate the collected intrusion evidence and infer the probabilities of object instances being infected. By connecting the instances with high probabilities, ZePro is able to generate the zero-day attack paths. This chapter evaluates the effectiveness of ZePro for zero-day attack path identification.

  • Theory and Models for Cyber Situation Awareness - Enterprise-Level Cyber Situation Awareness
    Theory and Models for Cyber Situation Awareness, 2017
    Co-Authors: Xiaoyan Sun, Jun Dai, Anoop Singhal, Peng Liu
    Abstract:

    This chapter begins with a literature review of situation awareness (SA) concepts and a study of how to apply SA to the cyber field for enterprise-level network security diagnosis. Having found that an isolation problem exists between the individual perspectives of different technologies, this chapter introduces a cyber SA model named SKRM, which is proposed to integrate the isolated perspectives into one framework. Based on one of the SKRM layers, the Operating System Layer, this chapter presents a runtime system named Patrol that reveals zero-day attack paths in enterprise-level networks. To overcome the limitations of Patrol and achieve better accuracy and efficiency, this chapter further illustrates the use of Bayesian networks at the operating-system level to reveal zero-day attack paths in a probabilistic way.

  • CNS - Towards probabilistic identification of Zero-Day Attack paths
    2016 IEEE Conference on Communications and Network Security (CNS), 2016
    Co-Authors: Xiaoyan Sun, Jun Dai, Peng Liu, Anoop Singhal, John Yen
    Abstract:

    Zero-day attacks continue to challenge enterprise network security defense. A zero-day attack path is formed when a multi-step attack contains one or more zero-day exploits. Detecting zero-day attack paths in time could enable early disclosure of zero-day threats. In this paper, we propose a probabilistic approach to identifying zero-day attack paths and implement a prototype system named ZePro. An object instance graph is first built from system calls to capture the intrusion propagation. To further reveal the zero-day attack paths hiding in the instance graph, our system constructs an instance-graph-based Bayesian network. By leveraging intrusion evidence, the Bayesian network can quantitatively compute the probabilities of object instances being infected. The object instances with high infection probabilities reveal themselves and form the zero-day attack paths. The experiment results show that our system can effectively identify zero-day attack paths.

  • ESORICS - Patrol: Revealing Zero-Day Attack Paths through Network-Wide System Object Dependencies
    Lecture Notes in Computer Science, 2013
    Co-Authors: Jun Dai, Xiaoyan Sun, Peng Liu
    Abstract:

    Identifying attack paths in an enterprise network is strategically necessary and critical for security defense. However, there have been insufficient efforts in studying how to identify an attack path that goes through unknown security holes. In this paper, we define such attack paths as zero-day attack paths and propose a prototype system named Patrol to identify them at runtime. Using system calls, Patrol builds a network-wide system object dependency graph that captures dependency relations between OS objects, and identifies suspicious intrusion propagation paths in it as candidate zero-day attack paths through forward and backward tracking from intrusion symptoms. Patrol further identifies highly suspicious candidates among these paths by recognizing indicators of unknown vulnerability exploitations along the paths through rule-based checking. Our evaluation shows that Patrol can work accurately and effectively at runtime with an acceptable performance overhead.

Xiaoyan Sun - One of the best experts on this subject based on the ideXlab platform.

  • Publications: the same five entries listed under Peng Liu above (all co-authored by Xiaoyan Sun).

Maninder Singh - One of the best experts on this subject based on the ideXlab platform.

  • Hybrid Real-time Zero-Day Malware Analysis and Reporting System
    International Journal of Information Technology and Computer Science, 2016
    Co-Authors: Ratinder Kaur, Maninder Singh
    Abstract:

    There is really no automated way to completely understand the malicious intents of a zero-day malware. There is no single best approach to malware analysis, so it is necessary to combine existing static, dynamic and manual malware analysis techniques in a single unit. In this paper a hybrid real-time analysis and reporting system is presented. The proposed system integrates various malware analysis tools and utilities in a component-based architecture. The system automatically provides detailed results about the zero-day malware's behavior. The ultimate goal of this analysis and reporting is to gain a quick and brief understanding of the malicious activity performed by a zero-day malware while minimizing the time frame between the detection of a zero-day attack and the generation of a security solution. The results are of paramount value to a malware analyst performing zero-day malware detection and containment.

  • A Hybrid Real-time Zero-Day Attack Detection and Analysis System
    International Journal of Computer Network and Information Security, 2015
    Co-Authors: Ratinder Kaur, Maninder Singh
    Abstract:

    A zero-day attack poses a serious threat to Internet security, as it exploits zero-day vulnerabilities in computer systems. Attackers take advantage of the unknown nature of zero-day exploits and use them in conjunction with highly sophisticated and targeted attacks to achieve stealthiness with respect to standard intrusion detection techniques. Thus, it is difficult to defend against such attacks. Present research exhibits various issues and is not able to provide a complete solution for the detection and analysis of zero-day attacks. This paper presents a novel hybrid system that integrates anomaly-, behavior- and signature-based techniques for detecting and analyzing zero-day attacks in real time. It has a layered and modular design which helps to achieve high performance, flexibility and scalability. The system is implemented and evaluated against various standard metrics like True Positive Rate (TPR), False Positive Rate (FPR), F-Measure, Total Accuracy (ACC) and the Receiver Operating Characteristic (ROC) curve. The results show a high detection rate with nearly zero false positives. Additionally, the proposed system is compared with a Honeynet system.

  • CRiSIS - Two-Level Automated Approach for Defending Against Obfuscated Zero-Day Attacks
    Lecture Notes in Computer Science, 2015
    Co-Authors: Ratinder Kaur, Maninder Singh
    Abstract:

    A zero-day attack is one that exploits a vulnerability for which no patch is readily available and of which the developer or vendor may or may not be aware. They are very expensive and powerful attack tools to defend against. Since the vulnerability is not known in advance, there is no reliable way to guard against zero-day attacks before they happen. Attackers take advantage of the unknown nature of zero-day exploits and use them in conjunction with highly sophisticated and targeted attacks to achieve stealthiness with respect to standard intrusion detection techniques. This paper presents a novel combination of anomaly-, behavior- and signature-based techniques for detecting such zero-day attacks. The proposed approach detects obfuscated zero-day attacks with a two-level evaluation, generates a new signature automatically and updates other sensors by using push technology via a global hotfix feature.

  • SNDS - Automatic Evaluation and Signature Generation Technique for Thwarting Zero-Day Attacks
    Communications in Computer and Information Science, 2014
    Co-Authors: Ratinder Kaur, Maninder Singh
    Abstract:

    A zero-day attack is a cyber-attack which exploits vulnerabilities that have not been disclosed publicly. Zero-day attacks are very expensive and powerful attack tools. They are used in conjunction with highly sophisticated and targeted attacks to achieve stealthiness with respect to standard intrusion detection techniques. Zero-day attacks are unknown and have no signature, so they are difficult to detect. This paper presents a novel and efficient technique for detecting zero-day attacks. The proposed technique detects obfuscated zero-day attacks with a two-level evaluation, generates a signature for the new attack automatically and updates other sensors by using push technology via a global hotfix feature.

Jun Dai - One of the best experts on this subject based on the ideXlab platform.

  • Publications: the same five entries listed under Peng Liu above (all co-authored by Jun Dai).

Tunay I Tunca - One of the best experts on this subject based on the ideXlab platform.

  • Who Should Be Responsible for Software Security? A Comparative Analysis of Liability Policies in Network Environments
    Management Science, 2011
    Co-Authors: Terrence August, Tunay I Tunca
    Abstract:

    In recent years, vendor liability for software security vulnerabilities has been the center of an important debate in the software community and a topic gaining government attention in legislative committees and hearings. The importance of this question surrounding vendor security liability is amplified when one considers the increasing emergence of zero-day attacks, where hackers take advantage of vulnerabilities before the software vendor has a chance to release protective patches. In this paper, we compare the effectiveness of three software liability policies: vendor liability for damages, vendor liability for patching costs, and government-imposed security standards. We find that vendor liability for losses is not effective in improving social welfare in the short run, while liability for patching costs can be effective if either patching costs are large and the likelihood of a zero-day attack is low, or patching costs are small and zero-day likelihood is high. In the long run, when the vendor can invest in reducing the likelihood of security vulnerabilities, loss liability is still ineffective when the zero-day attack probability is high but can increase both vendor investment in security and social welfare when zero-day attack likelihood is sufficiently low. When the zero-day attack probability is high, patch liability is ineffective if user patching costs are large, but partial patch liability can boost vendor investment and improve welfare when patching costs are small. In contrast, in an environment with low zero-day attack probability, full vendor patch liability can be optimal. Finally, comparing the effectiveness of the three liability policies under study, we find that government-imposed standards on software security investment can be preferable to both patching and loss liability on the vendor if zero-day attack likelihood is sufficiently low. However, if zero-day attacks are a common occurrence and patching costs are not too high, partial patch liability is the most effective policy. This paper was accepted by Sandra Slaughter, information systems.

  • Who Should Be Responsible for Software Security? A Comparative Analysis of Liability Policies in Network Environments
    2010
    Co-Authors: Terrence August, Tunay I Tunca
    Abstract:

    In recent years, vendor liability for software security vulnerabilities has been the center of an important debate in the software community and a topic gaining government attention in legislative committees and hearings. The importance of this question surrounding vendor security liability is amplified when one considers the increasing emergence of "zero-day" attacks, where hackers take advantage of vulnerabilities before the software vendor has a chance to release protective patches. In this paper, we compare the effectiveness of three software liability policies: vendor liability for damages, vendor liability for patching costs, and government-imposed security standards. We find that vendor liability for losses is not effective in improving social welfare in the short run, while liability for patching costs can be effective if either patching costs are large and the likelihood of a zero-day attack is low, or patching costs are small and zero-day likelihood is high. In the long run, when the vendor can invest in reducing the likelihood of security vulnerabilities, loss liability is still ineffective when the zero-day attack probability is high but can increase both vendor investment in security and social welfare when zero-day attack likelihood is sufficiently low. When the zero-day attack probability is high, patch liability is ineffective if user patching costs are large, but partial patch liability can boost vendor investment and improve welfare when patching costs are small. In contrast, in an environment with low zero-day attack probability, full vendor patch liability can be optimal. Finally, comparing the effectiveness of the three liability policies under study, we find that government-imposed standards on software security investment can be preferable to both patching and loss liability on the vendor if zero-day attack likelihood is sufficiently low. However, if zero-day attacks are a common occurrence and patching costs are not too high, partial patch liability is the most effective policy.