A Hybrid Real-time Zero-day Attack Detection and Analysis System

Full Text (PDF, 668KB), PP.19-31


Ratinder Kaur 1,*, Maninder Singh 1

1. Computer Science and Engineering Department, Thapar University, Patiala, 147004, India

* Corresponding author.

DOI: https://doi.org/10.5815/ijcnis.2015.09.03

Received: 16 Dec. 2014 / Revised: 10 Mar. 2015 / Accepted: 11 May 2015 / Published: 8 Aug. 2015

Index Terms

Zero-day Attacks, Unknown Attacks, Intrusion Detection, One-Class SVM, Malware Analysis, Network Security


A zero-day attack poses a serious threat to Internet security because it exploits a zero-day vulnerability, a flaw in a computer system for which no patch or detection signature yet exists. Attackers take advantage of the unknown nature of zero-day exploits and use them in conjunction with highly sophisticated, targeted attacks to remain stealthy with respect to standard intrusion detection techniques, which makes such attacks difficult to defend against. Existing research exhibits various shortcomings and does not provide a complete solution for the detection and analysis of zero-day attacks. This paper presents a novel hybrid system that integrates anomaly-, behavior- and signature-based techniques to detect and analyze zero-day attacks in real time. Its layered and modular design helps to achieve high performance, flexibility and scalability. The system is implemented and evaluated against standard metrics: True Positive Rate (TPR), False Positive Rate (FPR), F-Measure, Total Accuracy (ACC) and the Receiver Operating Characteristic (ROC) curve. The results show a high detection rate with nearly zero false positives. Additionally, the proposed system is compared with a Honeynet system.
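The following script is an added illustration of the layered evaluation the abstract describes; it is not code from the paper. It runs a signature stage and an anomaly stage over constructed payloads, combines them as the hybrid does (either stage firing is an alert), and computes the metrics the abstract names (TPR, FPR, F-Measure, ACC and a ROC curve with its area). Assumptions: the anomaly stage is a byte-entropy k-sigma outlier test fitted on benign traffic only, standing in for the paper's One-Class SVM; the behavior stage is omitted; SIGNATURES, BENIGN and ATTACKS are constructed stand-ins, not the paper's rules or data.

```python
"""Signature + anomaly hybrid over constructed payloads, scored with TPR, FPR,
F-Measure, ACC and ROC/AUC. Added example, not the paper's implementation.
Assumptions: entropy k-sigma test stands in for the One-Class SVM; behaviour
stage omitted; SIGNATURES, BENIGN and ATTACKS are constructed."""
import math
from typing import Dict, List, Tuple

# Hypothetical Snort-style content patterns (stand-ins for real rules).
SIGNATURES = [b"/bin/sh", b"\x90" * 4]


def signature_match(payload: bytes) -> bool:
    """Misuse stage: true if any known content pattern occurs in the payload."""
    return any(sig in payload for sig in SIGNATURES)


def byte_entropy(payload: bytes) -> float:
    """Shannon entropy in bits per byte of the payload's byte histogram."""
    n = len(payload)
    counts: Dict[int, int] = {}
    for b in payload:
        counts[b] = counts.get(b, 0) + 1
    return -sum(c / n * math.log2(c / n) for c in counts.values())


class EntropyAnomalyModel:
    """One-class stand-in: fit on benign traffic only, flag k-sigma outliers."""

    def __init__(self, k: float = 3.0) -> None:
        self.k, self.mean, self.std = k, 0.0, 0.0

    def fit(self, benign: List[bytes]) -> "EntropyAnomalyModel":
        ents = [byte_entropy(p) for p in benign]
        self.mean = sum(ents) / len(ents)
        self.std = math.sqrt(sum((e - self.mean) ** 2 for e in ents) / len(ents))
        return self

    def score(self, payload: bytes) -> float:
        """Sigmas above the benign mean; higher means more anomalous."""
        return (byte_entropy(payload) - self.mean) / self.std if self.std else 0.0

    def is_anomalous(self, payload: bytes) -> bool:
        return self.score(payload) > self.k


def confusion(preds: List[bool], labels: List[bool]) -> Dict[str, int]:
    cm = {"tp": 0, "fp": 0, "tn": 0, "fn": 0}
    for p, l in zip(preds, labels):
        cm["tp" if p and l else "fp" if p else "fn" if l else "tn"] += 1
    return cm


def metrics(cm: Dict[str, int]) -> Dict[str, float]:
    """TPR, FPR, F-Measure and Total Accuracy from a confusion matrix."""
    tp, fp, tn, fn = cm["tp"], cm["fp"], cm["tn"], cm["fn"]
    tpr = tp / (tp + fn) if tp + fn else 0.0
    fpr = fp / (fp + tn) if fp + tn else 0.0
    prec = tp / (tp + fp) if tp + fp else 0.0
    f = 2 * prec * tpr / (prec + tpr) if prec + tpr else 0.0
    return {"TPR": tpr, "FPR": fpr, "F": f, "ACC": (tp + tn) / (tp + fp + tn + fn)}


def roc_curve(scores: List[float], labels: List[bool]) -> List[Tuple[float, float]]:
    """(FPR, TPR) points from sweeping the threshold over every observed score."""
    pts = [(0.0, 0.0)]
    for t in sorted(set(scores), reverse=True):
        m = metrics(confusion([s >= t for s in scores], labels))
        pts.append((m["FPR"], m["TPR"]))
    return pts


def auc(points: List[Tuple[float, float]]) -> float:
    """Trapezoidal area under a ROC curve."""
    pts = sorted(points)
    return sum((x1 - x0) * (y0 + y1) / 2 for (x0, y0), (x1, y1) in zip(pts, pts[1:]))


# Constructed traffic: plain HTTP requests as benign, four attack payloads.
BENIGN = [
    b"GET /index.html HTTP/1.1\r\nHost: example.com\r\n\r\n",
    b"GET /about HTTP/1.1\r\nHost: example.com\r\n\r\n",
    b"POST /login HTTP/1.1\r\nHost: example.com\r\n\r\nuser=alice&pass=secret",
    b"GET /images/logo.png HTTP/1.1\r\nHost: example.com\r\n\r\n",
    b"GET /robots.txt HTTP/1.1\r\nHost: example.com\r\n\r\n",
    b"GET /search?q=hybrid+ids HTTP/1.1\r\nHost: example.com\r\n\r\n",
]
ATTACKS = [
    b"GET /cgi-bin/x HTTP/1.1\r\n\r\n" + b"\x90" * 16 + b"/bin/sh",  # NOP sled: signature hit, low entropy
    b"POST /upload HTTP/1.1\r\n\r\n/bin/sh -c id",                  # plain text: signature hit only
    b"GET /a HTTP/1.1\r\n\r\n" + bytes(range(256)),                 # encoded, no signature: anomaly only
    b"GET /b HTTP/1.1\r\n\r\n" + bytes(range(255, -1, -1)),         # encoded, no signature: anomaly only
]


def evaluate(k: float = 3.0) -> Dict[str, Dict[str, float]]:
    """Score signature-only, anomaly-only and the hybrid (signature OR anomaly)."""
    model = EntropyAnomalyModel(k).fit(BENIGN)  # one-class: benign data only
    samples = [(p, False) for p in BENIGN] + [(p, True) for p in ATTACKS]
    labels = [is_attack for _, is_attack in samples]
    sig = [signature_match(p) for p, _ in samples]
    ano = [model.is_anomalous(p) for p, _ in samples]
    hyb = [a or b for a, b in zip(sig, ano)]
    out = {n: metrics(confusion(p, labels)) for n, p in (("signature", sig), ("anomaly", ano), ("hybrid", hyb))}
    out["anomaly"]["AUC"] = auc(roc_curve([model.score(p) for p, _ in samples], labels))
    return out


if __name__ == "__main__":
    for name, m in evaluate().items():
        print(name, {key: round(v, 3) for key, v in m.items()})
```

Each stage alone misses something: the signature stage cannot see the two encoded payloads, and the entropy stage cannot see the NOP sled, whose repeated byte lowers entropy below the benign baseline; only the union reaches TPR 1.0. The caveat a reader should carry to any "nearly zero false positives" claim is visible here too: the benign samples that fit the baseline are the same ones being scored, and a k-sigma rule with k = 3 cannot flag any of its own six training points (the largest possible z-score among n points is sqrt(n - 1)), so FPR is zero by construction. A credible FPR comes only from held-out benign traffic.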

Cite This Paper

Ratinder Kaur, Maninder Singh, "A Hybrid Real-time Zero-day Attack Detection and Analysis System", International Journal of Computer Network and Information Security (IJCNIS), vol. 7, no. 9, pp. 19-31, 2015. DOI: 10.5815/ijcnis.2015.09.03
