Zero-day attacks continue to challenge the enterprise network security defense. A zero-day attack path is formed when a multi- step attack contains one or more zero-day exploits. Detecting zero-day attack paths in time could enable early disclosure of zero-day threats. In this paper, we propose a probabilistic approach to identify zero- day attack paths and implement a prototype system named Pr0bA. A System Object Instance Dependency Graph (SOIDG) is first built from system calls to capture the intrusion propagation. To further reveal the zero- day attack paths hiding in the SOIDG, our system constructs an SOIDG-based Bayesian network. By leveraging intrusion evidence, the Bayesian network can quantitatively compute the probabilities of object instances being infected. The object instances with high infection probabilities reveal themselves and form the candidate zero-day attack paths. The experiment results show that our system can successfully identify zero-day attack paths and the paths are of manageable size.
Conference Dates: October 17-19, 2016
Conference Location: Philadelphia, -1
Conference Title: 2016 IEEE Conference on Communications and Network Security (CNS)
Pub Type: Conferences
Zero Day Attack Paths, Object Dependency Graph, Bayesian Networks, Attack Graphs