Efficient Zero-day Attacks Detection Techniques
Abstract
The root cause of any security loophole in any kind of network lies within the developer's realm. Because security is not seriously considered in the software development effort, more and more vulnerabilities are discovered every single day. Software vulnerabilities are of two types: known and unknown. Known vulnerabilities are those which have been identified and fixed. Unknown vulnerabilities, on the other hand, are those for which there is no prior knowledge of the flaw and therefore no patch or fix is available. These are also known as zero-day vulnerabilities, and they are extremely dangerous and unpredictable. Zero-day vulnerabilities provide a backdoor into any operating system or application and represent a serious threat. A cyber attack that targets or exploits one or more zero-day vulnerabilities is known as a zero-day attack.
The major contribution of the thesis is a system called RADAR, which stands for Real-time Zero-day Attack Detection Analysis and Reporting system. RADAR uses a hybrid approach and is capable of detecting zero-day attacks. It does so by identifying benign traffic based on important traffic features and creating a baseline from which unknown deviations are sought. RADAR also implements a stub to analyze the zero-day binary in parallel. The analysis and reporting stub integrates existing malware analysis functionalities and utilities in a component-based architecture.
RADAR demonstrates the following main features: (a) Bridging the gap between the detection and analysis phases to deliver the first inclusive behavioral report about a zero-day attack. (b) Combining the features of existing zero-day attack detection techniques (anomaly detection, signature-based detection and behavior-based detection) to offer better sensitivity and specificity. (c) A layered architecture in which each layer is dedicated to a single functionality and works in parallel to improve system performance: the detection layer uses machine learning to detect zero-day attacks; the analysis layer combines static and dynamic malware analysis functionality to analyze the captured binary, and step-by-step manual analysis can also be performed to help the malware analyst in case manual intervention is required; the resource layer supports the working of the above two layers. (d) Kernel-based monitoring to track system objects reliably during dynamic analysis. (e) Comprehensive reports on zero-day malware behavior in HTML and PDF format.
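As an added illustration of the hybrid detection idea described above (this is not RADAR's code and is not taken from the thesis), the following Python sketches how a detection layer can learn a baseline of benign traffic features and then flag unknown deviations, while still checking known signatures first. The feature names, the z-score threshold, the sample flow records and the signature strings are all constructed assumptions for the demonstration; the abstract does not state which features or models RADAR actually uses.

```python
"""Baseline-plus-deviation detection combined with a signature check.

Added example, not part of the thesis. Every feature name, threshold and
data value below is a constructed assumption.
"""
import math
from statistics import mean, pstdev

# Assumed traffic features summarised per flow (constructed names).
FEATURES = ("bytes_per_sec", "pkts_per_sec", "avg_pkt_len", "flow_duration")

# Constructed benign flow records standing in for a learning period.
BENIGN_FLOWS = [
    {"bytes_per_sec": 1000, "pkts_per_sec": 10, "avg_pkt_len": 100, "flow_duration": 5},
    {"bytes_per_sec": 1200, "pkts_per_sec": 12, "avg_pkt_len": 110, "flow_duration": 6},
    {"bytes_per_sec": 1100, "pkts_per_sec": 11, "avg_pkt_len": 90, "flow_duration": 4},
    {"bytes_per_sec": 900, "pkts_per_sec": 9, "avg_pkt_len": 100, "flow_duration": 5},
    {"bytes_per_sec": 1300, "pkts_per_sec": 13, "avg_pkt_len": 105, "flow_duration": 7},
    {"bytes_per_sec": 1000, "pkts_per_sec": 10, "avg_pkt_len": 95, "flow_duration": 3},
    {"bytes_per_sec": 1100, "pkts_per_sec": 11, "avg_pkt_len": 100, "flow_duration": 5},
    {"bytes_per_sec": 1200, "pkts_per_sec": 12, "avg_pkt_len": 100, "flow_duration": 5},
]

# Constructed signature list standing in for the signature-based layer.
KNOWN_BAD_PATTERNS = [b"CONSTRUCTED-BAD-PATTERN-1", b"CONSTRUCTED-BAD-PATTERN-2"]


def build_baseline(flows):
    """Learn per-feature (mean, population stdev) from benign flows."""
    return {f: (mean(r[f] for r in flows), pstdev(r[f] for r in flows)) for f in FEATURES}


def deviation_scores(flow, baseline):
    """Absolute z-score of each feature against the learned baseline.

    A feature that never varied during learning has stdev 0: an exact match
    is no deviation at all, any other value is an unbounded deviation.
    """
    scores = {}
    for f in FEATURES:
        mu, sd = baseline[f]
        diff = abs(flow[f] - mu)
        if sd > 0:
            scores[f] = diff / sd
        else:
            scores[f] = 0.0 if diff == 0 else math.inf
    return scores


def classify(flow, baseline, threshold=3.0):
    """Hybrid verdict: known signature first, then anomaly against baseline.

    Returns (verdict, detail) where verdict is "known", "anomaly" or "benign"
    and detail names the matching signature or the most deviating feature.
    """
    payload = flow.get("payload", b"")
    for pattern in KNOWN_BAD_PATTERNS:
        if pattern in payload:
            return "known", {"signature": pattern.decode()}
    scores = deviation_scores(flow, baseline)
    worst = max(scores, key=scores.get)
    verdict = "anomaly" if scores[worst] > threshold else "benign"
    return verdict, {"feature": worst, "z": round(scores[worst], 2)}


def run_demo():
    """Score three constructed flows against the benign baseline."""
    baseline = build_baseline(BENIGN_FLOWS)
    samples = {
        "benign": {"bytes_per_sec": 1150, "pkts_per_sec": 11, "avg_pkt_len": 100, "flow_duration": 5},
        "anomaly": {"bytes_per_sec": 9000, "pkts_per_sec": 40, "avg_pkt_len": 100, "flow_duration": 5},
        "known": {"bytes_per_sec": 1150, "pkts_per_sec": 11, "avg_pkt_len": 100, "flow_duration": 5,
                  "payload": b"...CONSTRUCTED-BAD-PATTERN-1..."},
    }
    return {name: classify(flow, baseline) for name, flow in samples.items()}


if __name__ == "__main__":
    for name, (verdict, detail) in run_demo().items():
        print(f"{name:8s} {verdict:8s} {detail}")
```

The ordering matters for the report the abstract describes: a signature hit yields a definite label, whereas an anomaly verdict only says which feature moved furthest from the baseline, which is the kind of lead a subsequent analysis layer would then confirm with static and dynamic inspection of the captured binary.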
RADAR is implemented and evaluated against various standard IDS evaluation metrics. The results show high sensitivity and specificity. In this research work, the reports generated by RADAR are also compared to the information provided by online virus and behavioral scan engines. The results have been published to the research community in the form of peer-reviewed journal and conference publications.
Description
PHD, CSED
