Design and Analysis of a Hybrid Security Framework for Zero-Day Attack Research

By: Mohamed Hasan

Summary of Design and Analysis of a Hybrid Security Framework for Zero-Day Attack Research

International Journal of Applied Engineering Research ISSN 0973-4562 Volume 14, Number 15, 2019

Dehkontee Chea Cuppah, Ambrish G. & M. Hanumanthappa.

Abstract

The greatest threats against computer systems around the world come from cyberspace in the form of cyber-attacks, and the zero-day attack is one such threat. A vulnerability in system firmware, software, or hardware that is still unknown to the developers or people responsible for it is known as a zero-day vulnerability. A zero-day attack is an attack by hackers in which zero-day exploits are applied to a zero-day vulnerability in system firmware, software or hardware before specific security and preventive mechanisms can be identified and set for that vulnerability. This kind of attack is very challenging to defend against because those responsible for the security of such vulnerabilities are unaware of them. Preventing zero-day attacks before they cause more damage to the system is a big problem that computer security personnel face. This research will seek to identify ways in which zero-day attacks can be identified in real time by using a hybrid model that will be proposed.

Definition of terms

Zero-day attack: an attack by hackers in which zero-day exploits are applied to a zero-day vulnerability in system firmware, software or hardware before specific security and preventive mechanisms can be identified and set for that vulnerability.

Zero-day exploit: an exploit that is meant to trigger a zero-day vulnerability to gain access to a target system.

Zero-day vulnerability: a vulnerability in system firmware, software, or hardware that is still unknown to the developers or people responsible for it.

Introduction

As the world is transitioning to a global village, the use of network services and devices has grown rapidly over the years, and such use also brings great security challenges. Computer systems regularly face new security challenges as new devices and software are introduced into them; these devices or software may include unexpected vulnerabilities that widely accepted or well-known security methods may not be able to identify, thus compromising the system's overall security.

A system that is susceptible to zero-day attacks cannot be considered secure. Zero-day attacks are more dangerous to a system than most attacks because they exploit unknown vulnerabilities in the system. A zero-day attack can cause grave harm throughout the system because patches for the vulnerabilities being exploited are unavailable. Due to the less predictable nature of these vulnerabilities, the security risk level associated with them can be difficult to measure.

Hint:

In 2015, a new zero-day vulnerability was found each week, on average.

Current defences against zero-day attacks:

All networks that are connected to the internet have a common threat of zero-day attacks.

Some of the reasons behind these attacks are:

- Stealing confidential information.

- Disrupting activities on the system or monitoring the target's network.

Security personnel and researchers have broadly classified the current defence techniques into four categories:

The statistical-based technique

It determines, from a profile built from past activity, which network traffic or activities to allow and which to block.

The downside to this technique is that profiles created from log information are static, so it cannot detect a zero-day attack in real time if that attack has not already been recorded in the log.

Signature-based

It is mostly used in antivirus software packages to defend a network or system from malicious attacks in the form of worms or Trojan horses.

The signature-based detection technique is sub-divided into three categories:

- Vulnerability-driven signatures

- Content-based signatures

- Semantic-based signatures

The downside to this technique is that the signature of the attack or payload needs to be in the signature library before the system can detect it; since zero-day attacks have no known signatures, this technique is not effective in defending against them.

Behaviour-based technique

This technique tries to predict how traffic flows on a network. The aim is to predict network behaviour in order to detect and prevent anomalous network traffic. The prediction can be achieved with the help of a machine learning approach that analyses current and past network activity on the victim machine, web server or server.

This is the only technique that can determine the major characteristics of viruses or worms by examining the byte patterns of the payload.

Hybrid-based technique

It is obtained by combining two or more of the three defence techniques listed above. The aim of combining them is to use the strengths of one technique to overcome the weaknesses of another.

Proposed Hybrid Model:

The proposed framework will combine the signature-based technique and the behaviour-based technique. It will monitor the traffic flow coming into the network to determine whether that traffic contains malicious threats.

Benefits of the Signature-Behaviour based Hybrid Model:

It strengthens the signature-based technique and the behaviour-based technique by combining the advantages of both techniques to minimize the disadvantages of each.

This technique will be able to detect zero-day attacks in real time and will also be able to contain them before major harm is done.
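The signature-plus-behaviour pipeline the summary describes, as an added example that is not code from the paper or this post: incoming flows pass a signature stage first (known threats) and then a behaviour stage that scores them against a baseline learned from past traffic, so a flow with no known signature can still be blocked (the zero-day case). The rule names, byte patterns, flow fields, baseline history and the z-score threshold are all constructed assumptions.

```python
import re
from dataclasses import dataclass
from statistics import mean, pstdev

# Constructed signature library: illustrative byte patterns, not real IDS rules.
SIGNATURES = {
    "worm-marker": re.compile(rb"WORM-PAYLOAD/1\.0"),
    "trojan-beacon": re.compile(rb"BEACON-ID=[0-9a-f]{8}"),
}
# Constructed history of bytes sent per flow by one host; the behaviour baseline.
PAST_TRAFFIC = [1200, 1350, 1100, 1280, 1190, 1420, 1300]


@dataclass
class Flow:
    src: str
    bytes_out: int
    payload: bytes


def signature_check(flow: Flow):
    """Signature-based stage: name of the first matching rule, or None."""
    for name, pattern in SIGNATURES.items():
        if pattern.search(flow.payload):
            return name
    return None


class BehaviourProfile:
    """Behaviour-based stage: z-score of bytes_out against a learned baseline."""
    def __init__(self, history):
        self.mu = mean(history)
        self.sigma = pstdev(history) or 1.0  # guard against a flat history

    def anomaly_score(self, flow: Flow) -> float:
        return (flow.bytes_out - self.mu) / self.sigma


def hybrid_verdict(flow: Flow, profile: BehaviourProfile, threshold: float = 3.0):
    """Signature hit blocks; else a behaviour anomaly above threshold blocks; else allow."""
    rule = signature_check(flow)
    if rule is not None:
        return ("block", f"signature:{rule}")
    score = profile.anomaly_score(flow)
    if score > threshold:
        return ("block", f"behaviour:z={score:.1f}")
    return ("allow", "clean")


if __name__ == "__main__":
    profile = BehaviourProfile(PAST_TRAFFIC)
    for f in (Flow("10.0.0.5", 1250, b"GET /index.html"),
              Flow("10.0.0.5", 1220, b"BEACON-ID=deadbeef"),
              Flow("10.0.0.5", 48000, b"POST /upload unseen-tool")):
        print(f.src, f.bytes_out, hybrid_verdict(f, profile))
```

The third flow carries no known signature and would pass a pure signature-based defence; only the behaviour stage flags it.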
