Patrol: Revealing Zero-Day Attack Paths through Network-Wide System Object Dependencies

Dai, Jun; Sun, Xiaoyan; Liu, Peng

doi:10.1007/978-3-642-40203-6_30

Cited by 18 publications

(10 citation statements)

References 14 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…In literature [49], a model called System Object Dependency Graph (SOGD) is proposed to reveal zero-day attack paths. Nodes in SODG represent system objects, such as files, processes and sockets.…”

Section: A System Object Dependency Graph (Sodg)mentioning

confidence: 99%

“…System Object Dependency Graph [49]: If the system call trace for the i − th host is denoted as i , then the SODG for the host is a directed graph G(V i , E i ), where:…”

Section: A System Object Dependency Graph (Sodg)mentioning

confidence: 99%

“…Next, to obtain the complete SODG, different SODGs should be connected together if and only if there is at least one same directed edge that appears in different graphs simultaneously. Since it is difficult to discover zero-day vulnerabilities alone, zero-day attacks are identified by calculating the risk probability of Suspicious Intrusion Propagation Paths (SIPPs) [49]. SIPPs can be divided into path metric, and the definition of SIPPs is given below.…”

Section: ) Applying Sodg To Uvramentioning

confidence: 99%

“…SIPPs can be divided into path metric, and the definition of SIPPs is given below. Suspicious Intrusion Propagation Paths [49]: If the networkwide SODG is denoted as ∪G( and E = E ∪ {(obj → obj )}. lat(obj ) maintains the latest access time to obj by edges in E ;…”

Section: ) Applying Sodg To Uvramentioning

confidence: 99%

See 3 more Smart Citations

Unknown Vulnerability Risk Assessment Based on Directed Graph Models: A Survey

2019

IEEE Access

View full text Add to dashboard Cite

Nowadays, vulnerability attacks occur frequently. Due to the information asymmetry between attackers and defenders, vulnerabilities can be divided into known and unknown. Existing researches mainly focus on the risk assessment of known vulnerabilities. However, unknown vulnerabilities are more threatening and harder to detect. Therefore, unknown vulnerability risk assessment deserves the widespread attention. To model the exploit process, directed graph models are applied to vulnerability risk assessment. And security metrics are used to quantify the exploitability of vulnerabilities. In this paper, according to the data source of nodes, related works of unknown vulnerability risk assessment based on directed graph models are divided into two types. One is based on network-level data, the other is based on system-level data. The former is to visualize the network status, while the latter is to reflect the running process of the system. The concept and purpose of these directed graph models are given at first. Then, these models are analyzed from three aspects, including advantages, flaws and solutions. After that, challenges and solutions of unknown vulnerability risk assessment based on directed graph models are given. Meantime, security metrics for unknown vulnerability risk assessment based on directed graph models are summarized and classified. Finally, future work directions of unknown vulnerability risk assessment are discussed from the perspective of techniques and application trends. Consequently, this paper can fill in the lack of current survey on unknown vulnerability risk assessment based on directed graph models. INDEX TERMS Directed graph model, risk assessment, security metric, unknown vulnerability.

show abstract

Section: A System Object Dependency Graph (Sodg)mentioning

confidence: 99%

“…System Object Dependency Graph [49]: If the system call trace for the i − th host is denoted as i , then the SODG for the host is a directed graph G(V i , E i ), where:…”

Section: A System Object Dependency Graph (Sodg)mentioning

confidence: 99%

Section: ) Applying Sodg To Uvramentioning

confidence: 99%

Section: ) Applying Sodg To Uvramentioning

confidence: 99%

See 2 more Smart Citations

Unknown Vulnerability Risk Assessment Based on Directed Graph Models: A Survey

2019

IEEE Access

View full text Add to dashboard Cite

show abstract

“…Our work lands on a different cloud environment and takes a reverse strategy by using BN to infer the stealthy bridges, which are unknown in nature. In the future, the inference of stealthy bridges can be further extended to identify the zero-day attack paths in cloud, as in [10] for traditional networks.…”

Section: Related Workmentioning

confidence: 99%

Probabilistic Inference of the Stealthy Bridges between Enterprise Networks in Cloud

Sun¹,

Dai²,

Singhal³

et al. 2018

ICST Transactions on Security and Safety

Self Cite

View full text Add to dashboard Cite

Cloud computing, with the paradigm of computing as a utility, has the potential to significantly tranform the IT industry. Attracted by the high efficiency, low cost, and great flexibility of cloud, enterprises began to migrate large parts of their networks into cloud. The cloud becomes a public space where multiple "tenants" reside. Except for some public services, the enterprise networks in cloud should be absolutely isolated from each other. However, some "stealthy bridges" could be established to break such isolation due to two features of the public cloud: virtual machine image sharing and virtual machine co-residency. This paper proposes to use cross-layer Bayesian networks to infer the stealthy bridges existing between enterprise network islands. Cloud-level attack graphs are firstly built to capture the potential attacks enabled by stealthy bridges and reveal hidden possible attack paths. Cross-layer Bayesian networks are then constructed to infer the probability of stealthy bridge existence. The experiment results show that the cross-layer Bayesian networks are capable of inferring the existence of stealthy bridges given supporting evidence from other intrusion steps in a multi-step attack.

show abstract