Effective Defence Against Zero-Day Exploits Using Bayesian Networks

Li, Tingting; Hankin, Chris

doi:10.1007/978-3-319-71368-7_11

Cited by 8 publications

(12 citation statements)

References 14 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…On the validity issue of CVE/NVD, Johnson et al conducted the assessment of several well-known vulnerability databases and concluded that NVD was actually the most trustworthy database [20]; we used NVD in this paper. Some existing work [15] [16] [21] studied malware propagation based on attack graphs to assess the risk of malware along with specific attack paths and network topology. Attack graphs have been extensively studied in the community to express the exploitation conditions of vulnerabilities.…”

Section: Related Workmentioning

confidence: 99%

Scalable Approach to Enhancing ICS Resilience by Network Diversity

Feng

Hankin

2020

2020 50th Annual IEEE/IFIP International Conference on Dependable Systems and Networks (DSN)

Self Cite

View full text Add to dashboard Cite

Network diversity has been widely recognized as an effective defense strategy to mitigate the spread of malware. Optimally diversifying network resources can improve the resilience of a network against malware propagation. This work proposes a scalable method to compute such an optimal deployment, in the context of upgrading a legacy Industrial Control System with modern IT infrastructure. Our approach can tolerate various constraints when searching for optimal diversification, such as outdated products and strict configuration policies. We explicitly measure the vulnerability similarity of products based on the CVE/NVD, to estimate the infection rate of malware between products. A Stuxnet-inspired case demonstrates our optimal diversification in practice, particularly when constrained by various requirements. We then measure the improved resilience of the diversified network in terms of a well-defined diversity metric and Meantime to compromise (MTTC), to verify the effectiveness of our approach. Finally, we show the competitive scalability of our approach in finding optimal solutions within a couple of seconds to minutes for networks of large scales (up to 10,000 hosts) and high densities (up to 240,000 edges).

show abstract

Section: Related Workmentioning

confidence: 99%

Scalable Approach to Enhancing ICS Resilience by Network Diversity

Feng

Hankin

2020

2020 50th Annual IEEE/IFIP International Conference on Dependable Systems and Networks (DSN)

Self Cite

View full text Add to dashboard Cite

show abstract

“…detecting anomalous behaviours of programs [24] [25] [26], botnet detection [27] and intrusion detection in Internet of Things [28]. Although conventional defensive measures may be adapted and strategically deployed to protect ICS from cyber attacks [29] [30], there are several difficulties that hinder this tactic. The survey paper [31] provides a taxonomy and metrics for SCADA-specific intrusion detection and prevention systems.…”

Section: Related Workmentioning

confidence: 99%

Multi-level Anomaly Detection in Industrial Control Systems via Package Signatures and LSTM Networks

Feng

Chana

2017

2017 47th Annual IEEE/IFIP International Conference on Dependable Systems and Networks (DSN)

Self Cite

183

105

View full text Add to dashboard Cite

We outline an anomaly detection method for industrial control systems (ICS) that combines the analysis of network package contents that are transacted between ICS nodes and their time-series structure. Specifically, we take advantage of the predictable and regular nature of communication patterns that exist between so-called field devices in ICS networks. By observing a system for a period of time without the presence of anomalies we develop a base-line signature database for general packages. A Bloom filter is used to store the signature database which is then used for package content level anomaly detection. Furthermore, we approach time-series anomaly detection by proposing a stacked Long Short Term Memory (LSTM) networkbased softmax classifier which learns to predict the most likely package signatures that are likely to occur given previously seen package traffic. Finally, by the inspection of a real dataset created from a gas pipeline SCADA system, we show that an anomaly detection scheme combining both approaches can achieve higher performance compared to various current stateof-the-art techniques.

show abstract

“…In literature [34], tolerance is defined as a metric to capture the required zero-day attack effort. However, they only consider individual zero-day weakness under different targets and ignore the multiple zero-day exploits.…”

Section: ) Applying Ag To Uvramentioning

confidence: 99%

“…With the consideration of temporal metrics of CVSS, Equation (29) and (30) are changed to (34) and (35). The definition of Bayesian decision network is given after (35).…”

Section: The Nodes In the First Slice Of A 2tbn Do Not Have Any Parammentioning

confidence: 99%

“…To investigate the possibility of improving the tolerance for Industrial Control Systems (ICSs) with zero-day attack by defending against known weakness, in literature [34], a model called Bayesian Risk Network (BRN) is proposed. In this model, nodes represent different meanings, including target nodes, attack nodes and requirement nodes.…”

Section: ) Applying Bn To Uvramentioning

confidence: 99%

See 1 more Smart Citation

Unknown Vulnerability Risk Assessment Based on Directed Graph Models: A Survey

2019

IEEE Access

View full text Add to dashboard Cite

Nowadays, vulnerability attacks occur frequently. Due to the information asymmetry between attackers and defenders, vulnerabilities can be divided into known and unknown. Existing researches mainly focus on the risk assessment of known vulnerabilities. However, unknown vulnerabilities are more threatening and harder to detect. Therefore, unknown vulnerability risk assessment deserves the widespread attention. To model the exploit process, directed graph models are applied to vulnerability risk assessment. And security metrics are used to quantify the exploitability of vulnerabilities. In this paper, according to the data source of nodes, related works of unknown vulnerability risk assessment based on directed graph models are divided into two types. One is based on network-level data, the other is based on system-level data. The former is to visualize the network status, while the latter is to reflect the running process of the system. The concept and purpose of these directed graph models are given at first. Then, these models are analyzed from three aspects, including advantages, flaws and solutions. After that, challenges and solutions of unknown vulnerability risk assessment based on directed graph models are given. Meantime, security metrics for unknown vulnerability risk assessment based on directed graph models are summarized and classified. Finally, future work directions of unknown vulnerability risk assessment are discussed from the perspective of techniques and application trends. Consequently, this paper can fill in the lack of current survey on unknown vulnerability risk assessment based on directed graph models. INDEX TERMS Directed graph model, risk assessment, security metric, unknown vulnerability.

show abstract

Effective Defence Against Zero-Day Exploits Using Bayesian Networks

Cited by 8 publications

References 14 publications

Scalable Approach to Enhancing ICS Resilience by Network Diversity

Scalable Approach to Enhancing ICS Resilience by Network Diversity

Multi-level Anomaly Detection in Industrial Control Systems via Package Signatures and LSTM Networks

Unknown Vulnerability Risk Assessment Based on Directed Graph Models: A Survey

Contact Info

Product

Resources

About