A framework for contextual information fusion to detect cyber-attacks

Abstract

The focus of this research is a novel contextual approach to detecting zero-day cyber-attacks, generating possible zero-day attack signatures, and automatically measuring their risk to specific software components. In general, a zero-day attack exploits a software vulnerability that has not yet been discovered, called a zero-day vulnerability. This work proposes an approach to identify both zero-day attacks (in real time) and zero-day vulnerabilities by examining known software vulnerabilities. The proposed work is an innovative approach that automatically and efficiently extracts, processes, and takes advantage of contextual information to identify zero-day attacks and vulnerabilities. Contextual information (time, location, etc.) identifies the context that can be used to infer relations between entities, such as cyber-attacks. These relations are called contextual relations. We propose methods to generate zero-day attack signatures using graph-based contextual relations between (1) known attacks and (2) vulnerable software components. These are certainly hard problems to solve, and we doubt that incremental improvements in IDSs will result in a significant solution that drastically improves their effectiveness. Consequently, we propose a substantially different and novel approach: contextual relations, if used intelligently, can reduce the search space in IDSs so that zero-day attacks can be identified in a realistic and practical amount of time. There are several reasons that led us to investigate the use of contextual relations to detect zero-day attacks. First, traditional data mining and pattern recognition techniques lack the desired effectiveness because they analyze the data without using context. To better identify suspicious activities, direct and indirect contextual paths need to be identified among these activities. These are usually identified manually by domain experts (e.g., identifying relations between cyber-attacks). However, it is quite daunting and challenging to identify all possible relations via manual investigation. Second, several contextual relations need to be identified among vulnerabilities to predict which ones can lead to zero-day attacks and the software modules in which they are located, thus empowering us to generate possible signatures for these attacks.
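To make the idea of contextual relations and search-space reduction concrete, here is a small added illustration in Python. It is not the authors' framework or code; the event attributes (time, source network segment, targeted component), the 30-minute time window, the two-hop path rule, the weakness-class (CWE) matching, and all attack and vulnerability records are constructed assumptions for the example. A known-attack graph is built from shared context, an unclassified alert is linked to known attacks by direct (one-hop) and indirect (two-hop) contextual paths, and the components hit by those candidates are used to point at other components sharing the same weakness class, where an analogous, not-yet-reported vulnerability is worth examining.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Event:
    """A known attack instance or a not-yet-classified alert, with its context."""
    name: str
    when: datetime
    location: str   # network segment the activity came from (assumed context dimension)
    component: str  # software component it touched (assumed context dimension)


# Constructed sample data for illustration only; not from the paper.
T0 = datetime(2017, 3, 1, 10, 0)
KNOWN_ATTACKS = [
    Event("sqli-login", T0, "dmz", "webapp/login"),
    Event("upload-traversal", T0 + timedelta(minutes=20), "dmz", "webapp/upload"),
    Event("session-fixation", T0 + timedelta(minutes=40), "dmz", "webapp/session"),
    Event("admin-cmdinj", T0 + timedelta(minutes=60), "corp", "webapp/admin"),
    Event("ssh-bruteforce", T0 + timedelta(hours=5), "mgmt", "sshd"),
    Event("smb-exploit", T0 + timedelta(hours=6), "lan", "smbd"),
]

# Known vulnerabilities per component as (weakness class, description). Constructed.
KNOWN_VULNS = {
    "webapp/login": [("CWE-89", "SQL injection in login form")],
    "webapp/upload": [("CWE-22", "path traversal in upload handler")],
    "webapp/admin": [("CWE-78", "OS command injection in admin task runner")],
    "webapp/export": [("CWE-22", "path traversal in report export")],
    "sshd": [("CWE-307", "no lockout on repeated failed logins")],
}

# An unclassified alert: something hit the upload handler from the DMZ shortly
# after the known attacks above. Constructed.
ALERT = Event("unclassified-1", T0 + timedelta(minutes=25), "dmz", "webapp/upload")

WINDOW = timedelta(minutes=30)  # assumed temporal-context window


def shared_context(a, b, window=WINDOW):
    """Context dimensions on which two events coincide; empty set means unrelated."""
    shared = set()
    if abs(a.when - b.when) <= window:
        shared.add("time")
    if a.location == b.location:
        shared.add("location")
    if a.component == b.component:
        shared.add("component")
    return shared


def build_context_graph(attacks, window=WINDOW):
    """Undirected graph over known attacks; each edge is labelled with the shared context."""
    graph = defaultdict(dict)
    for i, a in enumerate(attacks):
        for b in attacks[i + 1:]:
            shared = shared_context(a, b, window)
            if shared:
                graph[a.name][b.name] = shared
                graph[b.name][a.name] = shared
    return graph


def candidate_attacks(alert, attacks, graph, max_hops=2, window=WINDOW):
    """Known attacks reachable from the alert by a contextual path of at most max_hops edges.
    Hop 1 is a direct relation (the alert shares context with a known attack);
    further hops follow edges of the known-attack graph (indirect relations)."""
    reached = {a.name for a in attacks if shared_context(alert, a, window)}
    frontier = set(reached)
    for _ in range(max_hops - 1):
        frontier = {nb for n in frontier for nb in graph[n]} - reached
        reached |= frontier
    return reached


def related_vulnerable_components(candidates, attacks, vulns):
    """Components sharing a weakness class with a component hit by a candidate attack:
    the modules where an analogous, possibly unreported, vulnerability should be examined."""
    by_name = {a.name: a for a in attacks}
    hit = {by_name[n].component for n in candidates}
    classes = {cwe for c in hit for cwe, _ in vulns.get(c, [])}
    return {c for c, vs in vulns.items() if any(cwe in classes for cwe, _ in vs)}


def run_demo():
    """Reduce the search space for ALERT and list components worth examining."""
    graph = build_context_graph(KNOWN_ATTACKS)
    cands = candidate_attacks(ALERT, KNOWN_ATTACKS, graph)
    comps = related_vulnerable_components(cands, KNOWN_ATTACKS, KNOWN_VULNS)
    return cands, comps


if __name__ == "__main__":
    cands, comps = run_demo()
    print(f"search space reduced from {len(KNOWN_ATTACKS)} to {len(cands)}: {sorted(cands)}")
    print("components to examine for analogous flaws:", sorted(comps))
```

Running it links the alert directly to the three DMZ web-application attacks and indirectly (via `session-fixation`, which falls inside the time window of `admin-cmdinj`) to a fourth, leaving the SSH and SMB signatures out of the search; the weakness-class step then flags `webapp/export`, which no candidate attack touched but which carries the same CWE-22 pattern as the upload handler. The window size, hop limit and choice of context dimensions are the tuning knobs a practitioner would have to justify; too wide a window collapses everything into one cluster and the reduction disappears.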

Citation (APA)

AlEroud, A., & Karabatis, G. (2017). A framework for contextual information fusion to detect cyber-attacks. In Studies in Computational Intelligence (Vol. 691, pp. 17–51). Springer Verlag. https://doi.org/10.1007/978-3-319-44257-0_2