Detection of zero day exploits using real-time social media streams

Abstract

Detection of zero day exploits is a challenging problem. Vulnerabilities that are known only to attackers, but neither to software vendors nor to users, have a severe impact on the security of systems and networks. Such vulnerabilities are exploited to intrude into systems and often cause leakage of confidential data. Because the pattern of the exploitation is hitherto unknown, real-time detection is hardly possible. Hence, an incident is often detected only a long time after it took place, if it is detected at all. More timely detection of attacks is necessary to trigger suitable counter-measures, such as reconfiguring firewalls and alerting administrators of other vulnerable targets. Knowing the attributes of a novel attack's target system therefore supports the protection of other vulnerable systems. We suggest a novel approach to post-incident intrusion detection, to be precise, a crowd-based intrusion detection system. To accomplish this, we take advantage of social media users' postings about incidents that affect their user accounts on attacked target systems, or their observations about misbehaving online services. By combining knowledge of the attacked systems with the reported incidents, we should be able to recognize patterns that define the attributes of vulnerable systems. Furthermore, by matching detected attribute sets with the attributes of well-known attacks, we should be able to link attacks to existing entries in the Common Vulnerabilities and Exposures database. If no link to an existing entry is found, we can assume to have detected the exploitation of an unknown vulnerability, i.e., a zero day exploit or the result of an advanced persistent threat. This finding could also be used to direct efforts to examine the vulnerabilities of attacked systems and, at the same time, lead to faster patch deployment.

Citation (APA)

Kergl, D., Roedler, R., & Rodosek, G. D. (2016). Detection of zero day exploits using real-time social media streams. In Advances in Intelligent Systems and Computing (Vol. 419, pp. 405–416). Springer Verlag. https://doi.org/10.1007/978-3-319-27400-3_36
