
Deep Ahead-of-Threat Virtual Patching

  • Conference paper
  • In: Information and Operational Technology Security Systems (IOSec 2018)
  • Part of the book series: Lecture Notes in Computer Science (LNSC, volume 11398)

Abstract

Many applications have security vulnerabilities that can be exploited. It is practically impossible to find all of them due to the NP-complete nature of the testing problem. Security solutions defend against these attacks through continuous application testing, fast patching of vulnerabilities, automatic deployment of patches, and virtual-patching detection techniques deployed in network and endpoint security tools. All of these techniques are limited by the need to find a vulnerability before the ‘black hats’ do. We propose an innovative technique to virtually patch vulnerabilities before they are found. We leverage testing techniques to generate supervised-learning data, and show how artificial intelligence techniques can use this data to create predictive deep neural-network models that read an application’s input and predict in real time whether it is potentially malicious. We set up an ahead-of-threat experiment in which we generated data on old versions of an application and then evaluated the predictive model’s accuracy on vulnerabilities found years later. Our experiments show ahead-of-threat detection of LibXML2 and LibTIFF vulnerabilities with 91.3% and 93.7% accuracy, respectively. We expect to continue work in this field of research and provide ahead-of-threat virtual patching for more libraries. Success in this research can change the current state of endless racing after application vulnerabilities and put the defenders one step ahead of the attackers.
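The pipeline the abstract describes (generate inputs with a testing technique, label them with an oracle from the application under test, train a model over the raw input bytes, then score unseen inputs) can be sketched end to end in plain Python. The following is an added illustration, not code from the paper or its authors: the application under test is a constructed toy record parser with a 64-byte buffer, the oracle is a stand-in for a sanitizer build reporting an out-of-bounds write, the fuzzer is a seeded random generator, and the model is a sparse logistic regression over byte features rather than the paper's deep network. The held-out corpus stands in for the paper's "vulnerabilities found years later"; it is drawn from the same generator, which the real experiment does not assume.

```python
import math
import random

# Constructed toy stand-in for the "old version" of an application under test:
# a record parser that copies a declared number of bytes into a fixed buffer.
BUF_SIZE = 64   # assumption: size of the toy parser's buffer
HEAD = 4        # leading byte positions fed to the model as one-hot features


def crash_oracle(data: bytes) -> bool:
    """Label source. Stands in for running a fuzzed input against a sanitizer
    build of the old version: the toy parser would write `declared` bytes into
    a BUF_SIZE buffer, so any larger declared length is reported as a crash."""
    if len(data) < 2:
        return False
    declared = data[0] | (data[1] << 8)   # little-endian 16-bit length field
    return declared > BUF_SIZE


def fuzz_input(rng: random.Random) -> bytes:
    """Constructed generator that samples both sides of the oracle boundary so
    the labelled corpus is roughly balanced (a real fuzzer would not be)."""
    r = rng.random()
    if r < 0.5:
        declared = rng.randint(0, BUF_SIZE)            # fits the buffer
    elif r < 0.75:
        declared = rng.randint(BUF_SIZE + 1, 0xFF)     # overflow, high byte zero
    else:
        declared = rng.randint(0x100, 0xFFFF)          # overflow, high byte set
    body = bytes(rng.randrange(256) for _ in range(rng.randint(0, 80)))
    return bytes([declared & 0xFF, declared >> 8]) + body


def features(data: bytes) -> dict:
    """Sparse byte-level features: one-hot value of each of the first HEAD bytes
    plus a normalised byte histogram. The paper learns over raw bytes with a
    deep network; this flat encoding keeps the example dependency-free."""
    f = {"bias": 1.0}
    for i, b in enumerate(data[:HEAD]):
        f[f"pos{i}:{b}"] = 1.0
    n = max(len(data), 1)
    for b in data:
        f[f"hist:{b}"] = f.get(f"hist:{b}", 0.0) + 1.0 / n
    return f


def predict_proba(w: dict, x: dict) -> float:
    """Logistic model score in [0, 1]; higher means 'likely to crash'."""
    z = sum(w.get(k, 0.0) * v for k, v in x.items())
    z = max(-30.0, min(30.0, z))          # keep exp() in range
    return 1.0 / (1.0 + math.exp(-z))


def train(samples, rng: random.Random, epochs: int = 10, lr: float = 0.5) -> dict:
    """Logistic regression fitted by plain SGD over the sparse features."""
    w = {}
    samples = list(samples)
    for _ in range(epochs):
        rng.shuffle(samples)
        for x, y in samples:
            g = predict_proba(w, x) - y
            for k, v in x.items():
                w[k] = w.get(k, 0.0) - lr * g * v
    return w


def labelled_corpus(n: int, seed: int):
    """Fuzz n inputs and label each with the crash oracle (1.0 = crash)."""
    rng = random.Random(seed)
    out = []
    for _ in range(n):
        d = fuzz_input(rng)
        out.append((features(d), 1.0 if crash_oracle(d) else 0.0))
    return out


def run_experiment(n_train: int = 6000, n_eval: int = 1000) -> float:
    """Train on one corpus (the 'old version' data) and measure accuracy on an
    independently generated corpus. Returns the held-out accuracy."""
    model = train(labelled_corpus(n_train, seed=1), random.Random(2))
    evaluation = labelled_corpus(n_eval, seed=3)
    hits = sum((predict_proba(model, x) >= 0.5) == (y == 1.0)
               for x, y in evaluation)
    return hits / len(evaluation)


if __name__ == "__main__":
    print(f"held-out accuracy: {run_experiment():.3f}")
```

The point the toy makes is the division of labour: the fuzzer and oracle produce labels mechanically, the model only ever sees bytes, and at deployment time `predict_proba` runs ahead of the real parser as a virtual patch. Whether the model generalises to inputs that hit code the oracle never exercised is exactly the question the paper's experiment measures, and a same-distribution hold-out like the one here does not answer it.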



Acknowledgements

This project has received funding from the European Union’s Horizon 2020 research and innovation programme under grant agreement No. 740787 (SMESEC). We would like to thank Ayman Jarrous and Tamer Salman for fruitful discussions, and Ben Liderman for help in building the automated framework.

Author information

Corresponding author: Fady Copty.


Copyright information

© 2019 Springer Nature Switzerland AG

About this paper


Cite this paper

Copty, F., Kassis, A., Keidar-Barner, S., Murik, D. (2019). Deep Ahead-of-Threat Virtual Patching. In: Fournaris, A., Lampropoulos, K., Marín Tordera, E. (eds) Information and Operational Technology Security Systems. IOSec 2018. Lecture Notes in Computer Science, vol 11398. Springer, Cham. https://doi.org/10.1007/978-3-030-12085-6_9

  • DOI: https://doi.org/10.1007/978-3-030-12085-6_9

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-030-12084-9

  • Online ISBN: 978-3-030-12085-6

  • eBook Packages: Computer Science (R0)