Deep Ahead-of-Threat Virtual Patching

  • Fady CoptyEmail author
  • Andre Kassis
  • Sharon Keidar-Barner
  • Dov Murik
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 11398)


Many applications have security vulnerabilities that can be exploited. It is practically impossible to find all of them due to the NP-complete nature of the testing problem. Security solutions provide defenses against these attacks through continuous application testing, fast-patching of vulnerabilities, automatic deployment of patches, and virtual patching detection techniques deployed in network and endpoint security tools. These techniques are limited by the need to find vulnerabilities before the ‘black hats’. We propose an innovative technique to virtually patch vulnerabilities before they are found. We leverage testing techniques for supervised-learning data generation, and show how artificial intelligence techniques can use this data to create predictive deep neural-network models that read an application’s input and predict in real time whether it is a potential malicious input. We set up an ahead-of-threat experiment in which we generated data on old versions of an application, and then evaluated the predictive model accuracy on vulnerabilities found years later. Our experiments show ahead-of-threat detection on LibXML2 and LibTIFF vulnerabilities with 91.3% and 93.7% accuracy, respectively. We expect to continue work on this field of research and provide ahead-of-threat virtual patching for more libraries. Success in this research can change the current state of endless racing after application vulnerabilities and put the defenders one step ahead of the attackers.


Virtual patching Application vulnerability Deep learning 



This project has received funding from the European Union’s Horizon 2020 research and innovation programme under grant agreement No. 740787 (SMESEC). We would like to thank Ayman Jarrous and Tamer Salman for fruitful discussions, and Ben Liderman for help in building the automated framework.


  1. 1.
    Aljawarneh, S., Aldwairi, M., Yassein, M.B.: Anomaly-based intrusion detection system through feature selection analysis and building hybrid efficient model. J. Comput. Sci. 25, 152–160 (2018). Scholar
  2. 2.
    American Fuzzy Lop (AFL) Fuzzer. Accessed 22 July 2018
  3. 3.
    Ashfaq, R.A.R., Wang, X.Z., Huang, J.Z., Abbas, H., He, Y.L.: Fuzziness based semi-supervised learning approach for intrusion detection system. Inf. Sci. 378, 484–497 (2017). Scholar
  4. 4.
    Chollet, F.: Keras (2015). Accessed 13 Aug 2018
  5. 5.
    Exploit Database. Accessed 22 July 2018
  6. 6. TIFF samples. Accessed 22 July 2018
  7. 7.
  8. 8.
    Kim, G., Lee, S., Kim, S.: A novel hybrid intrusion detection method integrating anomaly detection with misuse detection. Expert Syst. Appl. 41(4), 1690–1700 (2014). Scholar
  9. 9.
    Li, Z., Sun, W., Wang, L.: A neural network based distributed intrusion detection system on cloud platform. In: Proceedings of the 2nd International Conference on Cloud Computing and Intelligent Systems (CCIS), pp. 75–79. IEEE Press, New York (2012).
  10. 10.
    LibTIFF. Accessed 22 July 2018
  11. 11.
    LibXML2. Accessed 22 July 2018
  12. 12.
    Mishra, P., Pilli, E.S., Varadharajan, V., Tupakula, U.: Intrusion detection techniques in cloud environment: a survey. J. Netw. Comput. Appl. 77, 18–47 (2017). Scholar
  13. 13.
  14. 14.
    Pandeeswari, N., Kumar, G.: Anomaly detection system in cloud environment using fuzzy clustering based ANN. Mob. Netw. Appl. 21(3), 494–505 (2016). Scholar
  15. 15.
    Pedregosa, F., et al.: Scikit-learn: machine learning in python. JMLR 12, 2825–2830 (2011)MathSciNetzbMATHGoogle Scholar
  16. 16.
    Raff, E., Barker, J., Sylvester, J., Brandon, R., Catanzaro, B., Nicholas, C.: Malware detection by eating a whole exe. arXiv preprint (2017)Google Scholar
  17. 17.
    Saxe, J., Berlin, K.: Deep neural network based malware detection using two dimensional binary program features. In: Proceedings of the 10th International Conference on Malicious and Unwanted Software (MALWARE), pp. 11–20. IEEE Press, New York (2015).
  18. 18.
    Snort Network Intrusion Detection & Prevention System. Accessed 23 July 2018
  19. 19.
    Srivastava, P.R., Kim, T.H.: Application of genetic algorithm in software testing. Int. J. Softw. Eng. Appl. 3(4), 87–96 (2009)Google Scholar

Copyright information

© Springer Nature Switzerland AG 2019

Authors and Affiliations

  • Fady Copty
    • 1
    Email author
  • Andre Kassis
    • 1
  • Sharon Keidar-Barner
    • 1
  • Dov Murik
    • 1
  1. 1.IBM ResearchHaifaIsrael

Personalised recommendations