Detecting Zero-Day Attacks Using Contextual Relations

  • Ahmed Aleroud
  • George Karabatis
Conference paper
Part of the Lecture Notes in Business Information Processing book series (LNBIP, volume 185)


The focus of this research is a knowledge-based intrusion detection technique that utilizes contextual relations between known attacks to identify zero-day attacks, which are exploits of unknown software vulnerabilities. The proposed technique uses information entropy and linear data transformation to generate feature-based and linear function-based attack profiles. It systematically creates contextual relationships between known attacks to generate attack profiles that capture the most likely combinations of activities an attacker might exploit to initiate zero-day attacks. We utilize the similarity among the features of the incoming network connections and these profiles to discover zero-day attacks. Our experiments on benchmark intrusion detection datasets indicate that utilizing contextual relationships to generate attack profiles leads to a satisfactory detection rate of zero-day attacks from network data at different levels of granularity.
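To make the abstract's pipeline concrete, the following is an added illustration written for this page; it is not the authors' code and does not reproduce their exact entropy or transformation scheme. It assumes a simplified design: known attack records are grouped by label into feature-based profiles, each feature is weighted by how little it varies within the attack class relative to the whole dataset (a conditional-entropy weight), and an incoming connection is scored by weighted similarity to every profile. The connection records, feature names, attack labels and the 0.6 threshold are all constructed sample values, not data from the paper's benchmark datasets.

```python
import math
from collections import Counter, defaultdict

# Constructed sample of labelled connection records (not from any real dataset).
# Each record is (attack_label, {feature: value}); numeric fields are pre-binned
# into categorical buckets so one entropy/similarity path handles every feature.
KNOWN_ATTACKS = [
    ("neptune", {"protocol": "tcp", "service": "private", "flag": "S0", "src_bytes": "zero"}),
    ("neptune", {"protocol": "tcp", "service": "http", "flag": "S0", "src_bytes": "zero"}),
    ("neptune", {"protocol": "tcp", "service": "private", "flag": "S0", "src_bytes": "zero"}),
    ("neptune", {"protocol": "tcp", "service": "private", "flag": "REJ", "src_bytes": "zero"}),
    ("smurf", {"protocol": "icmp", "service": "ecr_i", "flag": "SF", "src_bytes": "large"}),
    ("smurf", {"protocol": "icmp", "service": "ecr_i", "flag": "SF", "src_bytes": "large"}),
    ("smurf", {"protocol": "icmp", "service": "ecr_i", "flag": "SF", "src_bytes": "medium"}),
]
FEATURES = ["protocol", "service", "flag", "src_bytes"]


def entropy(values):
    """Shannon entropy (bits) of a multiset of categorical values."""
    counts = Counter(values)
    n = sum(counts.values())
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def build_profiles(records, features):
    """Build one feature-based profile per attack label.

    Returns {label: (weights, distributions)} where, for each feature,
    distributions[f] maps a value to its relative frequency inside the class and
    weights[f] = 1 - H(f | label) / log2(#distinct values of f in the whole set).
    A feature that is nearly constant within a class (e.g. flag S0 for a SYN
    flood) therefore carries weight near 1; one that varies as much inside the
    class as it does globally carries weight near 0. (Assumed weighting scheme.)
    """
    by_label = defaultdict(list)
    for label, rec in records:
        by_label[label].append(rec)
    global_card = {f: len({rec[f] for _, rec in records}) for f in features}
    profiles = {}
    for label, recs in by_label.items():
        weights, dists = {}, {}
        for f in features:
            vals = [r[f] for r in recs]
            counts = Counter(vals)
            dists[f] = {v: c / len(vals) for v, c in counts.items()}
            max_h = math.log2(global_card[f]) if global_card[f] > 1 else 0.0
            weights[f] = 1.0 - entropy(vals) / max_h if max_h > 0 else 1.0
        profiles[label] = (weights, dists)
    return profiles


def similarity(record, profile, features):
    """Weighted probability that each of the record's values occurs in the profile,
    normalised to [0, 1] by the total feature weight."""
    weights, dists = profile
    total = sum(weights[f] for f in features)
    if total == 0:
        return 0.0
    score = sum(weights[f] * dists[f].get(record[f], 0.0) for f in features)
    return score / total


def match(record, profiles, features, threshold=0.6):
    """Return (closest_label, score, flagged). A connection is flagged when it is
    close enough to some known-attack profile even if it is not an exact replay
    of any known record; that gap is where an unseen variant may be caught."""
    best_label, best_score = max(
        ((lbl, similarity(record, p, features)) for lbl, p in profiles.items()),
        key=lambda t: t[1],
    )
    return best_label, best_score, best_score >= threshold


if __name__ == "__main__":
    profiles = build_profiles(KNOWN_ATTACKS, FEATURES)
    # A SYN-flood-like connection on a service never seen in the known records.
    variant = {"protocol": "tcp", "service": "ftp", "flag": "S0", "src_bytes": "zero"}
    # An ordinary completed HTTP connection.
    benign = {"protocol": "tcp", "service": "http", "flag": "SF", "src_bytes": "medium"}
    for name, rec in (("variant", variant), ("benign", benign)):
        label, score, flagged = match(rec, profiles, FEATURES)
        print(f"{name}: closest={label} score={score:.3f} flagged={flagged}")
```

The variant record shares protocol, flag and byte-count behaviour with the SYN-flood profile and scores around 0.8 despite its unseen service value, while the benign record scores below 0.4 against every profile. The threshold trades detection rate against false positives and would be tuned on labelled traffic in practice.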


Keywords: Intrusion detection, Zero-day attacks, Contextual relations, Entropy, IP flows



Copyright information

© Springer International Publishing Switzerland 2014

Authors and Affiliations

  1. Department of Information Systems, University of Maryland, Baltimore County (UMBC), Baltimore, USA
