A Novel Approach on Zero Day Attack Safety Using Different Scenarios

(1)

IJCSIET-ISSUE5-VOLUME3-SERIES1 Page 1

A Novel Approach on Zero Day Attack Safety Using Different

Scenarios

1Shaik Yedulla Peer,2N. Mahesh,3R. Lakshmi Tulasi

2

Assist Professor,3 Head of The Department [email protected]

Abstract-A zero day attack is the type of attack where people make use of flaw in the software developed by various companies. There is no patch available so it is difficult to tackle such types of attacks even when developers of the company are known to this. Research on this maticx has been hindered by unknown vulnerability

since they are not quantifiable & that’s

why they are unpredictable. This paper

resolves this issue of Zero – day

security here in place of ranking the vulnerability a count is maintain which shows that how vulnerabilities are acceptable for compromising with network assets .Count is directly

proportional with unknown

vulnerabilities . In this we are devising heuristic algorithms to make out intractable issues.

I.Introduction

The internet network is growing with very rate and so is the case with network security threats .Main issues in securing computer networks are the

insufficient methods for directly

measuring the effectiveness of security solutions in a network , since “one can’t improve what one can't measure” itrusion detection system or firewall are not effective in this case for

real world . Matrix method is accepted since it has the ability to directly measure and compare the amounts of security is been provided by different security solutions ,but it has some us tackled issues which need to be handle . This paper proposes a

security metric, k-zero day safety, which addresses these issues. Here instead of measuring which unknown vulnerabilities are more likely to exist, we begin with the worst case that this is not measurable and then metric simply counts number of zero-day vulnerabilities that are required to compromise with a network. Matrics count is directly proportional to the security of the network .Base of our implementation is an abstract model of

networks and zero-day attacks.

Considerations in our implementation are the complexity of computing the metric and design heuristic algorithms addressing this complexity in some special cases and we think metrics approach is the best way.

Encryption

Encryption is converting useful data into such format so that nobody can understand it. This has four different methods.

Wireless Encryption (WE)

Wireless Encryption is done on wireless network. Various wireless algorithms are developed to implement this encryption.

(2)

Wired Equivalent Privacy (WEP)

This also called as Wireless

Encryption Protocol. This is the

method which states that malicious link should not use.

Wi-Fi Protected Access (WPA)

This generally used to encrypt the secure and source traffic by efficient.

Pre-shared Key (PSK)

In this method the sharing key will be done in the two different machines and security is provided.

User ID

Here it uses the Username and ID to

identify the permitted user and

according to it he has the rights to access.

Authentication

Authentication has three types. 1) One Factor 2) Two Factor 3) Three Factor. In one factor user knows something to access the network. In two factor anything that user has to physically access the network. In three factor something that user needs like retina scan or finger prints.

Firewall

Firewall blocks unwanted packets and it also analyze the network traffic. It checks incoming packets and give authority that to allow this packets or not.

Physical Security

When somebody breaks something by

going physically there. Web

applications basically deals with such problems which needs services to run those applications. Web application with injection flaw is widely occurring in the network. Researcher wants to find it from many years to understand it.

Existed Systems

Common Weakness Scoring System (CWSS) is the system where it counts the known vulnerability but say very little about the unknown. Sometimes it was recommended that to merge this into firewall so as client side would not

need external security. Modeling

network graph can be way to demolish it and has been tested over 40000 hosts to check its compatibility with network [1]. Even if many methods are available to lower down this attacks but no method nearly predict the exact risk of the threat which are acting on the network [2]. NetSPA was one of the tool which uses attack graph to model this threats [3]. It scans the network for the vulnerability and from the preferable input it draws the attack

graph to know that vulnerability

present over the network [3].

Topological Vulnerability Analysis

(TVA) is one of the attack prevention methods which is powerful [4]. This vulnerability can be depending on each other of the different network system. User sometimes even cannot

know that how this thing are

happening as there is large abstraction in the given applications. In this approach the network is configured and tested for the sequences of the vulnerability. This is shown in the Fig. 2. Vulnerability Discovery Model is also one of the models to detect count of the vulnerability in any software [5]. So there is always one question can arise that is there any database for measuring the risk of attacks [2]. The attacks related to the exploitation of the vulnerability are common but to make patch of such vulnerability is difficult and cost effective.

II.Related work

Firewall allows all the outgoing

(3)

the incoming requests to host 2. Main security issue here is whether any Of the attacker on host 0 can obtain root control on host 2. Under this we have 2 policies on which we are working

Policy 1 : The iptables rules and

regulation are left in a default setup that accepts all the given requests .

Policy 2 : The iptables rules and

regulation are configured which allows specific IPs, excluding host 0, to have access to the ssh service. Now network is considered already secure in policy 1. Conclusions drawn after comparing these 2 policies For policy 1  The attacker on host 0 exploits zero-day vulnerability in HTTP service of host 1 and then use it to exploit another vulnerability in the secure service of host 2.

 Host 0 exploits zero-day vulnerability in secure service on both of the hosts (1 & 2) .

 Host 0 exploited zero-day

vulnerability in the firewall (e.g., a default password) to create

problems in the traffic blocking it before it compromises host 2. The 1st and 3rd case require 2 different and

distinct zero-day vulnerabilities,

instead the second requires one zero-day vulnerability (in the secure shell

service). That’s why, the network may

be compromised with at least one zero-day attack under policy 1. For policy 2

 1st and 3rd points are same as that of policy 1

 Attacker on host 0 can exploit zero-day

vulnerability to create problems in the iptables rules before exploiting the secured service on both hosts(1 & 2) The important observation in this concern is that considering a network’s resistance to zero-day vulnerabilities can assist in the relative security of

different network configurations.

Standardization efforts:- There exit multiple standardization efforts on

security metrics for vulnerability

tracking , like the Common

Vulnerability Scoring System (CVSS) and, more recent, the Common Weakness Scoring System

(CWSS). If will focuses on software weaknesses as vulnerability. CVSS & CWSS do not address their over all impact of vulnerability on system these efforts founded a foundation for research on security metrics, as they provide standard way for assigning

numerical scores to known

vulnerabilities that are already

available in public vulnerability

database,

similar to the National Vulnerability Database. Network security metrics :- In previous work a security metric was proposed as time and efforts required by potential adversaries based on the of a Markov model of attack stages .

another work was based on ,

parameters that consider a security metric that measure the amount of security of networks in which , the length of shortest attack paths, in number of exploits, conditions, or both .

Disadvantage :- These work generally don’t take certain factors under consideration and those were the relative severity of vulnerabilities . Solution :- Compromise Percentage

Metric (NCP) which shows the

percentage of network assets that can be compromised by attackers and now in more recent work Page Rank Algorithm is introduced This focus on the percentage of network assets that can be compromised and for that assumption made is that , the

attackers would progress along

different paths in an attack graph in a random fashion and another more recent research replaced an attack trees with more advanced attack graphs and replace its attack paths

(4)

with attack scenarios of the system . More recently authors proposed a framework for grouping such metrics based on their relative importance and some risk management framework for quantifying the chances of attacks and for developing a security mitigation and management plans are also proposed . Zero-day attack :- Attacks that exploits a previously unknown vulnerability in a computer system application, one that developer had no time to address & patch them are

called as Zero – day attack because

programmer has Zero day to fix these kind of flaws. Security metrics :- Security metrics have been proposed in fields other than network security which measures that how a software is vulnerable to attacks , based on the degree of exposure Our focuses is on ranking, instead of quantifying, security threats at network and system level essentially allow us to work with weaker assumptions that actually stem from such immeasurability results

III.APPROACHES OF ZERO DAY MODEL

The zero day safety comes under the firewall security methods. Firewall blocks the unknown packets which are always roaming in the corresponding network. For this type it is further divided into five types of security. It is shown in Fig 3.

k-Zero Day

In this model, the various connected host are measured and different services related to it are detected [1]. The services in which vulnerability can be possible are to be found out. Such count is measured and then it is informed to the corresponding network administrator. The remote services are accessed remotely over the network.

Fig2. Zero day vulnerability

The above system check’s the existing known vulnerabilities and unnecessary

services, which seam’s innocent

enough at first , affect the k-zero day safety of a network. The case study

also demonstrates that patching

known vulnerabilities does not always improve the networks resistance to zero-day attacks; a formal approach, thus, becomes necessary to check how effective such patching tasks are. In the upper half of Fig, assume no known vulnerabilities and we are mainly concerned on host 5 and the root privileges assigned to it. Host 4 is suppose to be an client administrator, and now we check the effect of unneeded ssh service running on host 4 and the effect of adding a known vulnerability into that part of the system. For an attack graph-based analytic system, these may seem to not pose threat the security of host 5 because host 5 cannot be reached from host 0 anyway (due to firewall 3). However, by applying this metric, we will reach different

conclusions. The lower half of Fig shows two attack sequences leading to the root privilege on host 5 . The edges in dashed lines correspond to attacks that become possible after introducing the ssh service and the

corresponding known vulnerability

mentioned. Mathematical Model Input(I)={No of Network , No of Host }

(5)

IJCSIET-ISSUE5-VOLUME3-SERIES1 Page 5 No of Networks(N)={N1,N2,N3,..,Nn} Network(N)={Host(H),Services(S),Privil eges(P)} Host(H)={H1,H2,………,Hn ,Firewall } Services(S)={ssh,HTTP,Iptable} Attack Packets(AP)={AP1,AP2,AP3,…,APn} AP1={Host(H),Network(N),Data(D)} Output(O)={ K, Attack Graph , Iptable } Processing :-

1) Mappings from for Iptable :-

Hosts to sets of services serv() :H 2S and

privileges priv:P : H 2P 2) Value Of K

L is logical proposition of asserts L=l1 v l2 v...ln

k=min(K0d(Fi union E0,fi)) Fi=Exploits

1<=i<=n

K={0,1,2,3,…,n}

Fig3. Sequence of zero day attack Consider these 2 iptables tables policy:-

1) POLICY 1:- The rules defined in iptables are suppose to be in default setting ,which accepts all requests. 2) POLICY 2:- The rules defined in iptables are configured to only specific IP’s,excluding hostzero ,to access ssh service.

There are many flaws in the existing system so there is need of new system which tracks down the flaws in the existing system. Before proceeding it is necessary to know all the services

are active on the network. The scenario proposed below is novel scenario and if we go through procedure in then it is easy to count the number of vulnerability possible in the network. Now let’s see what is happening in each phase. Sequences Every service works differently as according to program that are written into it. Thus, make the different sequences of such services by using set theory. Example if host 1 can exploit the vulnerability on host 2 then in the matrix of n x n we will going to make corresponding field as 1(n is number of host).

Fig5. Architecture of computing

Computing is nothing but counting the

number of vulnerabilities in the

network by deriving various logic

propositions rigorousness of the

network is determined and

vulnerabilities are kept aside. The assets related to it are taken away separately and attack graph tells the exact process of the services [3]. For the next phase determine safety for zero day upto the particular threshold by applying recursive methods. Its complexity will leads to the polynomial in size of zero day attack graph [3]. It means that whatever network assets are available it need to try that this assets would compromise the network upto certain threshold. There are many chances where value of k will become constant. The third phase consists of finding the shortest path via acyclic directed graph (DAG). As the

remotely computer requires the

privileges, same kind of zero day are arranged in a relation. Any algorithm can be applied to find out shortest path in the attack graph. It would

(6)

check from node to node and from each node there will be edge for knowing the connections statistics. There should be checking of each node visited or not and the statistic of

such visited node have to be

considered. Applying Here it shows the potential of the metric by applying

it to the network hardening. It

increases security and it can be done by changing some configuration. It also provides some solutions related to it so that security of the network will increase.

This type of solutions could be valid or invalid thus only valid solutions would be taken into consideration. It takes care of the disabling services then in the network diversity it could be done by taking special care and by

terminating each tree services.

Counting is process of making final attack graph and determines the number of zero day attacks. This

would inform to the network

administrator to change settings or disabling the services which are acting currently and making vulnerabilities in it [7]. Currently all are taking efforts on making the attack graph which is little bit different kind to search the network security. The metric is varying day by day as the exploitation of the vulnerability is increasing. The concept of network hardening is currently stayed away but works also in the way to solve [7]. Empirical analysis has been done to know the actual effect of the attack [8]. The most of all are working on to provide security to particular applications but as the

network sharing is increased

everybody found that to work for the applications which are commonly used. The work was done only on one way to the system but it has to be done parallely. There are some tools need to be there to find it parallel this has been taken in account. Empirical

study is aware of the vulnerability occur for the particular time period. Injections of attacks are generally considered as temporary task but it can be blocked by using solution of ant viruses sometimes [9]. The main thing is finding the location of an attacker so as to track such path via different locations [10]. Knowing the IP address of the system of an attacker it can be done but first it needs to find what was the path of the packet which

was transmitted from the long

distance.

IV.Conclusion

In this proposed paper of the k-zero day safety as a novel of network security metric ,specifically, we have defined the k-zero day safety model and the metric satisfied the required algebraic properties of a metric

function. We gone through the

complexity of computing the metric and we have proposed efficient algorithms for determining the metric value . We are able to catch the total

count of known and dynamic

vulnerabilities in network which affect our system security. In previous system we are not able to calculate the risk of vulnerability as well as not able to rank the vulnerabilities for network hardening, this system provide this function. In this model we are using

collaborative filtering for ranking

vulnerabilities. In this model we are design practical model for firewall system. We configure optimal list of firewall rule list to make our system more secure and find the known as

well as unknown and dynamic

vulnerabilities in network. The scope of our metric is limited by the three basic

assumptions about zero-day

vulnerabilities (the existence of

network connectivity, vulnerable

(7)

privilege on source host). The model will be more suitable for application to the evaluation of penetration attacks launched by human attackers or network propagation of worms or bots

in mission critical networks. An

important future work is to broaden the scope by accommodating other types of attacks.

REFERENCES

[1] P. Mell, K. Scarfone, and S. Romanosky, “Common Vulnerability Scoring System,” IEEE Security and Privacy, vol. 4, no. 6, pp. 85-89, Nov./Dec. 2006.(24)

[2] MITRE Corp., “Common Weakness

Scoring System (CWSS),”

http://cwe.mitre. org/cwss/, 2010.(37) [3] M. Frigault, L. Wang, A. Singhal,

and S. Jajodia, “Measuring Network

Security Using Dynamic Bayesian

Network,” Proc. Fourth ACM

Workshop Quality of

Protection (QoP ’08), 2008.(9)

[4] Kaur, R.; Singh, M., "Efficient hybrid technique for

detecting zero-day polymorphic

worms," Advance

Computing Conference (IACC), 2014 IEEE International

,pp.95,100, 21-22 Feb. 2014.

[5] J. Homer, X. Ou, and D. Schmidt, “A Sound And Practical

Approach to Quantifying Security Risk in Enterprise

Networks,” technical report, Kansas State Univ., 2009.(12)

[6] R. Lippmann, K. Ingols, C. Scott, K. Piwowarski, K.

Kratkiewicz, M. Artz, and R.

Cunningham, “Validating and

Restoring Defense in Depth Using Attack Graphs,” Proc.

IEEE Conf. Military Comm. (MILCOM’ 06), pp. 981-990,

2006.(20)

[7] N. Poolsappasit, R. Dewri, and I. Ray, “Dynamic Security

Risk Management Using Bayesian Attack Graphs,” IEEE

Trans. Dependable Secure

Computing, vol. 9, no. 1, pp. 61- 74, Jan. 2012.(31

[8] L. Wang, S. Jajodia, A. Singhal, and S. Noel, “k-Zero Day

Safety: Measuring the Security Risk of Networks against

Unknown Attacks,” Proc. 15th

European Conf. Research

Computer Security (ESORICS ’10), pp. 573-587, 2010.(41)

[9] Mohammed, M.M.Z.E.; Chan, H.A; Ventura, N.; Pathan,

A-S.K., "An Automated Signature Generation Method for

Zero-Day Polymorphic Worms Based on Multilayer

Perceptron Model," Advanced

Computer Science

Applications and Technologies

(ACSAT), 2013

International Conference on , vol., no., pp.450,455, 23-24

Dec. 2013

[10] Alosefer, Y.; Rana, O.F.,

"Predicting client-side attacks via behavior analysis using honeypot data," Next Generation

Web Services Practices (NWeSP), 2011 7th International

Conference on Next Generation Web Services Practices,

pp.31,36, 19-21 Oct. 2011.

[11] D. Balzarotti, M. Monga, and S. Sicari, “Assessing the Risk

of Using Vulnerable Components,” Proc. ACM Second

Workshop Quality of Protection (QoP ’05), pp. 65-78,