Zero-Day Vulnerability

As technology evolves, so do threats, especially malware. A special case of interest is zero-day malware, which exploits unknown and unprotected vulnerabilities. A zero-day vulnerability is a vulnerability in a system or device that has been disclosed but is not yet patched. An exploit that attacks a zero-day vulnerability is called a zero-day exploit. Because they are discovered before security researchers and software developers become aware of them, and before a patch can be issued, zero-day vulnerabilities pose a higher risk to users.

A zero-day event consists of three phases:

    • Vulnerability phase (an inherent flaw exists in software code in the system but remains unknown to the system owner),
    • Exploit phase (the vulnerability is exploited, and the system is breached by the attacking entity) and
    • Attack phase (the system is maliciously impacted)[1].

Predicting or detecting system vulnerabilities, understanding their impact and seriousness, and predicting where an attack might happen are crucial. Several techniques have proven effective in solving this problem.

Statistic-based techniques rely on historical data, which are static in nature; therefore, they are not able to adapt to the dynamic behavior of the network environment.

Signature-based techniques are used by software vendors, who create a library of different malware signatures. They require detailed knowledge of each attack [2].

In contrast, anomaly detection algorithms first model the expected behavior of a system. Then, they use this knowledge to find patterns (anomalies) in data. Their performance can suffer because they are likely to generate a high number of False Positives (a security alert is raised but no attack is happening) and False Negatives (attacks going undetected) [3]. This can lead to serious loss or damage. Hence, it is important to achieve extremely high accuracy and extremely low false positive and false negative rates when building the model.

Hybrid-based techniques combine the three previous techniques.

Among conventional machine learning algorithms, such as Gaussian Naive Bayes, Quadratic Discriminant Analysis, Logistic Regression, AdaBoost, K-Nearest Neighbors, Decision Tree, and Random Forest, some show very high accuracy. The crucial detail is that the classifiers demonstrated improved accuracy when the given data were standardized. Under those conditions, Random Forest reached 99.55%. Naive Bayes and QDA showed poor performance, while all others had more than 97% [4].

The deep learning-based classifiers also give good results. They demonstrate a consistent improvement achieved by building deeper neural networks and additional training [4].

Hence, machine learning and deep learning algorithms have proven to be effective in dealing with the problem of detecting zero-day malware. However, these algorithms never achieve 100% accuracy, so these classifiers might still misclassify some of the zero-day malware.

Software supply chain attacks can use a variety of techniques, including zero-day exploits and advanced persistent techniques, to breach the perimeter and carry out malicious activity down the software supply chain. Once the malicious code had been inserted into the software update, the attack spread to other victims in the supply chain and hid by remaining inert until the update was tested and installed [5].

Therefore, this malware can cause severe damage, which is why it is important to protect the system from these attacks as much as possible. The CYRENE methodology benefits from a hybrid detection scheme that consists of two main components: (1) signature-based detection, and (2) anomaly-based detection. The former component is designed and implemented using a rule-based IDS (e.g., Snort) in order to detect known malicious activities, while the latter is designed and deployed using unsupervised machine learning algorithms (e.g., clustering, outlier detection) in order to deal with zero-days.
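The hybrid scheme described above, sketched as an added example (not CYRENE's implementation and not code from the original post): a signature pass followed by an outlier score over standardized features, tallied into the false positives and false negatives discussed earlier. The byte markers, flow features, sample flows and threshold are all constructed assumptions.

```python
import math
import statistics

# Constructed byte markers standing in for rule-based IDS signatures (not real Snort rules).
SIGNATURES = [b"KNOWN-BAD-MARKER-1", b"KNOWN-BAD-MARKER-2"]
FEATURES = ("bytes_out", "duration_s", "dst_ports")

def flow(bytes_out, duration_s, dst_ports, payload=b"", malicious=False):
    return {"bytes_out": bytes_out, "duration_s": duration_s,
            "dst_ports": dst_ports, "payload": payload, "malicious": malicious}

def fit_baseline(benign):
    """Model expected behaviour as per-feature (mean, std) for standardization."""
    return {f: (statistics.mean(x[f] for x in benign),
                statistics.pstdev(x[f] for x in benign) or 1.0) for f in FEATURES}

def anomaly_score(fl, baseline):
    """Euclidean distance from the baseline in standardized (z-score) space."""
    return math.sqrt(sum(((fl[f] - m) / s) ** 2 for f, (m, s) in baseline.items()))

def classify(fl, baseline, threshold=4.0):
    """Hybrid verdict: known signatures first, then the outlier score."""
    if any(sig in fl["payload"] for sig in SIGNATURES):
        return "signature"
    return "anomaly" if anomaly_score(fl, baseline) > threshold else "benign"

def evaluate(flows, baseline, threshold=4.0):
    """Tally alerts against the constructed ground-truth labels."""
    counts = {"tp": 0, "fp": 0, "fn": 0, "tn": 0}
    for fl in flows:
        alerted = classify(fl, baseline, threshold) != "benign"
        if fl["malicious"]:
            counts["tp" if alerted else "fn"] += 1
        else:
            counts["fp" if alerted else "tn"] += 1
    return counts

# Constructed data: benign training flows, then labelled test flows.
TRAIN = [flow(1200, 2.0, 1), flow(1500, 2.5, 1), flow(900, 1.5, 2),
         flow(1100, 2.2, 1), flow(1300, 1.8, 2), flow(1000, 2.0, 1)]
TEST = [
    flow(1250, 2.1, 1),                                   # ordinary benign flow
    flow(1100, 2.0, 1, b"..KNOWN-BAD-MARKER-1..", True),  # known malware: signature hit
    flow(9000, 30.0, 40, malicious=True),                 # no signature, far from baseline
    flow(8000, 2.0, 1),                                   # benign but unusual: false positive
    flow(1150, 2.1, 1, malicious=True),                   # malicious but in-profile: false negative
]
BASELINE = fit_baseline(TRAIN)
print(evaluate(TEST, BASELINE))  # tally for the constructed test set
```

With the constructed data, the signature pass catches only the flow carrying a known marker, while the outlier score catches the unsigned flow that departs from the baseline. The same score also flags one unusual benign flow and misses one malicious flow that stays within the baseline.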

References

[1] “Using Artificial Intelligence To Counter Zero-Day Cyber Attacks: A Security Imperative During The COVID-19 Global Crisis” https://www.linkedin.com/pulse/using-artificial-intelligence-counter-zero-day-cyber-dutta-chowdhury/, Published on March 25, 2020

[2] Umesh Kumar Singh, Chanchala Joshi, Suyash Kumar Singh “Zero day Attacks Defense Technique for Protecting System against Unknown Vulnerabilities” Volume-5, Issue-1, pp.13-18, February (2017) E-ISSN: 2320-7639

[3] Tommaso Zoppi, Andrea Ceccarelli, Andrea Bondavalli “Unsupervised Algorithms to Detect Zero-Day Attacks: Strategy and Application” July 1, 2021. Digital Object Identifier 10.1109/ACCESS.2021.3090957

[4] Faranak Abri, Sima Siami-Namini, Mahdi Adl Khanghah, Fahimeh Mirza Soltani, and Akbar Siami Namin “Can Machine/Deep Learning Classifiers Detect Zero-Day Malware with High Accuracy?” 2019 IEEE International Conference on Big Data (Big Data)

[5] “APTs, Zero Days, and Supply Chain Attacks: Know the Difference and Prepare Accordingly” https://assets.extrahop.com/whitepapers/advanced-threats.pdf


This blog is signed by: the UNSPMF team

KEY FACTS

Project Coordinator: Sofoklis Efremidis
Institution: Maggioli SPA
Email: info{at}cyrene.eu
Start: 1-10-2020
Duration: 36 months
Participating organisations: 14
Number of countries: 10

FUNDING

This project has received funding from the European Union’s Horizon 2020 Research and Innovation program under grant agreement No 952690. The website reflects only the view of the author(s) and the Commission is not responsible for any use that may be made of the information it contains.