Analyzing of Zero Day Attack and its Identification Techniques
Kunwar Singh Vaisla 1 and Reenu Saini 2
1 Associate Professor, 2 M.Tech Student,
Department of Computer Science & Engineering,
BT Kumaon Institute of Technology, Dwarahat, District–Almora, Uttarakhand, India
e-mail: 1 vaislaks@rediffmail.com, 2 reenurkesaini@gmail.com
Abstract—A zero day attack is a random attack which cannot be eradicated; it can only be identified and avoided. It is also called a one day attack. It is a threat that tries to exploit computer applications and their vulnerabilities; as noted above, this attack occurs on the day of zero awareness. This means that the developers have had zero days to address and patch the vulnerability.
In a post on its TechNet blog, Microsoft said the attacks observed so far against the vulnerability have been “carefully” carried out against selected computers, largely in the Middle East and south Asia. It added that the exploit needs some user interaction because it arrives disguised as an email that tempts potential victims to open a specially crafted Microsoft Word attachment.
According to Microsoft, the exploit combines multiple techniques to bypass mitigation techniques such as data execution prevention (DEP) [1], a security feature included in modern operating systems that protects against some program errors and helps prevent certain malicious exploits, and address space layout randomization (ASLR) [2], which provides protection from buffer overflow attacks.
Keywords: Zero Day Attack, DEP, ASLR, Honey Pot, Cyber Security
I. INTRODUCTION
A. What is zero-day Vulnerability?
A zero day vulnerability refers to a hole in software that is unknown to the vendor. This security hole is then exploited by hackers before the vendor becomes aware of it and hurries to fix it; this exploit is called a zero day attack. Uses of zero day attacks can include infiltrating (secretly becoming part of an organization with) malware or spyware, or allowing unwanted access to user information. The term “zero day” refers to the unknown nature of the hole to those outside of the hackers, specifically the developers. Once the vulnerability becomes known, a race begins for the developer, who must protect users. In order for the vendor to rectify the vulnerability, the software company must release a patch. Often patches are released on a regular basis, one example being Microsoft’s patch cycle: on the second Tuesday of each month, Microsoft releases security fixes that resolve identified holes. If, however, a critical vulnerability is discovered, a patch may be released outside of the schedule. Zero-day attacks, new (anomalous) attacks exploiting previously unknown system vulnerabilities, are a serious threat. Defending against them is no easy task. However, having identified “degree of system knowledge” as one difference between legitimate and illegitimate users, theorists have drawn on information theory
We live in a rapidly changing world; one of the forces driving change is the phenomenal increase in information available via the Internet. An additional challenge is controlling information access. Denning discusses the problem, partitioning it into three categories commonly called CIA [3]. In summary, they are:
1) Confidentiality
Information is available only to authorized users, in an approved manner and at approved times.
2) Integrity
Information comes only from trusted sources, without repudiation, and can be guaranteed not to have been altered. This serves as a basis for intrusion detection.
3) Availability
Availability refers to the availability of information. Unsurprisingly, information only has value if the right people can access it at the right times. Denying access to information has become a very common attack nowadays; almost every day you can find news about high-profile websites being taken down by zero day attacks. How does one ensure data availability? Backup is key.
B. Types of Worm
Nimda worm.
Slammer worm.
4) Nimda worm
Nimda [4] is a computer worm and also a file infector. It spread quickly, surpassing the economic damage caused by previous outbreaks such as Code Red. Nimda utilized several types of propagation techniques, and this caused it to become the Internet’s most widespread virus/worm within 22 minutes. It infected via:
Email.
Open network shares.
Browsing of compromised web sites.
Web server attacks.
C. Slammer worm
SQL Slammer [5] is a computer worm that caused a denial of service on some Internet hosts and dramatically slowed down general Internet traffic. The worm infected more than 90 percent of vulnerable hosts within 10 minutes, causing significant disruption to financial, transportation, and government institutions and precluding any human-based response.
First International Conference on Advances in Computing & Communication Engineering (ICACCE-2014)
II. STUDY OF ZERO DAY ATTACK OVER A PERIOD
The unexpected nature of zero-day threats is a
serious concern, especially because they may be used in
targeted attacks and in the propagation of
malicious code.
A. Methodology
Zero-day vulnerabilities are a sub-set of the total number of vulnerabilities documented over the reporting period. A zero-day vulnerability is one that appears to have been exploited in the wild prior to being publicly known. It may not have been known to the affected vendor prior to exploitation and, at the time of the exploit activity, the vendor had not released a patch. The data for this section consists of the vulnerabilities that Symantec has identified that meet the above criteria.
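The two criteria stated above (exploited in the wild before public disclosure, and no vendor patch at the time of the exploit activity) can be applied mechanically to a set of vulnerability records. The following Python is an added example written for this edit, not code or data from the paper or from Symantec: the record fields, the sample ids and all dates are constructed, and the exposure-window helper measures the gap between first exploitation and patch that the paper later calls the window of vulnerability.

```python
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional


@dataclass
class VulnRecord:
    """One documented vulnerability (hypothetical fields, constructed for this example)."""
    vuln_id: str
    first_exploited: Optional[date]  # earliest in-the-wild exploitation seen; None if never
    public_disclosure: date          # date the flaw became publicly known
    patch_released: Optional[date]   # vendor patch date; None while unpatched


def is_zero_day(rec: VulnRecord) -> bool:
    """Apply the paper's criteria: exploited in the wild before it was publicly known,
    and no vendor patch existed at the time of that exploit activity."""
    if rec.first_exploited is None:
        return False
    exploited_before_disclosure = rec.first_exploited < rec.public_disclosure
    unpatched_at_exploit = (rec.patch_released is None
                            or rec.first_exploited < rec.patch_released)
    return exploited_before_disclosure and unpatched_at_exploit


def exposure_window_days(rec: VulnRecord, as_of: date) -> int:
    """Days the flaw was exploitable without a patch: from first exploitation (or,
    if never exploited, from disclosure) until the patch, or until as_of if unpatched."""
    start = rec.first_exploited or rec.public_disclosure
    end = rec.patch_released or as_of
    return max((end - start).days, 0)


def zero_days_per_year(records: List[VulnRecord]) -> Dict[int, int]:
    """Count zero-day vulnerabilities by year of first exploitation (a Fig. 1 style tally)."""
    counts: Dict[int, int] = {}
    for rec in records:
        if is_zero_day(rec):
            year = rec.first_exploited.year
            counts[year] = counts.get(year, 0) + 1
    return counts


# End of the (constructed) reporting period used to measure still-open windows.
REPORT_END = date(2011, 12, 31)

# Constructed sample records; ids and dates are invented, not Symantec data.
SAMPLE_RECORDS = [
    VulnRecord("VULN-A", date(2010, 6, 1), date(2010, 7, 15), date(2010, 8, 2)),      # zero-day
    VulnRecord("VULN-B", date(2011, 3, 10), date(2011, 3, 1), date(2011, 3, 8)),      # exploited after the patch
    VulnRecord("VULN-C", date(2011, 9, 5), date(2011, 9, 20), None),                  # zero-day, still unpatched
    VulnRecord("VULN-D", None, date(2011, 5, 1), date(2011, 5, 1)),                   # never exploited
    VulnRecord("VULN-E", date(2010, 11, 18), date(2010, 11, 20), date(2010, 12, 14)), # zero-day
]

if __name__ == "__main__":
    for rec in SAMPLE_RECORDS:
        print(rec.vuln_id, is_zero_day(rec), exposure_window_days(rec, REPORT_END))
    print(zero_days_per_year(SAMPLE_RECORDS))
```

VULN-B illustrates the distinction the paper draws between a zero-day and an ordinary exploited vulnerability: the exploit activity started after both disclosure and patch, so it is counted among the documented vulnerabilities but not in the zero-day subset.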
Volume of zero–day vulnerabilities 2006-2011
Fig. 1: Zero Day Vulnerabilities Identified in 2011
B. Commentary
2011 produced the lowest number of zero day vulnerabilities in the past 6 years. There was a 43% drop in vulnerabilities seen in 2011 compared with 2010. However, the number of vulnerabilities seen in 2010 was somewhat inflated due to W32.Stuxnet, which itself contributed four of the zero day vulnerabilities seen in that year.
There was only one zero day browser vulnerability seen in 2011, a drop of 3 from 2012; this corresponds with the overall drop in browser vulnerabilities seen in 2010. While browser vulnerabilities continue to be attractive for attacks, increased security built into browsers has made it more difficult for attackers to create reliable exploits. Examples of these security features are address space layout randomization (ASLR) and data execution prevention (DEP).
While the overall number of zero day vulnerabilities is down, attacks using these vulnerabilities continue to be successful. The majority of these vulnerabilities are leveraged in targeted attacks. Adobe Flash and Reader vulnerabilities are widely used in targeted attacks and account for 50 % of the zero day vulnerabilities seen in.
5) Techniques
There are several methods to detect zero day attacks:
Honeypot method,
Network-based signatures,
Vulnerability-based signatures,
Linear Data Transformation Techniques,
Vaccination system.
We can increase the warning time for a zero day attack to minimize the impact and losses. Worminator addresses two broad areas:
Perimeter detection and early warning of potential worm propagations and precursors to zero day attacks against a secured site;
The impact on network anomaly detection systems to discover potential new malicious attacks that have pierced the perimeter defences, including automating the generation of zero day attack signatures.
The key requirement for these pursuits is a distributed set of sensors that can accurately detect stealthy reconnaissance activities.
C. Distributed sensors
Attackers perform port scanning and probing. Recon is a distributed sensor which includes a watch list; the watch list stores detected IPs and is used to predict future attacks, so it might provide early warning capabilities.
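The watch-list idea above can be shown end to end: several sensors at different sites each watch for reconnaissance (a port scan against one host, an address scan of one port across many hosts), publish the sources they flag to a shared watch list, and raise an early warning when a source already flagged at another site shows up. The Python below is an added example for this edit, not Recon or Worminator code; the class and function names, the thresholds and the sixty-second window are my assumptions, and the connection records are constructed. The same scan checks also cover the "behaviour analysis" capability (port scans, address scans) listed later in the zero day protection section.

```python
from collections import defaultdict
from typing import Dict, List, Tuple

# Assumed detection parameters (not from the paper).
PORT_SCAN_THRESHOLD = 5      # distinct ports tried on one host within the window
ADDRESS_SCAN_THRESHOLD = 5   # distinct hosts tried on one port within the window
WINDOW_SECONDS = 60


class WatchList:
    """Shared store of source IPs that any sensor has flagged (the paper's watch list)."""

    def __init__(self) -> None:
        self.entries: Dict[str, dict] = {}   # ip -> {"reason", "sensor", "first_seen"}

    def add(self, ip: str, reason: str, sensor_id: str, ts: int) -> None:
        # Keep the first detection; later sensors only consult it.
        self.entries.setdefault(ip, {"reason": reason, "sensor": sensor_id, "first_seen": ts})

    def flagged_by(self, ip: str):
        entry = self.entries.get(ip)
        return entry["sensor"] if entry else None


class ReconSensor:
    """One site's sensor: keeps a sliding window of connection attempts per source."""

    def __init__(self, sensor_id: str, watch_list: WatchList) -> None:
        self.sensor_id = sensor_id
        self.watch_list = watch_list
        self.recent: Dict[str, List[Tuple[int, str, int]]] = defaultdict(list)

    def observe(self, ts: int, src: str, dst: str, port: int) -> List[Tuple[str, str, str]]:
        alerts = []
        # Early warning: this source was already flagged by a different sensor.
        flagged_by = self.watch_list.flagged_by(src)
        if flagged_by is not None and flagged_by != self.sensor_id:
            alerts.append((self.sensor_id, "early-warning", src))
        # Slide the window and record this attempt.
        window = [e for e in self.recent[src] if ts - e[0] <= WINDOW_SECONDS]
        window.append((ts, dst, port))
        self.recent[src] = window
        if flagged_by is not None:
            return alerts   # already on the watch list; no need to re-flag
        ports_on_dst = {p for _, d, p in window if d == dst}
        hosts_on_port = {d for _, d, p in window if p == port}
        if len(ports_on_dst) >= PORT_SCAN_THRESHOLD:
            self.watch_list.add(src, "port-scan", self.sensor_id, ts)
            alerts.append((self.sensor_id, "port-scan", src))
        elif len(hosts_on_port) >= ADDRESS_SCAN_THRESHOLD:
            self.watch_list.add(src, "address-scan", self.sensor_id, ts)
            alerts.append((self.sensor_id, "address-scan", src))
        return alerts


# Constructed connection attempts: (sensor_id, timestamp_seconds, src_ip, dst_ip, dst_port).
EVENTS = [
    ("sensor-A", 100, "198.51.100.7", "10.0.1.5", 22),
    ("sensor-A", 101, "198.51.100.7", "10.0.1.5", 23),
    ("sensor-A", 102, "198.51.100.7", "10.0.1.5", 80),
    ("sensor-A", 103, "198.51.100.7", "10.0.1.5", 443),
    ("sensor-A", 104, "198.51.100.7", "10.0.1.5", 3306),   # fifth port: port scan
    ("sensor-A", 105, "198.51.100.7", "10.0.1.5", 8080),
    ("sensor-A", 110, "192.0.2.10", "10.0.1.5", 443),      # ordinary client
    ("sensor-B", 200, "203.0.113.9", "10.0.2.1", 445),
    ("sensor-B", 201, "203.0.113.9", "10.0.2.2", 445),
    ("sensor-B", 202, "203.0.113.9", "10.0.2.3", 445),
    ("sensor-B", 203, "203.0.113.9", "10.0.2.4", 445),
    ("sensor-B", 204, "203.0.113.9", "10.0.2.5", 445),     # fifth host: address scan
    ("sensor-B", 300, "198.51.100.7", "10.0.2.9", 445),    # site A's scanner appears at site B
]


def run_sensors(events):
    """Replay events in time order through per-site sensors sharing one watch list."""
    watch = WatchList()
    sensors: Dict[str, ReconSensor] = {}
    alerts = []
    for sensor_id, ts, src, dst, port in sorted(events, key=lambda e: e[1]):
        sensor = sensors.setdefault(sensor_id, ReconSensor(sensor_id, watch))
        alerts.extend(sensor.observe(ts, src, dst, port))
    return watch, alerts


if __name__ == "__main__":
    watch, alerts = run_sensors(EVENTS)
    for alert in alerts:
        print(alert)
    print(sorted(watch.entries))
```

The early warning at sensor-B fires on the very first packet from 198.51.100.7, before that source has done anything suspicious at site B; that is the predictive value the paper attributes to the watch list, and it only exists because the list is shared between sensors.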
D. Zero day protection
A zero day attack exploits vulnerabilities, and by exploiting these vulnerabilities attackers can enter your network to execute code. In the worst case, an attacker can exploit these flaws to gain complete control of a victim’s computer.
To be protected from malicious zero day threats, you must have proactive zero day defences already in place when the attack is launched. You get this critical level of protection with the Firebox family [6].
Zero day protection means being protected against a new and unknown threat during the window of vulnerability timeframe.
True zero day protection is built into the Firebox: the intelligent layered security architecture of the Firebox X combines key security capabilities able to defend against whole classes of attacks. Some of these capabilities include:
6) Protocol anomaly detection
Protocol anomaly detection: blocks malicious traffic that does not conform to established protocol standards.
Pattern matching: flags and removes high-risk files, such as scripting files, viruses, spyware, and Trojans, from the system by fully inspecting the entire packet.
Behaviour analysis: identifies and stops traffic from hosts exhibiting suspicious behaviours, including DoS and DDoS attacks, port scans, and address scans.
What signatures bring to a security solution: some vendors make zero day claims, but in reality their security solutions rely solely on signature-based scanning.
Signature-based security technologies fingerprint each new attack as it emerges, so protection comes when this fingerprint, or signature, is added to the system. This is not zero day protection. By their nature, signatures are reactive; they cannot protect against new, previously unknown attacks until an update is available.
Signature-based scanning provides a granular layer of protection against spyware, viruses, worms, Trojans, and blended threats by identifying known malicious code within benign-looking traffic and files. But this technique is only one piece of a complete solution. You need zero day protection combined with robust signature-based scanning to have comprehensive Unified Threat Management [7].
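The contrast between reactive signatures and protocol anomaly detection is easiest to see with both engines run over the same traffic. The Python below is an added example for this edit, not Firebox or WatchGuard code: it scans HTTP request lines with a small signature table and, separately, with a set of conformance checks (request-line grammar, known methods, printable bytes, a URI length limit). The signature strings, the limits and all request lines are constructed placeholders, not real exploit patterns.

```python
import re
from typing import Dict, Optional, Tuple

# Constructed "known attack" signatures; placeholder strings, not real exploit payloads.
KNOWN_SIGNATURES: Dict[str, bytes] = {
    "EXAMPLE-EXPLOIT-1": b"/known-exploit-v1?cmd=",
    "EXAMPLE-EXPLOIT-2": b"/cgi-bin/known-exploit-v2",
}

# Assumed protocol conformance rules for an HTTP request line.
ALLOWED_METHODS = {b"GET", b"POST", b"HEAD", b"PUT", b"DELETE", b"OPTIONS"}
MAX_URI_LENGTH = 2048
REQUEST_LINE = re.compile(rb"^([A-Z]+) (\S+) HTTP/(\d)\.(\d)$")


def signature_match(request_line: bytes, signatures: Dict[str, bytes]) -> Optional[str]:
    """Pattern matching: return the name of the first known signature found, else None."""
    for name, pattern in signatures.items():
        if pattern in request_line:
            return name
    return None


def protocol_anomaly(request_line: bytes) -> Optional[str]:
    """Protocol anomaly detection: describe the first way the request line breaks
    the expected HTTP grammar, or return None if it conforms."""
    # Checked first: the regex below would otherwise accept control bytes inside \S+.
    if any(b < 0x20 or b > 0x7E for b in request_line):
        return "non-printable byte in request line"
    m = REQUEST_LINE.match(request_line)
    if m is None:
        return "request line is not METHOD SP URI SP HTTP/x.y"
    method, uri, _major, _minor = m.groups()
    if method not in ALLOWED_METHODS:
        return "unknown method " + method.decode()
    if len(uri) > MAX_URI_LENGTH:
        return "URI length %d exceeds %d" % (len(uri), MAX_URI_LENGTH)
    if not uri.startswith(b"/") and uri != b"*":
        return "URI is not an absolute path"
    return None


def signature_only(request_line: bytes, signatures: Dict[str, bytes]) -> str:
    """A purely signature-based engine: blocks only what has already been fingerprinted."""
    return "blocked-signature" if signature_match(request_line, signatures) else "allowed"


def layered(request_line: bytes, signatures: Dict[str, bytes]) -> Tuple[str, Optional[str]]:
    """Signatures plus protocol anomaly detection, as in the layered design the text describes."""
    sig = signature_match(request_line, signatures)
    if sig:
        return "blocked-signature", sig
    anomaly = protocol_anomaly(request_line)
    if anomaly:
        return "blocked-anomaly", anomaly
    return "allowed", None


# Constructed request lines: one benign, one matching a known signature, and three
# "novel" ones for which no signature exists yet.
REQUESTS: Dict[str, bytes] = {
    "benign": b"GET /index.html HTTP/1.1",
    "known": b"GET /known-exploit-v1?cmd=id HTTP/1.0",
    "novel-binary": b"POST /upload\x00\x01\x02 HTTP/1.1",
    "novel-overlong": b"GET /" + b"A" * 3000 + b" HTTP/1.1",
    "novel-method": b"XYZ /index.html HTTP/1.1",
}


def evaluate(signatures: Dict[str, bytes]) -> Dict[str, Tuple[str, str]]:
    """Verdict of each engine per request: (signature-only verdict, layered verdict)."""
    return {name: (signature_only(req, signatures), layered(req, signatures)[0])
            for name, req in REQUESTS.items()}


if __name__ == "__main__":
    for name, verdicts in evaluate(KNOWN_SIGNATURES).items():
        print(name, verdicts)
```

With only the signature engine, the three novel requests are allowed through until someone writes and deploys a signature for them; the layered result blocks them immediately because each violates the protocol grammar. The signature engine still has its place: the "known" request is a perfectly well-formed HTTP request line that the anomaly checks accept, and only the signature catches it.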
7) The window of vulnerability
Signature-based solutions block what has already been identified. Your network is still exposed from the time a new exploit has been launched until a signature or patch is developed and then deployed.
Considering the speed and destructiveness of today’s attacks, even a few minutes without protection can be devastating. The reality is that it can sometimes be hours, days, even weeks before a signature or patch is developed and deployed, making this window of vulnerability every IT manager’s nightmare.
III. CONCLUSION
Zero day attacks can be found and prevented by a comparative study of the above methods and by finding the complexity of the above methods. The scope of this paper will be to show the advantage of a zero day prevention method using C# for automatic worm detection purposes, and to show how it can be complexity-effective and also provide higher performance. This prevention method can help improve the performance of the system by helping the worm detectors without knowing the attackers and hackers. Analyzing the performance of various methods of detecting zero day attacks, and comparing the complexity of the other methods. Measuring the performance of the zero day attack method against the performance of other detecting methods. Implementing the zero day attack method using NAT () [8] software, using mathematical logic and the C# language.
REFERENCES
[1] http://en.wikipedia.org/wiki/Data_Execution_Prevention
[2] http://en.wikipedia.org/wiki/Address_space_layout_randomization
[3] http://security.blogoverflow.com/2012/08/confidentiality-integrity-availability-the-three-components-of-the-cia-triad/
[4] http://dpnm.postech.ac.kr/research/04/nsri/papers/010919-Analysis-Nimda.pdf
[5] http://cseweb.ucsd.edu/~savage/papers/IEEESP03.pdf
[6] http://www.watchguard.com/products/zeroday.asp
[7] http://en.wikipedia.org/wiki/Unified_threat_management
[8] Constantin Musca, Emma Mirica, Razvan Deaconescu, “Detecting and Analyzing Zero-day Attacks using Honeypots”, Department of Computer Science and Engineering, University “Politehnica” of Bucharest, {constantin.musca, emma.mirica}@cti.pub.ro, razvan.deaconescu@cs.pub.ro