A Novel Framework for Zero-Day Attacks Detection and Response with Cyberspace Mimic Defense Architecture

Title: A Novel Framework for Zero-Day Attacks Detection and Response with Cyberspace Mimic Defense Architecture
Publication Type: Conference Paper
Year of Publication: 2017
Authors: Liu, W., Chen, F., Hu, H., Cheng, G., Huo, S., Liang, H.
Conference Name: 2017 International Conference on Cyber-Enabled Distributed Computing and Knowledge Discovery (CyberC)
Keywords: Anomaly statistics and analysis, CMD architecture, composability, Cyberspace Mimic Defense, cyberspace mimic defense architecture, defense, distributed computing, executive module pool, feedback, honeypot, Intrusion detection and response, Knowledge discovery, Metrics, online redundant heterogeneous functionally equivalent modules, Predictive Metrics, pubcrawl, recurrent attack, relational databases, Resiliency, security of data, signature based defense, traditional defense methods, unknown zero-day attacks, Zero day attacks, Zero Day Attacks and Defense, zero-day attack related database, Zero-day attacks

In cyberspace, unknown zero-day attacks can create safety hazards, and traditional signature-based defense methods are ineffective against them. Based on the Cyberspace Mimic Defense (CMD) architecture, the paper proposes a framework to detect such attacks and respond to them. Each input is assigned to all online redundant, heterogeneous, functionally equivalent executive modules. Their independent outputs are compared, and the output held by the majority becomes the final response. Abnormal outputs can thus be detected, and so can the attack that caused them. Damaged executive modules that produced abnormal outputs are replaced with new ones from the diverse executive module pool. By analyzing the abnormal outputs, the correspondence between inputs and abnormal outputs can be built; inputs that lead to recurrent abnormal outputs are written into the zero-day attack related database, so that reusing them no longer works because the suspicious malicious inputs can be detected and processed. Further responses include IP blacklisting, patching, etc. The framework also uses a honeypot-like executive module to confuse the attacker. The proposed method can prevent recurrent attacks based on the same exploit.
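The abstract describes a detection-and-response loop: fan an input out to several heterogeneous executors, take the majority output as the response, treat dissenting executors as damaged and swap them for spares from the pool, and record inputs that repeatedly produce abnormal outputs in a zero-day attack related database so they are rejected before execution next time. The following simulation is an added example written for this entry; it is not the authors' code and does not reproduce their system. The executors, the "\x00" marker that makes the constructed faulty executors diverge, the recurrence threshold, and all names are assumptions chosen to make the loop observable.

```python
"""Constructed simulation of CMD-style majority voting, module replacement and
recurrent-input recording (example code, not from the paper)."""
from collections import Counter
from typing import Callable, Dict, List, Optional, Tuple

Executor = Callable[[str], str]


# Hypothetical functionally equivalent executors. All are supposed to return the
# stripped, upper-cased request; they differ only in implementation.
def executor_a(request: str) -> str:
    return request.strip().upper()


def executor_b(request: str) -> str:
    return "".join(ch.upper() for ch in request.strip())


def executor_c(request: str) -> str:
    # Constructed defect: a NUL byte in the input makes this module diverge,
    # standing in for a compromised or exploited executive module.
    if "\x00" in request:
        return "DIVERGENT"
    return request.strip().upper()


def executor_d(request: str) -> str:
    # Spare from the pool that happens to share the same constructed defect,
    # so the same input produces a recurrent abnormal output.
    if "\x00" in request:
        return "DIVERGENT-D"
    return request.strip().upper()


def executor_e(request: str) -> str:
    return request.strip().upper()  # clean spare


class MimicFramework:
    """Dispatch, vote, replace damaged modules, and record recurrent bad inputs."""

    def __init__(self, online: Dict[str, Executor], pool: List[Tuple[str, Executor]],
                 recurrence_threshold: int = 2) -> None:
        self.online = dict(online)
        self.pool = list(pool)
        self.threshold = recurrence_threshold
        self.abnormal_counts: Counter = Counter()   # input -> abnormal occurrences
        self.zero_day_db: set = set()               # inputs blocked before execution
        self.replacements: List[Tuple[str, Optional[str]]] = []

    def _replace(self, name: str) -> None:
        """Retire a dissenting module; bring in a spare if the pool has one."""
        del self.online[name]
        if self.pool:
            new_name, fn = self.pool.pop(0)
            self.online[new_name] = fn
            self.replacements.append((name, new_name))
        else:
            self.replacements.append((name, None))  # pool exhausted: run degraded

    def handle(self, request: str) -> Tuple[Optional[str], str, List[str]]:
        """Return (response, status, abnormal_module_names)."""
        if request in self.zero_day_db:
            return None, "blocked", []          # known bad input: never executed
        outputs = {name: fn(request) for name, fn in self.online.items()}
        majority, votes = Counter(outputs.values()).most_common(1)[0]
        if votes * 2 <= len(outputs):
            return None, "no_majority", list(outputs)  # cannot trust any output
        abnormal = [name for name, out in outputs.items() if out != majority]
        if not abnormal:
            return majority, "normal", []
        for name in abnormal:
            self._replace(name)
        self.abnormal_counts[request] += 1
        if self.abnormal_counts[request] >= self.threshold:
            self.zero_day_db.add(request)       # recurrent: write to the database
        return majority, "anomaly", abnormal


def build_framework() -> MimicFramework:
    return MimicFramework(
        online={"a": executor_a, "b": executor_b, "c": executor_c},
        pool=[("d", executor_d), ("e", executor_e)],
        recurrence_threshold=2,
    )


if __name__ == "__main__":
    fw = build_framework()
    for req in ["hello", "x\x00y", "x\x00y", "x\x00y", "hello"]:
        print(repr(req), fw.handle(req), "online:", sorted(fw.online))
```

Walking the constructed sequence through `handle` shows each stage: the first NUL-bearing request is outvoted, module `c` is retired and `d` takes its place; the second occurrence catches `d` with the same flaw, crosses the recurrence threshold and lands the input in `zero_day_db`; the third is refused without reaching any executor. Two design points worth noting: the majority test requires a strict majority (`votes * 2 > len(outputs)`), so a 1-1 split with only two survivors yields `no_majority` rather than a guessed answer, and the database here stores the raw input, whereas a deployment would store a normalized pattern or signature derived from the abnormal-output analysis so that trivial variants of the same input are also caught.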

Citation Key: liu_novel_2017