International Journal of Applied Engineering Research ISSN 0973-4562 Volume 14, Number 15, 2019 (Special Issue)

© Research India Publications. http://www.ripublication.com

Design and Analysis of a Hybrid Security Framework for Zero-Day Attack

Author 1
Dehkontee Chea Cuppah
Research Scholar, Department of Computer Science and Applications,
Bangalore University, Jnanabharathi Campus,
560056, Bangalore, India.

Author 2
Ambrish G.
Guest Faculty, Department of Computer Science and Applications,
Bangalore University, Jnanabharathi Campus,
560056, Bangalore, India.

Author 3
Dr. M. Hanumanthappa
Chairperson, Department of Computer Science and Applications,
Bangalore University, Jnanabharathi Campus,
560056, Bangalore, India.

and these devices or software may include unexpected

Abstract vulnerabilities that widely accepted or well-known security
The greatest threats against computer systems around the world methods may not be able to identify thus compromising the
come from the cyberspace in the form of cyber-attacks and the systems overall security.
zero-day attack is one of such threats faced by computer Some security personnel based the security level of their system
systems around the world. A vulnerability in system firmware, on the number of vulnerabilities they have identified and the
software, or hardware that is still unknown to the developers or
Intrusion detection system they have in place and this action
people responsible for it is known as zero-day vulnerability. A
zero-day attack is an attack by hackers in which zero-day leaves their systems defenseless as the security of a system goes
exploits are applied on a zero-day vulnerability in system beyond identified vulnerabilities and having an intrusion
firmware, software or hardware before specific security and detection system in place. A system that is susceptible to zero-
preventive mechanisms can be identified and set for such day attacks cannot be considered secure. Zero-day attacks are
vulnerability. This kind of attack is very challenging to defend more dangerous to a system than most attacks as it exploits
against because those responsible for the security of such unknown vulnerabilities in the system. The zero-day attack can
vulnerabilities are unaware of it. Zero-day attacks have been
cause grave harm throughout the system as the patches to cover
taking a serious upward surge of late and identifying such
attacks in real time and quarantining it before it causes more the vulnerabilities being exploited are unavailable. Due to the
damages to the system is a big problem that computer security less predictable nature of these vulnerabilities, the security risk
personnel are faced with. This research will seek to identify level associated with it can be difficult to measure.
ways in which zero-day attacks can be identified in real time by
using a hybrid model that will be proposed. The Signature As indicated by the 2014 Internet Security Report [1] from
based defense technique and the Behavior based defense
Symantec, 2013 presented more zero-day vulnerabilities than
technique are two current security methods that have been
identified and this paper will analyze these methods in any earlier year and that the 23 zero-day vulnerabilities that
individually and try to find a way in which they can be were identified represented an increase of 61 percent when
combined to form a proposed hybrid model. compared to 2012 and are more than the two earlier years
consolidated.
Keywords: Zero-day exploits, Zero-day attack, Zero-day In 2014, upward surge of zero-day vulnerabilities from the
Vulnerability, Zero-day Vulnerability. previous year came to a standstill as only 24 attacks (up from
23 from 2013) were reported but in the period between 2015
Introduction
and October 2016, the zero-day vulnerabilities exploded
As the world is transitioning to a global village, the usage of greatly as a whopping 137 vulnerabilities were identified and
network services and devices has grown rapidly over the years reported.
and such usage also comes with great security challenges. On a
regular basis, computer systems face new security challenges
as new devices and software are introduced into the systems

Page 140 of 144

International Journal of Applied Engineering Research ISSN 0973-4562 Volume 14, Number 15, 2019 (Special Issue)
© Research India Publications. http://www.ripublication.com

As indicated by the 2016 Internet Threat Report [2] from Definition of terms
Symantec. targeted attacks have increased by 125 percent from i. Zero-day attack: an attack by hackers in which zero-
the year before 2015. Each week, on average, a new zero - day day exploits are applied on a zero-day vulnerability in system
vulnerability was found in 2015 firmware, software or hardware before specific security and
A zero-day attack is an attack by hackers in which zero-day preventive mechanisms can be identified and set for such
exploits are applied on a zero-day vulnerability in system vulnerability.
firmware, software or hardware before specific security and ii. Zero-day exploit: an exploit that is meant to trigger a
preventive mechanisms can be identified and set for such zero-day vulnerability to gain access to a target system.
vulnerability. iii. Zero-day Vulnerability: a vulnerability in system
With the current traditional security mechanisms that are in firmware, software, or hardware that is still unknown to the
place, it is very difficult to detect zero-day attacks in real time developers or people responsible for it.
as these mechanisms focus on already known signatures of
malware and being that there are no signatures associated with Literature Review
zero-day attacks, they will not be detected. Exploits can go
An attack that exploits the unknown vulnerability in a system
months or years before they can be identified, and this gives the
is called zero-day attack. It takes advantage of this identified
attacker enough time to cause a lot of harm to the system. Using vulnerability before a patch can be developed by the vendor.
information obtained from the Zero-day danger report [3] from The most dangerous attacks that are more difficult to detect,
FireEye Security, cybercrime discovered vulnerabilities remain according to Kaur & Singh [4], are polymorphic worms that
unknown to the public for an average of 310 days, including show distinct behaviors and worms pose a serious threat to
software vendors. network security. These worms have been rapidly propagating
Defending against an unknown vulnerability is a very difficult and increasingly threatening Internet hosts and services by
exploiting unknown vulnerabilities, and on each new infection
task and although there are security mechanisms like antivirus,
they can also change their own representations.
Intrusion Detection Systems and Intrusion Prevention Systems,
and continuous upgrade and patching of software, it is still
difficult to mitigate zero-day attacks.
As it relates to the categorization of vulnerabilities, Joshi et al.
Figure 1 shows the timeline of zero-day attack from the [5] evaluates some of the prominent taxonomies and this
assessment helps to properly categorize the vulnerabilities
discovery of the vulnerability to the time it is patched.
present in the network system environment and proposes a five
- dimensional vulnerability categorization approach [6] with
vector attack, defense, vulnerability exploitation methodology,
vulnerability impact on the system, and the target of attack. For
the identification and assessment of vulnerabilities, there are a
lot of tools available and the selection of any one of those tools
is important in the security of a network but the downside to
these tools is that they don't detect zero-day vulnerabilities as
these vulnerabilities are not known yet.
Zhichun Li et al [7] proposed for polymorphic worms an attack
– resilient, noise - tolerant and fast network - based automated
signature generation system called Hamsa; which enables the
signature generation algorithm to provide analytical assault
resilience guarantees.
Figure 1: Zero-Day attack Timeline

With most current security mechanism being powerless against CURRENT DEFENSES AGAINST ZERO-DAY
the zero-day exploit, this research paper will analyze danger ATTACKS
associated with zero-day attacks and propose a hybrid model
that will not only seek to identify zero-day attacks but also All networks that are connected to the have a common threat of
zero-day attacks. Some of the reasons behind these attacks are
defend against it in real time. This proposed model will use the
stealing confidential information, disruption of activities on the
behavior-based detection technique and the signature-based system or monitoring the target's network. In this section, some
detection technique to detect vulnerabilities that are known and of the major defense techniques that are currently being used to
unknown. Lastly, the paper will make a recommendation on defend against zero-day attacks by organizations will be
some practical steps that should be followed to reduce the analyzed in-depth.
occurrence of zero-day attacks.

Page 141 of 144

International Journal of Applied Engineering Research ISSN 0973-4562 Volume 14, Number 15, 2019 (Special Issue)
© Research India Publications. http://www.ripublication.com

Security personnel and researchers have broadly classified 4. Hybrid-based technique

these techniques into four (4) categories namely Statistical- The hybrid-based technique can be obtained from the
based technique, Signature-based technique, Behavior-based combination of any of the three above-listed defense
technique, and Hybrid Technique. techniques. The aim of combination either two or all the
above-listed techniques is to use the strengths of one to
1. Statistical-based technique overcome the weaknesses of the other [4].
The statistical-based technique retains a log of all past This research paper will focus more on this technique.
zero-day exploits that are known, and it uses information
from this log to create profiles that generate new 1.2 RECENTLY IDENTIFIED ZERO-DAY
parameters to detect attacks. In simpler terms, this VULNERABILITIES
technique determines which network traffic or activities
to allow based on its past profile and which traffic or A zero-day attack is one of the biggest threats to network
activities to block. To do this, it must first determine systems around the world and some of the recently identified
which traffic is normal and which traffic is suspicious. zero-day attacks have served as a wakeup call that these attacks
Network traffic is matched against the log to verify if are now getting more sophisticated and can easily bypass
suspicious traffic is on it or not. The log must be updated network defenses thus making the detection and prevention of
regularly to record all suspicious traffic and the longer it zero-day attacks in real time very crucial [10].
is used on a network, the more effective and accurate it
becomes as it would have fully understood the traffic flow Some of the zero-day vulnerabilities that were detected in
of a network thus enabling it to determine normal recent years were mostly done by FireEye [11] and the ones
activities and suspicious activities [8]. The downside to they identified were:
this technique is that profiles that are created from
information on the log are static and cannot detect zero- Vulnerabilities
day attacks in real time if such an attack has not been CVE-2017-8759-SOAP WSDL parser code injection
saved on the log.

2. Signature-based technique CVE-2017-0261-EPS “restore” Use-After-Free

The signature-based technique is mostly used in software
packages for antivirus to defend a network or system from
malicious attacks in the form of worms or Trojan horse. The CVE-2017-0262-Type Confusion in EPS
signature library must be updated constantly with newly
CVE-2017-0263-win32k!xxxDestroyWindow Use-
identified virus signatures and for each time a new virus
After-Free
infection is detected or identified, the signature of such
virus is stored on the signature database and this signature CVE-2017-0199: In the Wild Attacks Leveraging
can now be matched against traffic coming into the HTA Handler
network. The signature-based detection technique is sub- CVE-2016-4117 Flash Zero-day Exploited in the Wild
divided into three categories [4] namely vulnerability- CVE-2016-0167 Microsoft Windows Zero-Day Local
driven signatures, content-based signature, and semantic- Privilege Escalation
based signatures. The downside to this technique is that the
CVE-2016-1019 Security Advisory for Adobe Flash
signature of the attack or payload needs to be in the
Player
signature library before the system can detect it and with
CVE-2015-6585 Hangul Word Processor
zero-day attacks not having known signatures, this
technique is not effective in defending against such attacks. CVE-2015-2545 MS Office, CVE-2015-2546 MS
Windows
3. Behavior-based technique Adobe Flash Zero-Day: CVE-2015-3113
The behavior-based technique tries to predict how the CVE-2015-1641
traffic on a network flow. The aim of this is to predict the CVE-2015-2424
network behavior in order to detect and prevent an CVE-2015-1701
anomalous behavior of network traffic on the network. The CVE-2015-1671
prediction done by the behavior-based technique can be CVE-2014-0322
achieved with the help of a machine learning approach that
analyses current and past network activities on the victim Internet Explorer 9 through 11 Exploit: CVE-2014-
machine, web server or server [9]. This is the only 1776
technique that can determine the major characteristics of CVE-2014-4148
viruses or worms by examining the byte patterns of the CVE-2014-4113
payload [4]. CVE-2014-0502
CVE-2014-4114

Table 1: Recently Identified Zero-day Vulnerabilities

Page 142 of 144

International Journal of Applied Engineering Research ISSN 0973-4562 Volume 14, Number 15, 2019 (Special Issue)
© Research India Publications. http://www.ripublication.com

Proposed Hybrid Model Benefits of the Signature-Behavior based Hybrid Model

Zero-day attacks can be carryout from the time the vulnerability • It strengthens the the signature-based technique and
is identified and exploited to the time the vendor develop a the behaviour-based technique by combining the advantages of
patch to secure the vulnerability and counter the attack. The the both techniques to minimize the disadvantages of each
length of time such an attack may last for cannot really be technique.
determined as it is difficult to determine when the vulnerability
• This technique will be able to detect zero-day attacks
was first identified.
in real-time and will also be able to manage it before major
The proposed framework will combine both the signature- harm is done.
based technique and the behaviour-based technique. It will be
Conclusion
used to monitor the traffic flow coming into the network to
determine whether such traffic contains malicious threats or All networks or software may have vulnerabilities, but the ones
not. hackers target are ones that are widely used or that will cause
Figure 2 shows the proposed system architecture and it will great impact. The weakest link to any network system is
consist of six (6) main components: A Packet acquisition through humans and most of the vulnerabilities that have been
module, Packet extraction, and disassembly module, analysis identified have either been in Adobe Flash or Internet Explorer
and evaluation module, signature generation, signature and these platforms are frequented mostly by employees of
matching, and behaviour analysis. organizations. Maintaining a secure network is difficult as
networks are dynamic and have lots of uncertainties, therefore
organizations should continuously seek new methods to defend
their network in order to prevent hackers from exploiting
vulnerabilities in the system. The proposed Signature-
Behaviour based hybrid technique will thoroughly scrutinize
any packet before allowing it into the network in real-time
using machine learning approach to identify the attacks and
does not require prior knowledge of the attack. Packets will be
broken down and be analysed individually and if an anomaly is
detected no matter how small, the entire traffic will be denied
from entering the system/network.

Conflict of Interest
The authors declare that there is no conflict of interest as it
Figure 2: Signature-Behaviour based hybrid technique relates to this paper.
Once new traffic flows into the network, the packet acquisition
module will collate all packet belong to the same flow and Acknowledgment
forward it to the extraction and disassembly module. Once it It is a great pleasure to express my gratitude to all those who
gets to this module, individual packets will be extracted and inspired and helped me in completing this paper.
disassembled and forwarded to the Analysis and Evaluation I would like to express my immense gratitude to Dr.
module. This module will use an Intrusion Detection Hanumanthappa M, Chairperson of the Department of
System/Intrusion Prevention System to perform a deep packet Computer Science and Applications, Bangalore University, for
inspection to identify any malware in the packets. Once this is his valuable assistance and co-operation.
done, the packets will be reassembled and forwarded for It is pleasure to thank Ambrish G. who has given me ideas and
signature generation. Once generated, the signature will then be guidance during the duration of the research.
matched against the signature database and if it does not match It is also pleasure to express my gratitude to all Teaching and
any signature in the database, the traffic will then be forwarded Non- Teaching staff members of Department of Computer
to the behaviour analysis module for traffic flow analysis by Science and Applications for their encouragement and
using Hidden Markov Model machine learning approach. If no providing valuable requirements.
anomaly is detected in the traffic, it will then be permitted to With a deep sense of indebtedness I convey my heartiest thanks
enter the network but if an anomaly is detected no matter how to my parents who have taken effort and given me such an
small, the traffic will be blocked from entering the network. opportunity to acquire knowledge and gain experience in my
life. As well as my friends who have helped for this
The objective of this model is to detect anomalities and isolate
accomplished task.
all malicious content to prevent it from entering the network.
This can only be achieved with the help of a machine learning
based malware detection which will be placed in the behaviour
analysis module.

Page 143 of 144

International Journal of Applied Engineering Research ISSN 0973-4562 Volume 14, Number 15, 2019 (Special Issue)
© Research India Publications. http://www.ripublication.com

References
[1] Symantec Corporation, “Internet security threat report"
Retrieved from
http://www.symantec.com/content/en/us/enterprise/other
_resources/b-istr_main_report_ v19_21291018.en-
us.pdf, 2014
[2] Symantec Internet Security Threat Report, Internet Report
Volume 21, APRIL 2016.
[3] FireEye Security, "ZERO-DAY DANGER: A Survey of
Zero-Day Attacks and What They Say About the
Traditional Security Model‖ ", 2015.
[4] Kaur, Ratinder.; Singh, Maninder., "Efficient hybrid
technique for detecting zero-day polymorphic worms,"
Advance Computing Conference (IACC), 2014 IEEE
International, pp.95-100, 21-22 Feb. 2014.
[5] Joshi, Chanchala; Singh, Umesh Kumar; Tarey, Kapil, “A
Review on Taxonomies of Attacks and Vulnerability in
Computer and Network System". International Journal of
Advanced Research in Computer Science and Software
Engineering (IJRCSSE) Volume 5, Issue 1, January 2015,
pp 742-747.
[6] Joshi, Chancala; Singh, Umesh Kumar "ADMIT- A Five-
Dimensional Approach towards Standardization of
Network and Computer Attack Taxonomies".
International Journal of Computer Application (IJCA,
0975 – 8887), Volume 100, Issue 5, August 2014, pp 30-
36
[7] Li, Zhichun; Sanghi, Manan; Chen, Yan; Kao, Ming-Yang;
Chavez, Brian, "Hamsa: Fast Signature Generation for
Zero-day Polymorphic Worms with Provable Attack
Resilience", Proceedings of the 2006 IEEE Symposium
on Security and Privacy (S&P'06).
[8] Albanese, Massimiliano; Jajodia, Sushil; Noel, Steven, "A
time-efficient approach to cost-effective network
hardening using attack graphs” in Proceedings of DSN'12,
2012, pp. 1– 12.
[9] Alosefer, Yaser; Rana, Omer F., "Predicting client-side
attacks via behavior analysis using honeypot data," Next
Generation Web Services Practices (NWeSP), 2011 7th
International Conference on Next Generation Web
Services Practices, pp.31,36, 19-21 Oct. 2011.
[10] Hammarberg, David, "The Best Defenses against Zero-
day Exploits for Various-sized Organizations", Retrieved
from https://www.sans.org/reading-
room/whitepapers/bestprac/defenses-zero-day-exploits-
various-sized-organizations-35562, 2014.
[11] FireEye Security, “Recent Zero-Day Exploits".
Retrieved from: https://www.fireeye.com/current-
threats/recent-zero-day-attacks.html

Page 144 of 144