
International Journal of Applied Engineering Research ISSN 0973-4562 Volume 13, Number 12 (2018) pp. 10861-10870
© Research India Publications. http://www.ripublication.com

An Enhanced Framework for Identification and Risks Assessment of Zero-Day Vulnerabilities

Chanchala Joshi*, Umesh Kumar Singh** and Dimitris Kanellopoulos***

*Institute of Computer Science, Vikram University, Ujjain, M.P. India
**Institute of Computer Science, Vikram University, Ujjain, M.P. India
***Department of Mathematics, University of Patras, Greece

Abstract

Nowadays, highly-skilled attackers can find the vulnerabilities of many networked applications. Meanwhile, the risk of a data breach increases dramatically as long as a software or application vulnerability remains without a patch. By exploiting such a vulnerability (called a zero-day), hackers gain entry to the target network and can steal sensitive data. It is challenging to detect zero-days with traditional defenses because the signature information of zero-day attacks is unknown. Consequently, a novel security solution is required that will discover zero-day attacks and estimate the severity of the identified zero-day vulnerability. In our previous work [1], we proposed an approach for the discovery of unknown vulnerabilities. This paper enhances the previous approach by presenting a framework that constitutes an integrated approach for the detection and prioritization (based on likelihood) of zero-day attacks. The proposed framework follows a probabilistic approach for identification of the zero-day attack path and further ranks the severity of the identified zero-day vulnerability. It is a hybrid detection-based technique that detects unknown flaws present in the network that have not been detected yet. To evaluate the performance of the proposed framework, we adopted it in the network environment of the Vikram University campus, India. The framework is very promising, as experimental results showed a detection rate of 96% for zero-day attacks with a 0.3% false positive rate.

Keywords: Zero-day attacks • Exploit • Vulnerability analysis • Intrusion Detection • Attack graphs • AttackRank

INTRODUCTION

Current organizations and enterprises have taken great care to secure their networks. However, they are still at risk even with responsible and sustained investment in their defenses. This happens because attackers can bypass an organization's security through unknown vulnerabilities, which are not listed by security persons. In a well-guarded network, a loophole may be revealed by the persistent probing of a determined hacker. Attackers can leverage vulnerabilities which are present in the network configuration to penetrate the target network. A zero-day (0-day) is a software or application vulnerability that can be exploited by a threat actor to gain entry to a target network. In this way, hackers or attackers can steal sensitive information such as legal documents and enterprise data. Cyber criminals are increasing the success rate of attacks by finding and exploiting zero-day vulnerabilities. Regularly, the information about the vulnerability is not available until zero-day attacks have already taken place. As a result, it is difficult to identify and analyze attacks that use zero-day exploits. With a zero-day vulnerability in hand, a hacker has two possible choices:

• He may help the software vendor by providing him with information about the discovered vulnerability;
• He may sell the crucial information to a black market broker, who may further sell the identified exploit at the highest rate.

Zero-day exploits have an element of surprise as they are previously unrevealed; an attacker incorporates the zero-day exploit into their charted list of vulnerabilities and, once the penetration program process and payload are concocted, the attack is launched. In particular, attackers find a zero-day through hours, weeks or months of painstaking effort through lines of code, to find some weakness, some flaw that methodically barrages the target application, of which even the developers are not aware. Attackers can force the network to reveal a small crack in its defense that provides them access to secretly execute their code. This is how a network is breached through a zero-day attack.

Actually, there is no protection against a zero-day when the attacks are first observed. Traditional security approaches discover the vulnerabilities by generating signatures, but in the case of a zero-day, signature information is unknown. So, it is extremely difficult to detect zero-days with traditional defenses [2]. Attackers are highly-skilled and the discovered vulnerability can remain unknown to the public for months or even years. This fact provides attackers plenty of time to cause irreparable harm [3, 4]. According to FireEye [5], a typical zero-day attack may last for 310 days on average. Therefore, dealing with zero-days is clearly a challenging task. Fig. 1 shows the timeline of a zero-day vulnerability from discovery to patch.


Figure 1. Timeline of zero-day attack

In our previous work, we presented an approach towards the discovery of unknown vulnerabilities [1]. In this paper we enhance the previously proposed approach by presenting a layered architecture for the detection and risk analysis of zero-day attacks. The architecture consists of three layers:

(1) Zero-day attack path generator: The first layer is responsible for detecting the unknown vulnerability.
(2) Risk analyzer: The second layer is assigned to analyze the generated attack.
(3) Physical layer: The third layer consists of a centralized database and a centralized server that are used during the information processing of the first two layers.

This framework was designed to block attackers by examining known malware samples. The proposed framework follows a probabilistic approach for identification of the zero-day attack path and further ranks the severity of the identified zero-day vulnerability. Actually, it is a hybrid detection-based technique that detects unknown flaws present in the network that have not been detected yet. In particular, our framework performs the following tasks during two phases:

• During the first phase, an attack graph is built from the captured network scenario at any time stamp by leveraging the favorable attack conditions, collected from various information sources. These attack conditions represent the abnormal system and network activities that are noticed by security persons or security sensors (e.g., Intrusion Detection Systems).
• During the second phase, the nodes of the generated attack graph with higher risks of zero-day vulnerabilities are discovered. This task is accomplished by using an intelligent algorithm (called AttackRank) that ranks the severity of the identified zero-day vulnerability.

The contributions of the proposed framework are:

(1) This framework is the first integrated approach for the detection and prioritization (based on likelihood) of zero-day attacks.
(2) Known malicious packets are detected and filtered at the initial stage. This task significantly eases the handling of heavy network traffic and further avoids unnecessary payload.
(3) The proposed AttackRank algorithm measures the risks of the unknown, which helps in designing remediation plans.

The rest of this paper is organized as follows: In Section 2 we discuss related work, while in Section 3 we present our framework. In Section 4 we present the experimental setup, and in Section 5 we discuss the performance evaluation of our framework. Finally, Section 6 concludes the paper and gives directions for further research.

RELATED WORK

Vulnerabilities are the flaws in system configuration or in the network by which an attacker may gain entry to the target network [6]. Many frameworks have been developed for the identification and risk assessment of known vulnerabilities [7]. However, the discovery of unknown vulnerabilities is a big issue that is still unsolved. Some of the prominent methods to protect against zero-day attacks are classified as statistical-based, signature-based, behavior-based, and hybrid detection-based techniques [8].

• Statistical-based techniques generate attack profiles from past exploits that are now publicly known. From these known exploits, the historical exploit's profile parameters are updated to detect new attacks [9]. Statistical-based zero-day detection approaches [10] cannot be applied for real-time instantaneous detection and protection. They rely on static attack profiles, and thus require a manual modification of detection settings.
• Signature-based detection methods compile a library of different malware signatures. These signatures are cross-referenced with local files, network files, email or web downloads depending on the settings chosen by the user. These libraries are constantly being updated with new signatures that often represent the signatures


of newly exploited vulnerabilities [11]. Signature-based techniques are still broadly used, yet they need improvement to generate high-quality signatures.
• Behavior-based techniques sniff the essential characteristics of worms to predict the future behavior of a web server, server or victim machine in order to deny any behaviors that are not expected [12]. These techniques can predict the flow of network traffic.
• Hybrid-based techniques overcome the weaknesses of the above mentioned techniques by using various combinations of them [13]. It is noteworthy that Kaur and Singh [14] proposed a hybrid approach for the identification of zero-days, although it is applicable only to polymorphic worm detection.

In works [15], [16], the authors introduced an approach for measuring the risk level of vulnerabilities using a Hazard metric with the involvement of frequency [17] and impact [18] factors. However, measuring the risk level of zero-day attacks is like "measuring the immeasurable". Obviously, we cannot measure the severity of a vulnerability while it is not known. Therefore, we must consider the degree of exploitability while measuring the risks of a zero-day attack.

The proposed framework provides a method for zero-day detection and estimates the likelihood of the system being intruded by an attacker. Our framework assumes that "an attacker can only advance his attack position to a node that has connectivity and a vulnerability to be exploited". Furthermore, our framework is based on the link analysis algorithm [19] used for the personalized web, which measures the probability of a web page being visited by an anonymous web surfer. The idea behind the link analysis algorithm is that pages visited more often are more important and have a high probability of being visited. We follow the same approach when defining the AttackRank algorithm to rank the nodes in the attack graph in order of their intrusion likelihoods. The ranking determines which attack path is more vulnerable or requires more immediate attention for network protection.

ENHANCED FRAMEWORK FOR RISKS ASSESSMENT OF ZERO-DAY VULNERABILITIES

The architecture proposed in our previous work consists of three layers [1]: (1) Zero-day attack path generator; (2) Risk analyzer; and (3) Physical layer. Once the attack graph is generated, these layers execute their dedicated functionality in parallel. The parallel work of each layer improves the performance of our approach.

In this paper, we analyze the functionality of each layer.

Zero-day Attack Path Generator Layer

The aim of the Zero-day Attack Path Generator layer is to identify aberrant network behavior, in order to detect unknown vulnerabilities, which are rare to find and have high value. It detects unknown attacks and generates signatures for Snort by analyzing the incoming traffic.

In particular, it includes four main components:

(1) Snort anomaly detector;
(2) Attack-graph generator;
(3) Detection engine; and
(4) Zero-day attack path generator.

The network is initially filtered by the Snort Intrusion Detection/Prevention System, to block known attacks based on their signatures. In order to lure attackers, we placed a honeypot in our network with many common services running (like Apache, shared folders, etc.) in order to seem more valuable. Snort analyzes the traffic and performs filtering based on its signatures; the traffic is either dropped or passed, depending on whether it is malicious or not. The filtered traffic is then logged by the honeypot; the honeypot only captures the information and does not do any processing.

To capture intrusion propagation, the Attack Graph is built by capturing the network scenario at a specific timestamp. The attack graph is generated by sensing the anomalous behavior or abnormal activities of the network that are noticed by security persons or security sensors such as an IDS. These anomalies represent the probability of a host (node) being infected in the attack graph.

The Detection engine is implemented on another protected machine, which retrieves the information saved on the honeypot through a secure channel. The function of the Detection Engine is to sense malicious packets that may cause an exploit and whose signature is not previously defined in the Snort IDS/IPS. The Detection engine analyses the mysterious anomalous activities in the parsed attack-graph that could be an attack, and suspicious activities are preserved as zero-day exploits.

Fig. 3 shows how the zero-day attack path generator works.


Figure 3. Functioning of zero-day attack path generator layer of proposed framework

Parsing and Dependency Extraction through the Snort anomaly detector: The purpose of the Snort anomaly detector is to detect and filter known attacks from the captured network scenario. This task is achieved through parsing by defining a set of malicious behavior rules that are set up or configured by an administrator. By establishing a "good" network profile, it is easier to identify anonymous "bad" behavior. For this purpose, Snort 2.9.7.6 is programmed as an anomaly detector. Snort is used to detect and filter the known attacks by implementing a good network setup [20, 21]. When traffic flows through Snort, it is analyzed against the Snort rule-set; if the traffic turns out to be malicious, Snort filters it and does not let it pass. The packets that match the Snort profile are known attacks, and after storing their information in a centralized database, these packets are discarded. If the traffic does not match (packets that are partially matched or not matched) the rule-set defined in Snort, it flows through the network.

We placed a honeypot in our network alongside other systems, like several workstations that run different operating systems, servers and other hosts. The honeypot system logs information about the filtered traffic; the log is used by the Detection Engine to detect suspicious activity.

Attack Graph Generation: After filtering the known attacks through parsing, further analysis is done by the Snort tagger on the extracted mysterious packets which did not trigger any alert. Tagging packets is a way to continue logging packets from a session or host that generated an event in Snort [22]. Tagged traffic is logged to allow analysis of response codes and post-attack traffic. The function of the Snort tagger is to monitor the traffic, to tag the packets and to send them to the Detection engine for further analysis. The tagger creates a new identifier based on a 16-bit hash of a packet. The tag value and label for the filtered packet are stored in a table <Tag, Label> for later use. The Tag value is calculated from six attributes: {arvl_time, source_ip, destination_ip, source_port, destination_port, protocol}. The Tag value is stored for later use, and an attack graph of the extracted nodes (with mysterious conditions) is generated in this module.

Detection Engine: The parsing module is not able to respond to an unknown attack. Therefore, run-time analysis is performed by the Snort NIDS (Network Intrusion Detection


System) to monitor network traffic in order to detect suspicious activity (e.g., an attack or unauthorized activity). The Detection Engine receives the parsed packets, compares them with the existing "good" traffic, and detects unknown observations. The "good" traffic is the collection of traffic generated by safe machines on which all possible security mechanisms are applied. Security privileges and policies are defined for these safe systems and they do not participate in any malicious activity. A trust value has been assigned to the safe machines, based upon past experience. Algorithm 1 explains the operation of the detection engine.

Algorithm 1: Zero-day detection

procedure zero_day_detection
  for network_scenario in Network do
    if equals(packet_content, snort_rules) then
      drop current_packet;
    else
      preserved_filtered_packet := current_packet;
    end if
    tag := hash(preserved_filtered_packet(arvl_time, source_ip, destination_ip, source_port, destination_port, protocol));
    update_database(tag);
    tagged_packet := preserved_filtered_packet;
    if NOT isMalicious(tagged_packet) then
      capture good traffic network scenario from safe systems;
      extract features and update Snort NIDS database;
    else
      unknown := tagged_packet;
      insert unknown;
      update zero_day_database(unknown);
    end if
  end for
end procedure

Zero-day Attack Graph Generator: An attack graph estimates the probability of an attacker reaching his goal (a vulnerable host) in a network, i.e., it ranks the intrusion likelihoods. The ranking determines which attack path is more vulnerable or requires more immediate attention for network protection.

Risk Analyzer Layer

In our framework, in the first phase, an attack graph is built as chains of possible vulnerability exploits. An attack graph can help security persons to locate security flaws. In the second phase, we focus on ranking the nodes of the attack graph based on the likelihood of an attacker reaching these states. Such a ranking determines the most vulnerable attack paths that require immediate attention for security reasons. The proposed approach is based on the link analysis algorithm used for the personalized Web [19]. The idea behind using link analysis is that the link analysis algorithm measures the probability of a web page being visited by an anonymous web surfer. We follow this approach while measuring the likelihood of a vulnerability being exploited. Conceptually, the risk of vulnerability exploitability depends upon two factors: likelihood of exploit and impact. However, in the case of a zero-day we cannot measure the impact of the vulnerability because it was unknown and not exploited previously; hence we focus on the measurement of the likelihood of exploit, which actually defines whether a potential vulnerability can be successfully exploited. In order to find the probability of a node being vulnerable, we developed the AttackRank algorithm, which is described in the next section.

Along with AttackRank, for determining the exploitability of a vulnerability, we examine three prominent attributes of the severity matrix [23]: Attack Vector, Attack Complexity, and Authentication.

Attack Vector: The Attack Vector includes the difficulty values required to exploit a certain vulnerability from various access location points. For example, a hacker may exploit a certain vulnerability by accessing the target local network remotely. In this case, the exploitability value of the vulnerability will be high.

Attack Complexity: It indicates the level of effort required to exploit the vulnerability after access to the target point is gained. The values of attack complexity range between low, medium, and high. For example, a Denial of Service (DoS) attack in a target network has low complexity since the vulnerability can be exploited once an attacker gains access to the network. The lower the complexity is, the higher the exploitability will be.

Authentication: Authentication is defined to measure the number of privileges required (e.g., multiple instances, a single instance or no instance) before a network vulnerability can be exploited.

AttackRank Algorithm:

The proposed AttackRank algorithm measures the likelihood of exploit in the generated attack graph. AttackRank is based on the PageRank algorithm [24]. However, network attacker behavior differs from web surfer behavior: during an attack, an attacker has the option to continue or to quit attacking on the current path when, because of security privileges and policies, it is too hard to lead to his goal. In this situation the attacker backtracks, i.e., he starts over from one of the set of initial states to find an alternative path. On the other hand, a web surfer can randomly pick a web page to visit via its URL, while an attacker does not have the same freedom. Also, a web surfer can directly type a URL to reach the destination page, but an attacker requires multiple steps to


advance to an attack state in which the target system is completely down. However, we can simulate the structure of the web, containing web pages as nodes, with the network graph containing hosts as nodes. PageRank measures the rank of a page to be visited; in the same way, by means of the network graph we measure the likelihood of a vulnerability being exploited.

The AttackRank algorithm is based on the following assumption:

Assumption: "If the attacker dumps the current attack path, he will find an alternative path by back-tracking (from one of the set of previous states), and if he continues attacking, he will attempt each of the possible navigational states with a probability based on how hard its vulnerabilities can be exploited".

Based on this assumption, the AttackRank algorithm finds the frequency of exploit.

Algorithm 2: AttackRank algorithm for likelihood detection of exploit

procedure AttackRank(G(V, E))
  I: set of initial states ∈ V
  for each u, v ∈ V do
    if u ∈ in_link(v) then
      attackrank(v) := attackrank(in(u)) / out(v)
    else if v ∈ out(u) then
      attackrank(v) := 1 - (attackrank(in(u)) / out(v))
    else
      attackrank(v) := 1
    end if
  end for
end procedure

Physical Layer

The physical layer contains a centralized database and a centralized server used during the information processing involved in the first two layers. All of the information, along with the attack path, malicious or non-malicious activities, and known or unknown exploits, is stored in the database server of the physical layer. This database is continuously updated by the records in the audit network data repository that do not yet have any sort of context profile. The centralized database primarily contains the following six tables:

(1) Host table (tbl_host): This table contains details of all hosts present in the network (either up or down). The general structure of the host table is tbl_host (host_ip, host_name, mac_addr, prt_addr, status). Here, host_ip is the unique identifier for each host. In our network, we use the IPv4 format. Along with the IP, each host present in the network has a unique name, MAC address, port address and host status information. The status information contains a binary value that represents whether the host is alive or not.
(2) Snort Rule-set table (tbl_snort_rule-set): Snort rules logically have two parts: (rule_header, rule_option). The rule_header contains information about the action and the criteria for matching a rule against data packets. The general structure of the Snort Rule-set table is: tbl_snort_rule-set (action, protocol, source_ip, source_port, destination_ip, destination_port). The rule_option part usually contains an alert message and information about which part of the packet should be used to generate the alert message.
(3) WireShark Result table (tbl_packet_detail): After Snort parsing, the transferred packet traffic is analyzed by WireShark. Information about packets obtained by the WireShark packet sniffer is stored in this table. The general structure of this table is tbl_packet_detail (no, arrival_time, src_ip, dest_ip, protocol, length, info).
(4) Malicious Packet Detail table (tbl_malicious_packet): After analysis of tbl_packet_detail, good packets are dropped while suspicious packet information is filtered and stored in the temporary table tbl_malicious_packet. Information stored in this table is used further to update the Snort table.
(5) Vulnerable Host Path table (tbl_vuln_host): This table contains information about the vulnerable host route traced by Nmap.
(6) Zero-day Vulnerability table (tbl_unknown_vuln): It contains the information about the identified suspicious packets. The structure of this table is tbl_unknown_vuln (id, attack_vector, attack_complexility, privilege).

In our framework, the database server uses a MySQL database.

EXPERIMENTAL SETUP

To test the performance of our framework, we selected a group of 8 hosts playing miscellaneous roles. These hosts constitute the test-bed for our case study. Fig. 3 shows the structure of the test-bed, which is comprised of these hosts in diverse physical locations. In particular, the test-bed includes: a network server located at the academic block within the contact range of the firewall (208.91.191.121); a server located at the School of Engineering and Technology (128.168.1.4); and other machines.

Fig. 4 shows the experimental setup of the attack scenario. The attacker uses Kali Linux run on a virtual machine; an Ubuntu Metasploitable server is used as the honeypot system, which has many holes available for potential attackers; the web server runs on the Windows platform.
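The filtering, tagging and detection steps of the first layer (Algorithm 1 together with the six-attribute Tag value computed by the Snort tagger) can be followed end to end in the small Python model below. It is an added example, not the paper's implementation: the packets, the Snort-style rule and the "good" profile learned from the safe machines are constructed for the illustration, and SHA-256 truncated to two bytes stands in for the 16-bit hash, whose function the paper does not name.

```python
import hashlib

# The six attributes the Snort tagger hashes into the 16-bit Tag value.
TAG_FIELDS = ("arvl_time", "source_ip", "destination_ip",
              "source_port", "destination_port", "protocol")

# Constructed sample scenario (not traffic from the paper's test-bed).
SAMPLE_PACKETS = [
    {"arvl_time": 1.000, "source_ip": "10.0.0.5", "destination_ip": "10.0.0.20",
     "source_port": 51000, "destination_port": 80, "protocol": "tcp",
     "payload": b"GET /index.html HTTP/1.1\r\nHost: www\r\n\r\n"},
    {"arvl_time": 1.010, "source_ip": "10.0.0.7", "destination_ip": "10.0.0.20",
     "source_port": 51001, "destination_port": 80, "protocol": "tcp",
     "payload": b"GET /../../etc/passwd HTTP/1.1\r\nHost: www\r\n\r\n"},
    {"arvl_time": 1.020, "source_ip": "10.0.0.9", "destination_ip": "10.0.0.20",
     "source_port": 51002, "destination_port": 6667, "protocol": "tcp",
     "payload": b"NICK x\r\n"},
]
# Constructed Snort-style rule: header criteria (tbl_snort_rule-set columns)
# plus a content option; "any" or an absent field matches everything.
SNORT_RULES = [
    {"action": "drop", "protocol": "tcp", "destination_port": 80,
     "content": b"/etc/passwd"},
]
# "Good" profile learned from the safe machines: the (destination_port,
# protocol) pairs they are known to use (constructed).
GOOD_PROFILE = {(80, "tcp"), (22, "tcp"), (53, "udp")}


def packet_tag(pkt):
    """16-bit Tag derived from the six header attributes.

    Truncating SHA-256 to two bytes is this example's assumption. With only
    65,536 values collisions are possible, so the <Tag, Label> table is a
    lookup key for the tagger, not a unique packet identity.
    """
    key = "|".join(str(pkt[f]) for f in TAG_FIELDS).encode()
    return int.from_bytes(hashlib.sha256(key).digest()[:2], "big")


def matches_snort_rule(pkt, rule):
    """Minimal stand-in for Snort matching: header fields, then content."""
    for field in ("protocol", "source_ip", "destination_ip",
                  "source_port", "destination_port"):
        if rule.get(field, "any") != "any" and rule[field] != pkt[field]:
            return False
    return rule.get("content", b"") in pkt["payload"]


def zero_day_detection(packets, snort_rules, good_profile):
    """Follow Algorithm 1 over one captured network scenario.

    Known attacks (rule hits) are dropped; everything else is tagged and then
    compared with the good profile. Packets outside the profile are preserved
    as zero-day candidates. Returns (verdicts, tag_table, zero_day_db).
    """
    tag_table = {}                      # the <Tag, Label> table
    zero_day_db = []                    # tbl_unknown_vuln-style records
    verdicts = {"dropped": [], "good": [], "unknown": []}
    for pkt in packets:
        if any(matches_snort_rule(pkt, r) for r in snort_rules):
            verdicts["dropped"].append(pkt["source_ip"])    # known attack
            continue
        tag = packet_tag(pkt)
        if (pkt["destination_port"], pkt["protocol"]) in good_profile:
            tag_table[tag] = "good"     # its features would refresh the NIDS baseline
            verdicts["good"].append(tag)
        else:
            tag_table[tag] = "unknown"
            zero_day_db.append({"id": tag, "source_ip": pkt["source_ip"],
                                "destination_port": pkt["destination_port"],
                                "protocol": pkt["protocol"]})
            verdicts["unknown"].append(tag)
    return verdicts, tag_table, zero_day_db


def run_demo():
    """Run the constructed scenario through the pipeline."""
    return zero_day_detection(SAMPLE_PACKETS, SNORT_RULES, GOOD_PROFILE)


if __name__ == "__main__":
    verdicts, tag_table, zero_day_db = run_demo()
    print(verdicts)
    print(zero_day_db)
```

On the constructed scenario the traversal request is dropped by the rule, the ordinary web request is tagged and labelled good, and the connection to port 6667 is tagged and written to the zero-day table because no safe machine ever used that port. Note that the model, like the paper's pseudocode, never raises an alert on its own; it only sorts traffic into the three buckets that the Risk Analyzer layer consumes.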
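The following Python model is an added example of how the assumption behind Algorithm 2 can be computed as a PageRank variant; it is not the paper's implementation. Two of its choices are assumptions on my part: the "quit and start over" mass and the backtracking from a dead end are sent only to the initial states I, because an attacker cannot jump to an arbitrary host the way a surfer types a URL; and successors are weighted by a CVSS v2 exploitability sub-score built from the Attack Vector, Attack Complexity and Authentication attributes, which is how I read the severity matrix cited as [23]. The attack graph and its scores are constructed.

```python
# CVSS v2 exploitability weights, assumed to be the "severity matrix" the
# paper cites for Attack Vector, Attack Complexity and Authentication.
ATTACK_VECTOR = {"local": 0.395, "adjacent": 0.646, "network": 1.0}
ATTACK_COMPLEXITY = {"high": 0.35, "medium": 0.61, "low": 0.71}
AUTHENTICATION = {"multiple": 0.45, "single": 0.56, "none": 0.704}


def exploitability_score(attack_vector, attack_complexity, authentication):
    """CVSS v2 exploitability sub-score: 20 * AV * AC * Au, in 0..10."""
    return (20.0 * ATTACK_VECTOR[attack_vector]
            * ATTACK_COMPLEXITY[attack_complexity]
            * AUTHENTICATION[authentication])


def attack_rank(graph, initial, exploitability, damping=0.85,
                max_iter=200, tol=1e-12):
    """Rank attack-graph nodes by the likelihood of the attacker reaching them.

    graph: node -> list of successor nodes (edges = favorable attack conditions)
    initial: the paper's set I of states the attacker starts from
    exploitability: node -> score weighting the choice among successors

    Departures from plain PageRank, following the paper's assumption:
    * a dead end sends the attacker back to an initial state (backtracking)
      rather than to a uniformly random node;
    * the (1 - damping) "dump the current path" mass also lands only on
      initial states;
    * a successor is chosen in proportion to how exploitable it is.
    """
    nodes = list(graph)
    rank = {n: 1.0 / len(nodes) for n in nodes}
    restart = 1.0 / len(initial)
    for _ in range(max_iter):
        new = {n: 0.0 for n in nodes}
        for n in initial:
            new[n] += (1.0 - damping) * restart
        for u in nodes:
            succ = graph[u]
            if not succ:                              # backtrack from a dead end
                for n in initial:
                    new[n] += damping * rank[u] * restart
                continue
            total = sum(exploitability[v] for v in succ)
            for v in succ:
                w = exploitability[v] / total if total > 0 else 1.0 / len(succ)
                new[v] += damping * rank[u] * w
        delta = sum(abs(new[n] - rank[n]) for n in nodes)
        rank = new
        if delta < tol:
            break
    return rank


def ranked_nodes(rank):
    """Nodes ordered by intrusion likelihood, most at-risk first."""
    return sorted(rank, key=rank.get, reverse=True)


# Constructed attack graph: the attacker's host, a web server and an SSH
# server reachable from it, and a database host behind both of them.
GRAPH = {
    "attacker": ["web", "ssh"],
    "web": ["db"],
    "ssh": ["db"],
    "db": [],                      # goal state, nothing further to reach
}
INITIAL = ["attacker"]
EXPLOITABILITY = {
    "attacker": 0.0,               # never a successor, so unused
    "web": exploitability_score("network", "low", "none"),        # ~10.0
    "ssh": exploitability_score("network", "medium", "single"),   # ~6.8
    "db": exploitability_score("adjacent", "low", "single"),      # ~5.1
}


def demo():
    """AttackRank over the constructed graph."""
    return attack_rank(GRAPH, INITIAL, EXPLOITABILITY)


if __name__ == "__main__":
    ranks = demo()
    for node in ranked_nodes(ranks):
        print(f"{node:8s} {ranks[node]:.4f}")
```

Because the two entry points lead to the same goal, the more exploitable web server collects the larger share of the attacker's likelihood, and the database host outranks either entry point since every path passes through it; that is the kind of ordering the Risk Analyzer uses to decide which path needs attention first. The ranks always sum to 1, so a change in one host's exploitability is visible as a redistribution across the rest of the graph.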


Figure 4. Experimental setup of the test-bed

In the developed network architecture, a packet enters the system from the network and goes first through the firewall rules; if it does not match any of those rules, it is logged. Snort analyzes the traffic that passes through the firewall and performs filtering based on its signatures; the traffic is either dropped or passed, depending on whether it is malicious or not. The filtered traffic is then logged by the honeypot. The honeypot only captures the information and does not do any processing. The detection engine then analyses the log, identifies malicious IPs and blocks them; every incoming packet from these IPs will then be forwarded to the honeypot by activating IP forwarding.

To detect vulnerabilities present in our network we perform external and internal scans. The external scan is done through a router or firewall by means of the Nmap [25] and Nessus [26] vulnerability scanners. The internal scan took place at the School of Engineering and Technology (SoET) location, and was plugged into a server that resides inside the university's network. As shown in Fig. 5, the placement of the blue scanner is inside the firewall, so it can scan internal vulnerabilities. On the contrary, the red scanner is used for the external vulnerabilities scan. Both internal and external vulnerability scans are used to collect data in order to assess the effectiveness of the current security measures taken at the campus network. The objective of the internal scan is to bypass the external security countermeasures to get a detailed view of system configurations. The external scan determines the security posture from the Internet user's view. The point behind external scanning is to identify what a hacker would see if he were trying to probe Vikram University's network [27].

PERFORMANCE EVALUATION

In this section we present the experiments performed in order to confirm the accuracy and efficiency of our framework. We built a test-bed network and launched an attack towards it. Since zero-day exploits are not readily available, we emulated zero-day vulnerabilities with known vulnerabilities. For example, we treated CVE-2016-5387 as a zero-day vulnerability by assuming the current time is Dec 31, 2015. The strategy of emulation also brings another benefit: the information for these "known zero-day" vulnerabilities is available to verify the correctness of our experimental results.

The basic components of the test-bed (Fig. 4) are two servers for the network vulnerabilities scan. 208.91.199.121 performs the external scanning through a router or firewall, by means of the Nmap and Nessus vulnerability scanners. Nmap is placed within contact range of the University, and generates details about active services, credentials and successful attacks. Fig. 5 shows the scanning result generated by Nmap at a particular timestamp.

Figure 5. Nmap external port scan result

The scanning activities show that the server 208.91.199.121 has 13 open ports, including tcp80 listening for HTTP traffic and tcp22 listening for SSH traffic. The SSH connection allows system administrators to do maintenance work remotely from within the administration subnet.


The SSH service has three vulnerabilities: CVE-2012-5975,


CVE-2014-6271 and CVE-2015-5600. CVE-2012-5975
allows remote attackers to bypass authentication via a crafted
session involving entry of blank passwords. CVE-2015-5600
does not properly restrict the processing of keyboard-
interactive devices within a single connection, which makes it
easier for remote attackers to conduct brute-force attacks or
cause a denial of service. CVE-2014-6271 allows remote
attackers to execute arbitrary code via a crafted environment.
The HTTP service has two vulnerabilities: CVE-2016-5387
and CVE-2015-3183. CVE-2016-5387 allows remote
attackers to redirect an application's outbound HTTP traffic to
an arbitrary proxy server via a crafted Proxy header in an
HTTP request; and CVE-2015-3183 allows remote attackers
to conduct HTTP request smuggling attacks via a crafted
request. Both HTTP service vulnerabilities are present in the
Apache HTTP Server.
To capture intrusion propagation, an attack graph was built by capturing the network scenario at a specific timestamp. Fig. 6 shows the TraceRoute result generated by Nmap; with this information about the captured network scenario at any timestamp, an attack graph is built. Nodes of the attack graph represent the hosts within the network, while edges represent the favorable attack conditions.

Figure 6. Input for attack path generation through Nmap

The attack graph was generated by sensing the anomalous behavior (or abnormal activities) of the network that is noticed by security personnel or by security sensors such as an IDS. These anomalies represent the probability of a host being infected in the attack graph.

After Snort filtering of the known attacks, Wireshark sniffs the filtered traffic in order to detect unknown malicious packets having unexpected behavior. Fig. 7 shows a snapshot of Wireshark. Wireshark captures the essential characteristics of a packet in order to deny any behaviors that are not expected. It predicts the flow of network traffic.

Figure 7. Snapshot of Wireshark packet sniffer

Polymorphic engines ADMmutate, clet, Alpha2, CountDown, JumpCallAdditive and Pex were applied to the unencrypted exploits. True Positive Rate (TPR), False Positive Rate (FPR) and Receiver Operating Characteristic (ROC) curve parameters were used to evaluate the performance and accuracy of the proposed framework. Fig. 8 and Fig. 9 represent the true detection rate and the false positive rate of zero-day attacks, respectively.

Figure 8. True Positive Rate

Figure 9. False Positive Rate
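As an added example (not the paper's own code), the following Python turns a constructed Nmap traceroute into the host/edge attack graph described above and uses per-host anomaly evidence as the probability of infection; the scanner address, the anomaly values and the multiplicative propagation rule along the route are assumptions of this example.

```python
"""Host-level attack graph from an Nmap traceroute plus intrusion-propagation
probabilities. Added example with constructed data, not the paper's code."""
import re
from typing import Dict, List, Tuple

# Constructed Nmap-style TRACEROUTE block (addresses from RFC 5737 documentation ranges).
NMAP_TRACEROUTE = """\
TRACEROUTE (using port 22/tcp)
HOP RTT     ADDRESS
1   0.42 ms 192.0.2.1
2   1.10 ms 198.51.100.7
3   2.35 ms 203.0.113.20
"""
SCANNER = "192.0.2.100"  # constructed: the host the scan was launched from
HOP_RE = re.compile(r"^\s*(\d+)\s+[\d.]+ ms\s+(\S+)")

# Constructed per-host anomaly evidence (0..1) from sensor alerts after Snort filtering;
# the paper treats such anomalies as the probability that the host is infected.
ANOMALY: Dict[str, float] = {"192.0.2.1": 0.9, "198.51.100.7": 0.5, "203.0.113.20": 0.8}


def attack_edges(traceroute: str, source: str = SCANNER) -> List[Tuple[str, str]]:
    """Nodes are hosts; an edge (a, b) is the favourable attack condition that
    b is reachable from a, taken here from consecutive traceroute hops.
    Unresponsive hops (printed by Nmap as '...') do not match and are skipped."""
    hops = [m.group(2) for m in map(HOP_RE.match, traceroute.splitlines()) if m]
    chain = [source] + hops
    return list(zip(chain, chain[1:]))


def propagation_probability(edges: List[Tuple[str, str]], anomaly: Dict[str, float],
                            source: str = SCANNER) -> Dict[str, float]:
    """Assumed rule (not from the paper): P(b compromised) = P(a compromised) * anomaly[b]
    along each edge (a, b); the scan source is the attacker's foothold with P = 1.
    Edges must be in route order so that P(a) is known before (a, b) is processed."""
    prob = {source: 1.0}
    for a, b in edges:
        prob[b] = prob[a] * anomaly.get(b, 0.0)  # host with no evidence: P = 0
    return prob


if __name__ == "__main__":
    graph = attack_edges(NMAP_TRACEROUTE)
    for host, p in propagation_probability(graph, ANOMALY).items():
        print("%-14s P(infected) = %.2f" % (host, p))
```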


Fig. 10 shows the ROC curve, which is drawn by taking the average value of TPR. In Fig. 10, it is clearly shown that the ROC is close to 1, which demonstrates the efficiency of our proposed approach.

Figure 10. Average value of ROC curve
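To make the TPR/FPR/ROC evaluation concrete, here is an added Python example (not the paper's code or data) that sweeps a detection threshold over constructed per-flow anomaly scores, computes the TPR and FPR operating points behind Figs. 8 and 9, and the area under the ROC curve that Fig. 10 compares against 1; the sample scores, labels and the Youden-style choice of operating point are assumptions of this example.

```python
"""Threshold sweep over anomaly scores: TPR/FPR operating points and ROC AUC.
Added example with constructed data, not the paper's experimental results."""
from typing import List, Tuple

# Constructed sample: (sensor anomaly score, True if the flow carried a zero-day exploit).
SAMPLE: List[Tuple[float, bool]] = [
    (0.95, True), (0.90, True), (0.85, False), (0.80, True), (0.70, True),
    (0.60, True), (0.55, True), (0.40, False), (0.30, False), (0.20, False),
    (0.10, True), (0.05, False),
]


def tpr_fpr(scored: List[Tuple[float, bool]], threshold: float) -> Tuple[float, float]:
    """A flow is flagged when score >= threshold. TPR = TP/(TP+FN), FPR = FP/(FP+TN)."""
    tp = sum(1 for s, y in scored if y and s >= threshold)
    fn = sum(1 for s, y in scored if y and s < threshold)
    fp = sum(1 for s, y in scored if not y and s >= threshold)
    tn = sum(1 for s, y in scored if not y and s < threshold)
    return tp / (tp + fn), fp / (fp + tn)


def roc_points(scored: List[Tuple[float, bool]]) -> List[Tuple[float, float]]:
    """(FPR, TPR) pairs from the strictest threshold downwards, starting at (0, 0)."""
    points = [(0.0, 0.0)]
    for t in sorted({s for s, _ in scored}, reverse=True):
        tpr, fpr = tpr_fpr(scored, t)
        points.append((fpr, tpr))
    return points


def roc_auc(points: List[Tuple[float, float]]) -> float:
    """Trapezoidal area under the ROC curve; 1.0 is a perfect detector, 0.5 is chance."""
    return sum((x1 - x0) * (y0 + y1) / 2 for (x0, y0), (x1, y1) in zip(points, points[1:]))


def best_threshold(scored: List[Tuple[float, bool]]) -> float:
    """Operating point maximising TPR - FPR (Youden's J); an assumption of this example."""
    def youden(t: float) -> float:
        tpr, fpr = tpr_fpr(scored, t)
        return tpr - fpr
    return max(sorted({s for s, _ in scored}, reverse=True), key=youden)


if __name__ == "__main__":
    print("AUC = %.3f" % roc_auc(roc_points(SAMPLE)))
    t = best_threshold(SAMPLE)
    print("threshold %.2f -> TPR %.3f, FPR %.3f" % ((t,) + tpr_fpr(SAMPLE, t)))
```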
CONCLUSION

In this paper we proposed a novel security approach that assesses the security risks of zero-day vulnerabilities for compromising a network asset and measures the capability of hardening a network against zero-day vulnerabilities. The proposed method develops a probabilistic attack graph that encodes probabilistic and temporal knowledge of the attacker's behavior and determines the risks of exploits. We designed our experiments to verify the efficiency of our proposed approach by using various standard parameters. In our experiments, it was observed that the best (or truest) detection rate was 96% and the false positive rate was 0.3%. The proposed algorithm yields efficient performance for both detection and prediction of zero-day vulnerabilities.