1 / 29

Predicting zero-day software vulnerabilities through data mining

Predicting zero-day software vulnerabilities through data mining. Su Zhang Department of Computing and Information Science Kansas State University. Outline. Motivation. Related work. Proposed approach. Possible techniques. Plan. Outline. Motivation. Related work. Proposed approach.

kimi
Télécharger la présentation

Predicting zero-day software vulnerabilities through data mining

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Predicting zero-day software vulnerabilities through data mining Su Zhang Department of Computing and Information Science Kansas State University

  2. Outline • Motivation. • Related work. • Proposed approach. • Possible techniques. • Plan.

  3. Outline • Motivation. • Related work. • Proposed approach. • Possible techniques. • Plan.

  4. The trend of vulnerability numbers

  5. zero-day vulnerability • What is zero-day vulnerability? It is a vulnerability which is found by underground hackers before being made public. • Increasing threat from zero-day vulnerabilities. Many attacks are attributed to zero-day vulnerabilities. E.g. in 2010 Microsoft confirmed a vulnerability in Internet Explorer, which affected some versions that were released in 2001.

  6. Our goal • Risk awareness. The possibility of zero-day vulnerability must be considered for comprehensive risk assessment for enterprise networks.

  7. Enterprise risk assessment framework

  8. Enterprise risk assessment framework

  9. Enterprise risk assessment framework

  10. Enterprise risk assessment framework

  11. Enterprise risk assessment framework

  12. Problem • Predict the information of zero – day vulnerabilities from software configurations.

  13. Outline • Motivation. • Related work. • Proposed approach. • Possible techniques. • Plan.

  14. Related work • O. H. Alhazmi and Y. K. Malaiya, 2005. • Andy Ozment, 2007. • Kyle Ingols, et al, 2009. • Miles A. McQueen, et al, 2009.

  15. Outline • Motivation. • Related work • Proposed approach. • Possible techniques. • Plan.

  16. Proposed approach • Predict the likelihood of zero-day vulnerabilities for specific software applications. • NVD • Available since 2002. • Rich data source including the preconditions and consequences of vulnerabilities. It could be used to build our model and validate our work.

  17. System architecture Output(MTTNV&CVSS Metrics) Our Prediction Model CPE (common platform enumeration) Scanner (e.g. Nessus or OVAL) Target Machine IE WinXP FireFox …

  18. Prediction model • Predictive data: CPE (common platform enumeration) • Indicate software configuration on a host. • Predicted data: MTTNV (Mean Time to Next Vulnerability) & CVSS Metrics • MTTNV indicates the probability of zero-day vulnerabilities. • CVSS metrics indicate the properties of the predicted vulnerabilities.

  19. CPE (common platform enumeration) • What is CPE? • CPE is a structured naming scheme for information technology systems, software, and packages. • Example (in primitive format) • cpe:/a:acme:product:1.0:update2:pro:en-us Professional edition of the "Acme Product 1.0 Update 2 English".

  20. CPE Language

  21. CVSS (Common Vulnerability Scoring System ) • An open framework for communicating the characteristics and impacts of IT vulnerabilities. • Metric Vector access complexity (H, M, L) authentication ( R, NR) confidentiality (N, P, C) ... • CVSS Score: Calculated based on above vector. It indicates the severity of a vulnerability.

  22. CVSS used in risk assessment • We use CVSS to derive a conditional probability. How likely a vulnerability could be successfully exploited, given all preconditions fulfilled. • By combining the conditional probability with attack graph one can calculate the cumulative probability, we could obtain a overall estimated likelihood of the given machine being compromised.

  23. Outline • Motivation. • Related work. • Proposed approach. • Possible techniques. • Plan.

  24. Possible techniques • Linear Regression ( input are continuous variables). • Statistical classification (input are discrete variables). • Maximum likelihood and least squares (Determining the parameters of our model).

  25. Validation methodology • Earlier years of NVD: Building our model. • Later years of NVD: Validate our model. • Criteria: Closer to the factual value than without considering zero-day vulnerabilities.

  26. Outline • Motivation. • Related work. • Proposed approach. • Possible techniques. • Plan.

  27. plan • Next phase: Study data-mining tools (e.g. Support Vector Machine) . Then build up our prediction model. • Validate the model on NVD. • Final phase: • If the previous phase provides a good model, we will incorporate the generated result into MulVAL. • Otherwise, we are going to investigate the problem.

  28. References • [1]Andrew Buttner et al, ”Common Platform Enumeration (CPE) – Specification,” 2008. • [2]NVD,http://nvd.nist.gov/home.cfm. • [3]O. H. Alhazmi et al, “Modeling the Vulnerability Discovery Process,” 2005. • [4]Omar H. Alhazmi et al, “Prediction Capabilities of Vulnerability Discovery Models,” 2006. • [5]Andy Ozment, “Improving Vulnerability Discovery Models,” 2007. • [6]R. Gopalakrishna and E. H. Spafford, “A trend analysis of vulnerabilities,” 2005. • [7]Christopher M. Bishop, “Pattern Recognition andMachine Learning,” 2006. • [8]XinmingOu et al, “MulVAL: A logic-based network security analyzer,” 2005. • [9] Kyle Ingols et al, “Modeling Modern Network Attacks and Countermeasures Using Attack Graphs” 2009. • [10] Miles A. McQueen et al, “Empirical Estimates and Observations of 0Day Vulnerabilities,” 2009. • [11] Alex J. Smola et al, “A Tutorial on Support Vector Regression,” 1998.

  29. Thank you! Questions &Answers

More Related