Presentation is loading. Please wait.

Presentation is loading. Please wait.

P REDICTING ZERO - DAY SOFTWARE VULNERABILITIES THROUGH DATA MINING Su Zhang Department of Computing and Information Science Kansas State University 1.

Published by Modified over 9 years ago

Similar presentations

Presentation on theme: "P REDICTING ZERO - DAY SOFTWARE VULNERABILITIES THROUGH DATA MINING Su Zhang Department of Computing and Information Science Kansas State University 1."— Presentation transcript:

1 P REDICTING ZERO - DAY SOFTWARE VULNERABILITIES THROUGH DATA MINING Su Zhang Department of Computing and Information Science Kansas State University 1

2 O UTLINE Motivation. Related work. Proposed approach. Possible techniques. Plan. 2

3 O UTLINE Motivation. Related work. Proposed approach. Possible techniques. Plan. 3

4 T HE TREND OF VULNERABILITY NUMBERS 4

5 ZERO - DAY VULNERABILITY What is zero-day vulnerability? It is a vulnerability which is found by underground hackers before being made public. Increasing threat from zero-day vulnerabilities. Many attacks are attributed to zero-day vulnerabilities. E.g. in 2010 Microsoft confirmed a vulnerability in Internet Explorer, which affected some versions that were released in 2001. 5

6 O UR GOAL Risk awareness. The possibility of zero-day vulnerability must be considered for comprehensive risk assessment for enterprise networks. 6

7 E NTERPRISE RISK ASSESSMENT FRAMEWORK 7

8 8

9 9

10 10

11 E NTERPRISE RISK ASSESSMENT FRAMEWORK 11

12 P ROBLEM Predict the information of zero – day vulnerabilities from software configurations. 12

13 O UTLINE Motivation. Related work. Proposed approach. Possible techniques. Plan. 13

14 R ELATED WORK O. H. Alhazmi and Y. K. Malaiya, 2005. Andy Ozment, 2007. Kyle Ingols, et al, 2009. Miles A. McQueen, et al, 2009. 14

15 O UTLINE Motivation. Related work Proposed approach. Possible techniques. Plan. 15

16 P ROPOSED APPROACH Predict the likelihood of zero-day vulnerabilities for specific software applications. NVD Available since 2002. Rich data source including the preconditions and consequences of vulnerabilities. It could be used to build our model and validate our work. 16

17 S YSTEM ARCHITECTURE 17 IEWinXPFireFox… Target Machine Scanner (e.g. Nessus or OVAL) Our Prediction Model Output(MTTNV&CVSS Metrics) CPE (common platform enumeration)

18 P REDICTION MODEL Predictive data: CPE (common platform enumeration) Indicate software configuration on a host. Predicted data: MTTNV (Mean Time to Next Vulnerability) & CVSS Metrics MTTNV indicates the probability of zero-day vulnerabilities. CVSS metrics indicate the properties of the predicted vulnerabilities. 18

19 CPE ( COMMON PLATFORM ENUMERATION ) What is CPE? CPE is a structured naming scheme for information technology systems, software, and packages. Example (in primitive format) cpe:/a:acme:product:1.0:update2:pro:en-us Professional edition of the "Acme Product 1.0 Update 2 English". 19

20 CPE L ANGUAGE 20

21 CVSS (C OMMON V ULNERABILITY S CORING S YSTEM ) An open framework for communicating the characteristics and impacts of IT vulnerabilities. Metric Vector access complexity (H, M, L) authentication ( R, NR) confidentiality (N, P, C)... CVSS Score: Calculated based on above vector. It indicates the severity of a vulnerability. 21

22 CVSS USED IN RISK ASSESSMENT We use CVSS to derive a conditional probability. How likely a vulnerability could be successfully exploited, given all preconditions fulfilled. By combining the conditional probability with attack graph one can calculate the cumulative probability, we could obtain a overall estimated likelihood of the given machine being compromised. 22

23 O UTLINE Motivation. Related work. Proposed approach. Possible techniques. Plan. 23

24 P OSSIBLE TECHNIQUES Linear Regression ( input are continuous variables). Statistical classification (input are discrete variables). Maximum likelihood and least squares (Determining the parameters of our model). 24

25 V ALIDATION METHODOLOGY Earlier years of NVD: Building our model. Later years of NVD: Validate our model. Criteria: Closer to the factual value than without considering zero-day vulnerabilities. 25

26 O UTLINE Motivation. Related work. Proposed approach. Possible techniques. Plan. 26

27 PLAN Next phase: Study data-mining tools (e.g. Support Vector Machine). Then build up our prediction model. Validate the model on NVD. Final phase: If the previous phase provides a good model, we will incorporate the generated result into MulVAL. Otherwise, we are going to investigate the problem. 27

28 R EFERENCES [1]Andrew Buttner et al, ”Common Platform Enumeration (CPE) – Specification,” 2008. [2]NVD, http://nvd.nist.gov/home.cfm.http://nvd.nist.gov/home.cfm [3]O. H. Alhazmi et al, “Modeling the Vulnerability Discovery Process,” 2005. [4]Omar H. Alhazmi et al, “Prediction Capabilities of Vulnerability Discovery Models,” 2006. [5]Andy Ozment, “Improving Vulnerability Discovery Models,” 2007. [6]R. Gopalakrishna and E. H. Spafford, “A trend analysis of vulnerabilities,” 2005. [7]Christopher M. Bishop, “Pattern Recognition andMachine Learning,” 2006. [8]Xinming Ou et al, “MulVAL: A logic-based network security analyzer,” 2005. [9] Kyle Ingols et al, “Modeling Modern Network Attacks and Countermeasures Using Attack Graphs” 2009. [10] Miles A. McQueen et al, “Empirical Estimates and Observations of 0Day Vulnerabilities,” 2009. [11] Alex J. Smola et al, “A Tutorial on Support Vector Regression,” 1998. 28

29 T HANK YOU ! Questions & Answers 29

Download ppt "P REDICTING ZERO - DAY SOFTWARE VULNERABILITIES THROUGH DATA MINING Su Zhang Department of Computing and Information Science Kansas State University 1."

Similar presentations

Regularized risk minimization

Regularized risk minimization
Polynomial Curve Fitting BITS C464/BITS F464 Navneet Goyal Department of Computer Science, BITS-Pilani, Pilani Campus, India.

Polynomial Curve Fitting BITS C464/BITS F464 Navneet Goyal Department of Computer Science, BITS-Pilani, Pilani Campus, India.
Example One Internet is allowed to access the web server through HTTP protocol and port CVE-2006-3747 was identified on web server.

Example One Internet is allowed to access the web server through HTTP protocol and port CVE was identified on web server.
1 Measuring Network Security Using Attack Graphs Anoop Singhal National Institute of Standards and Technology Coauthors: Lingyu Wang and Sushil Jajodia.

1 Measuring Network Security Using Attack Graphs Anoop Singhal National Institute of Standards and Technology Coauthors: Lingyu Wang and Sushil Jajodia.
Software Quality Ranking: Bringing Order to Software Modules in Testing Fei Xing Michael R. Lyu Ping Guo.

Software Quality Ranking: Bringing Order to Software Modules in Testing Fei Xing Michael R. Lyu Ping Guo.
Prediction of fault-proneness at early phase in object-oriented development Toshihiro Kamiya †, Shinji Kusumoto † and Katsuro Inoue †‡ † Osaka University.

Prediction of fault-proneness at early phase in object-oriented development Toshihiro Kamiya †, Shinji Kusumoto † and Katsuro Inoue †‡ † Osaka University.
Decision Making: An Introduction 1. 2 Decision Making Decision Making is a process of choosing among two or more alternative courses of action for the.

Decision Making: An Introduction 1. 2 Decision Making Decision Making is a process of choosing among two or more alternative courses of action for the.
Software Security Growth Modeling: Examining Vulnerabilities with Reliability Growth Models Andy Ozment Computer Security Group Computer Laboratory University.

Software Security Growth Modeling: Examining Vulnerabilities with Reliability Growth Models Andy Ozment Computer Security Group Computer Laboratory University.
Funding Networks Abdullah Sevincer University of Nevada, Reno Department of Computer Science & Engineering.

Funding Networks Abdullah Sevincer University of Nevada, Reno Department of Computer Science & Engineering.
Civil and Environmental Engineering Carnegie Mellon University Sensors & Knowledge Discovery (a.k.a. Data Mining) H. Scott Matthews April 14, 2003.

Civil and Environmental Engineering Carnegie Mellon University Sensors & Knowledge Discovery (a.k.a. Data Mining) H. Scott Matthews April 14, 2003.
Decision Tree Rong Jin. Determine Milage Per Gallon.

Decision Tree Rong Jin. Determine Milage Per Gallon.
Using the Maryland Biological Stream Survey Data to Test Spatial Statistical Models A Collaborative Approach to Analyzing Stream Network Data Andrew A.

Using the Maryland Biological Stream Survey Data to Test Spatial Statistical Models A Collaborative Approach to Analyzing Stream Network Data Andrew A.
CSCI 530L Vulnerability Assessment. Process of identifying vulnerabilities that exist in a computer system Has many similarities to risk assessment Four.

CSCI 530L Vulnerability Assessment. Process of identifying vulnerabilities that exist in a computer system Has many similarities to risk assessment Four.
A Kolmogorov Complexity Approach for Measuring Attack Path Complexity By Nwokedi C. Idika & Bharat Bhargava Presented by Bharat Bhargava.

A Kolmogorov Complexity Approach for Measuring Attack Path Complexity By Nwokedi C. Idika & Bharat Bhargava Presented by Bharat Bhargava.
Secure Middleware (?) Patrick Morrison 3/1/2006 Secure Systems Group.

Secure Middleware (?) Patrick Morrison 3/1/2006 Secure Systems Group.
Clementine Server Clementine Server A data mining software for business solution.

Clementine Server Clementine Server A data mining software for business solution.
Modeling Gene Interactions in Disease CS 686 Bioinformatics.

Modeling Gene Interactions in Disease CS 686 Bioinformatics.
Statistical Learning: Pattern Classification, Prediction, and Control Peter Bartlett August 2002, UC Berkeley CIS.

Statistical Learning: Pattern Classification, Prediction, and Control Peter Bartlett August 2002, UC Berkeley CIS.
Risk Management.

Risk Management.
Correlational Designs

Correlational Designs

Similar presentations

Ads by Google