Devising a method of protection against zero-day attacks based on an analytical model of changing the state of the network sandbox

Authors

DOI:

https://doi.org/10.15587/1729-4061.2021.225646

Keywords:

zero-day attack, analytical model, state ranking, network SandBox, information protection

Abstract

This paper reports a method of protection against zero-day attacks using SandBox technology based on the developed analytical model with a probabilistic ranking of information system states. The model takes into consideration the conditions of a priori uncertainty regarding the parameters of the destructive flow on the system, accounting for the typical procedures of the network SandBox.

The proposed model of information system states makes it possible to analyze and track all possible states, as well as assess the level of security in these states, and the probability of transitions into them. Thus, it is possible to identify the most dangerous ones and track the activities that caused the corresponding changes. The fundamental difference between this model and standard approaches is the weight coefficients that characterize not the intensity of random events but the intensity of transitions between states.

Direct implementation and application of the proposed analytical model involved the technology of multilevel network "SandBoxes".

The difference from other popular anti-virus tools is the use of a priori mathematical threat assessment, which makes it possible to detect influences that are not considered threats by classical systems until the moment of harm to the system.

The combination with standard security tools makes it possible to separately analyze files that are too large in size, whether they enter the system not through a common gateway controlled by the network "SandBox" but from the external media of end-users.

The implementation of the developed analytical model has made it possible to improve the level of protection of the corporate network by 15 %, based on the number of detected threats. This difference is explained by the inability of classical software to detect new threats if they are not already listed in the database of the program, and their activity is not trivial

Author Biographies

Serhii Buchyk, Taras Shevchenko National University of Kyiv

Doctor of Technical Sciences, Associate Professor

Department of Cyber Security and Information Protection

Oleksandr Yudin, National academy of the Security service of Ukraine

Doctor of Technical Sciences, Professor

Department of Information Systems and Technologies and Protection of the State Interests in Information Sphere

Ruslana Ziubina, Taras Shevchenko National University of Kyiv

PhD

Department of Cyber Security and Information Protection

Ivan Bondarenko, National academy of the Security service of Ukraine

Assistant

Department of Information Systems and Technologies and Protection of the State Interests in Information Sphere

Oleh Suprun, Taras Shevchenko National University of Kyiv

Assistant

Department of Intelligent and Information Systems

References

  1. Moussouris, K., Siegel, M. (2015). The Wolves of Vuln Street: The 1st System Dynamics Model of the 0day Market. RSA Conference 2015. San Francisco. Available at: https://ic3-2017.mit.edu/sites/default/files/documents/MichaelSiegelKatieMoussouris_VulnMarketsRSAC2015Speaker.pdf
  2. Schwartz, A., Knake, R. (2016). Government’s Role in Vulnerability Disclosure: Creating a Permanent and Accountable Vulnerability Equities Process. Discussion Paper 2016-04. Harvard Kennedy School. Available at: https://www.belfercenter.org/sites/default/files/files/publication/Vulnerability%20Disclosure%20Web-Final4.pdf
  3. Yudin, O., Ziubina, R., Buchyk, S., Bohuslavska, O., Teliushchenko, V. (2019). Speaker’s Voice Recognition Methods in High-Level Interference Conditions. 2019 IEEE 2nd Ukraine Conference on Electrical and Computer Engineering (UKRCON). doi: https://doi.org/10.1109/ukrcon.2019.8879937
  4. Gurzhiy, P., Gorodetsky, B., Yudin, O., Ryabukha, Y. (2019). The Method of Adaptive Counteraction to Viral Attacks, Taking Into Account Their Masking in Infocommunication Systems. 2019 3rd International Conference on Advanced Information and Communications Technologies (AICT). doi: https://doi.org/10.1109/aiact.2019.8847893
  5. Edwards, J. (2001). Next-generation viruses present new challenges. Computer, 34 (5), 16–18. doi: https://doi.org/10.1109/2.920606
  6. Hedberg, S. (1996). Combating computer viruses: IBM's new computer immune system. IEEE Parallel & Distributed Technology: Systems & Applications, 4 (2), 9–11. doi: https://doi.org/10.1109/88.494599
  7. Zhao, F., Li, Q., Jin, L. (2006). An Intrusion-Tolerant Intrusion Detection Method Based on Real-Time Sequence Analysis. 2006 International Conference on Machine Learning and Cybernetics. doi: https://doi.org/10.1109/icmlc.2006.258927
  8. Jensen, M. (2013). Challenges of Privacy Protection in Big Data Analytics. 2013 IEEE International Congress on Big Data. doi: https://doi.org/10.1109/bigdata.congress.2013.39
  9. Tesauro, G. J., Kephart, J. O., Sorkin, G. B. (1996). Neural networks for computer virus recognition. IEEE Expert, 11 (4), 5–6. doi: https://doi.org/10.1109/64.511768
  10. Bonneau, J., Anderson, J., Danezis, G. (2009). Prying Data out of a Social Network. 2009 International Conference on Advances in Social Network Analysis and Mining. doi: https://doi.org/10.1109/asonam.2009.45
  11. Azzedin, F., Suwad, H., Alyafeai, Z. (2017). Countermeasureing Zero Day Attacks: Asset-Based Approach. 2017 International Conference on High Performance Computing & Simulation (HPCS). doi: https://doi.org/10.1109/hpcs.2017.129
  12. Popereshnyak, S., Suprun, O., Suprun, O., Wieckowski, T. (2018). Intrusion detection method based on the sensory traps system. 2018 XIV-Th International Conference on Perspective Technologies and Methods in MEMS Design (MEMSTECH). doi: https://doi.org/10.1109/memstech.2018.8365716
  13. Tian, Z.-H., Fang, B.-X., Yun, X.-C. (2003). An architecture for intrusion detection using honey pot. Proceedings of the 2003 International Conference on Machine Learning and Cybernetics (IEEE Cat. No.03EX693). doi: https://doi.org/10.1109/icmlc.2003.1259851
  14. Yudin, O., Boiko, Y., Ziubina, R., Buchyk, S., Tverdokhleb, V., Beresina, S. (2019). Data Compression Based on Coding Methods With a Controlled Level of Quality Loss. 2019 IEEE International Conference on Advanced Trends in Information Theory (ATIT). doi: https://doi.org/10.1109/atit49449.2019.9030431
  15. How to Choose your Next Sandboxing Solution. Featuring insight from gartner’s market guide for network Sandboxing (2016). Check Point Software Technologies Ltd. Available at: https://www.checkpoint.com/downloads/products/check-point-gartner-how-to-choose-sandboxing-solution-whitepaper.pdf
  16. Burnap, P., French, R., Turner, F., Jones, K. (2018). Malware classification using self organising feature maps and machine activity data. Computers & Security, 73, 399–410. doi: https://doi.org/10.1016/j.cose.2017.11.016
  17. ESET Dynamic Threat Defense. Available at: https://www.eset.com/int/business/dynamic-threat-defense/
  18. Lakhno, V., Kasatkin, D., Kozlovskyi, V., Petrovska, S., Boiko, Y., Kravchuk, P., Lishchynovska, N. (2019). A model and algorithm for detecting spyware in medical information systems. International Journal of Mechanical Engineering and Technology, 10 (1), 287–295.
  19. The Problem with Traditional Sandboxing. Available at: https://blog.checkpoint.com/2015/09/14/the-problem-with-traditional-sandboxing/
  20. Villalba, L. J. G., Orozco, A. L. S., Vidal, J. M. (2015). Malware Detection System by Payload Analysis of Network Traffic. IEEE Latin America Transactions, 13 (3), 850–855. doi: https://doi.org/10.1109/tla.2015.7069114
  21. Yudin, O., Ziubina, R., Buchyk, S., Matviichuk-Yudina, O., Suprun, O., Ivannikova, V. (2020). Development of methods for identification of information­controlling signals of unmanned aircraft complex operator. Eastern-European Journal of Enterprise Technologies, 2 (9 (104)), 56–64. doi: https://doi.org/10.15587/1729-4061.2020.195510
  22. Yudin, O., Symonychenko, Y., Symonychenko, A. (2019). The Method of Detection of Hidden Information in a Digital Image Using Steganographic Methods of Analysis. 2019 IEEE International Conference on Advanced Trends in Information Theory (ATIT). doi: https://doi.org/10.1109/atit49449.2019.9030479
  23. D'Hoinne, J., Orans, L. (2015). Market Guide for Network Sandboxing. Gartner. Available at: https://www.gartner.com/en/documents/2995621
  24. Cooke, E., Jahanian, F., McPherson, D. (2005). The zombie roundup: Understanding, detecting, and disrupting botnets. SRUTI ’05: Steps to Reducing Unwanted Traffic on the Internet Workshop, 39–44.
  25. Koller, D., Friedman, N. (2009). Probabilistic Graphical Models. Principles and Techniques. MIT Press.
  26. National Vulnerability Database. Statistics. NIST. Available at: https://nvd.nist.gov/vuln/search?adv_search=true&cves=on&pub_date_start_month=0&pub_date_start_year=2010&pub_date_end_month=9&pub_date_end_year=2016&cvss_version=3
  27. CVSS Severity Distribution Over Time. NIST. Available at: https://nvd.nist.gov/general/visualizations/vulnerability-visualizations/cvss-severity-distribution-over-time
  28. Ablon, L., Libicki, M. C., Abler, A. M. (2017). Markets for Cybercrime Tools and Stolen Data: Hackers’ Bazaar. RAND Corporation. Available at: https://www.rand.org/pubs/research_reports/RR610.html
  29. Allodi, L., Massacci, F. (2014). Comparing Vulnerability Severity and Exploits Using Case-Control Studies. ACM Transactions on Information and System Security, 17 (1), 1–20. doi: https://doi.org/10.1145/2630069
  30. Chandrasekaran, M., Baig, M., Upadhyaya, S. (2006). AVARE: Aggregated Vulnerability Assessment and Response against Zero-day Exploits. 2006 IEEE International Performance Computing and Communications Conference. doi: https://doi.org/10.1109/.2006.1629458

Downloads

Published

2021-02-27

How to Cite

Buchyk, S., Yudin, O., Ziubina, . R., Bondarenko, . I., & Suprun, . O. (2021). Devising a method of protection against zero-day attacks based on an analytical model of changing the state of the network sandbox . Eastern-European Journal of Enterprise Technologies, 1(9 (109), 50–57. https://doi.org/10.15587/1729-4061.2021.225646

Issue

Vol. 1 No. 9 (109) (2021): Information and controlling system

Section

Information and controlling system

License

Copyright (c) 2021 Сергей Степанович Бучик , Александр Константинович Юдин , Руслана Витальевна Зюбина , Иван Дмитриевич Бондаренко , Олег Алексеевич Супрун

Creative Commons License

This work is licensed under a Creative Commons Attribution 4.0 International License.

The consolidation and conditions for the transfer of copyright (identification of authorship) is carried out in the License Agreement. In particular, the authors reserve the right to the authorship of their manuscript and transfer the first publication of this work to the journal under the terms of the Creative Commons CC BY license. At the same time, they have the right to conclude on their own additional agreements concerning the non-exclusive distribution of the work in the form in which it was published by this journal, but provided that the link to the first publication of the article in this journal is preserved.

A license agreement is a document in which the author warrants that he/she owns all copyright for the work (manuscript, article, etc.).
The authors, signing the License Agreement with TECHNOLOGY CENTER PC, have all rights to the further use of their work, provided that they link to our edition in which the work was published.
According to the terms of the License Agreement, the Publisher TECHNOLOGY CENTER PC does not take away your copyrights and receives permission from the authors to use and dissemination of the publication through the world's scientific resources (own electronic resources, scientometric databases, repositories, libraries, etc.).
In the absence of a signed License Agreement or in the absence of this agreement of identifiers allowing to identify the identity of the author, the editors have no right to work with the manuscript.
It is important to remember that there is another type of agreement between authors and publishers – when copyright is transferred from the authors to the publisher. In this case, the authors lose ownership of their work and may not use it in any way.