An Adaptive Real-Time Architecture for Zero-Day Threat Detection

Title: An Adaptive Real-Time Architecture for Zero-Day Threat Detection
Publication Type: Conference Paper
Year of Publication: 2018
Authors: Lobato, A. G. P., Lopez, M. A., Sanz, I. J., Cárdenas, A. A., Duarte, O. C. M. B., Pujolle, G.
Conference Name: 2018 IEEE International Conference on Communications (ICC)
Keywords: Adaptation models, adaptive detection schemes, adaptive real-time architecture, adaptive threat detection architecture, anomaly detection, attacker behavior, composability, defense, detection models training, Distributed databases, honeypots, learning (artificial intelligence), legitimate user behavior, Metrics, network operator, online trained supervised classification schemes, online trained unsupervised anomaly detection schemes, pubcrawl, Real-time Systems, resilience, Resiliency, security, security of data, security systems, stream processing technology, Support vector machines, Training, Zero day attacks, Zero-day attacks, zero-day threat detection, zero-day threats learning
Abstract

Attackers create new threats and constantly change their behavior to mislead security systems. In this paper, we propose an adaptive threat detection architecture that trains its detection models in real time. The major contributions of the proposed architecture are: i) gathering data about zero-day attacks and attacker behavior using honeypots in the network; ii) processing data in real time and achieving high processing throughput through detection schemes implemented with stream processing technology; iii) using two real datasets to evaluate our detection schemes, the first from a major network operator in Brazil and the other created in our lab; iv) designing and developing adaptive detection schemes, including both online trained supervised classification schemes that update their parameters in real time and learn zero-day threats from the honeypots, and online trained unsupervised anomaly detection schemes that model legitimate user behavior and adapt to changes. The performance evaluation results show that the proposed architecture maintains an excellent trade-off between threat detection and false positive rates and achieves high classification accuracy of more than 90%, even with legitimate behavior changes and zero-day threats.
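The combination the abstract describes, an online-trained supervised classifier that learns the malicious class from honeypot hits and an unsupervised model of legitimate behaviour that keeps adapting, sketched as a small runnable Python pipeline. This is an added illustration, not the authors' implementation: the paper's keywords point to support vector machines and a stream processing engine, whereas this uses running per-class centroids and an exponentially weighted z-score baseline; the feature scaling, the thresholds (alpha, warm-up length, z_thresh) and the traffic stream are constructed assumptions.

```python
"""Toy online-trained detection pipeline in the spirit of the abstract above.
Added illustration, not the authors' code: running class centroids stand in for
the paper's SVM-based classifier and an EWMA z-score baseline for its unsupervised
scheme; features, thresholds and the traffic stream are constructed."""
from dataclasses import dataclass
import math


@dataclass(frozen=True)
class Flow:
    x: tuple           # (pkts/s, bytes/pkt, distinct dst ports), already scaled
    to_honeypot: bool  # destination is one of the network's honeypots


@dataclass
class Decision:
    alert: bool
    source: str  # "warmup" | "honeypot" | "classifier" | "anomaly" | "none"
    z: float     # max per-feature z-score against the legitimate baseline


class EwmaBaseline:
    """Unsupervised model of legitimate behaviour: exponentially weighted mean and
    variance per feature. A sustained shift becomes the new normal within a few
    flows; a one-off outlier stays anomalous."""

    def __init__(self, dim, alpha=0.2, min_var=0.01):
        self.mean, self.var, self.n = [0.0] * dim, [0.0] * dim, 0
        self.alpha, self.min_var = alpha, min_var

    def update(self, x):
        if self.n == 0:
            self.mean = list(x)
        else:
            for i, xi in enumerate(x):
                d = xi - self.mean[i]
                self.mean[i] += self.alpha * d
                self.var[i] = (1 - self.alpha) * (self.var[i] + self.alpha * d * d)
        self.n += 1

    def zscore(self, x):
        return max(abs(xi - m) / math.sqrt(max(v, self.min_var))
                   for xi, m, v in zip(x, self.mean, self.var))


class OnlineCentroids:
    """Supervised classifier whose parameters (one running centroid per class) are
    updated with every labelled flow. Honeypot hits feed the malicious class, so a
    zero-day pattern seen at a honeypot is recognised on production hosts afterwards."""

    def __init__(self, dim):
        self.sum = {"benign": [0.0] * dim, "malicious": [0.0] * dim}
        self.n = {"benign": 0, "malicious": 0}

    def update(self, x, label):
        for i, xi in enumerate(x):
            self.sum[label][i] += xi
        self.n[label] += 1

    def is_malicious(self, x):
        if self.n["benign"] == 0 or self.n["malicious"] == 0:
            return None  # abstain until both classes have been seen

        def dist(label):
            return math.sqrt(sum((xi - s / self.n[label]) ** 2
                                 for xi, s in zip(x, self.sum[label])))
        return dist("malicious") < dist("benign")


class AdaptiveDetector:
    def __init__(self, dim=3, warmup=5, z_thresh=3.0):
        self.baseline, self.clf = EwmaBaseline(dim), OnlineCentroids(dim)
        self.warmup, self.z_thresh, self.seen = warmup, z_thresh, 0

    def process(self, flow):
        if flow.to_honeypot:  # no legitimate user talks to a honeypot: label and train now
            self.clf.update(flow.x, "malicious")
            return Decision(True, "honeypot", self.baseline.zscore(flow.x))
        self.seen += 1
        if self.seen <= self.warmup:  # assumed-clean window seeds both models
            self.baseline.update(flow.x)
            self.clf.update(flow.x, "benign")
            return Decision(False, "warmup", 0.0)
        z = self.baseline.zscore(flow.x)
        if self.clf.is_malicious(flow.x):
            return Decision(True, "classifier", z)  # known attack: keep it out of the baseline
        self.baseline.update(flow.x)  # presumed legitimate: let the baseline drift with it
        if z > self.z_thresh:
            return Decision(True, "anomaly", z)
        self.clf.update(flow.x, "benign")  # quiet flow: self-labelled negative example
        return Decision(False, "none", z)


def run(flows):
    det = AdaptiveDetector()
    return [det.process(f) for f in flows]


LEGIT_A = (1.0, 0.5, 0.1)  # constructed: steady web-like traffic
LEGIT_B = (2.0, 0.8, 0.1)  # constructed: legitimate behaviour change (new application)
SCAN = (4.0, 0.06, 3.0)    # constructed: zero-day scan-like pattern
STREAM = ([Flow(LEGIT_A, False)] * 8
          + [Flow(SCAN, True), Flow((4.2, 0.05, 2.8), True), Flow((3.8, 0.07, 3.2), True)]
          + [Flow((4.1, 0.06, 2.9), False)]  # the honeypot-learned pattern reaches production
          + [Flow(LEGIT_B, False)] * 4
          + [Flow(SCAN, False)])

if __name__ == "__main__":
    for i, d in enumerate(run(STREAM)):
        print(f"{i:2d} alert={d.alert!s:5} source={d.source:10} z={d.z:.1f}")
```

Running the stream shows the two mechanisms covering each other: the scan that reaches a production host right after the honeypot saw it is caught by the classifier (the anomaly score would also have fired, z is far above the threshold), while the first flow of the changed legitimate behaviour raises an anomaly alert and the following ones are absorbed into the baseline without being added to the malicious class. The caveat a practitioner should note is the self-labelling loop: anything the classifier does not already recognise feeds the baseline, so a novel attack that hits production before any honeypot would be learned as normal; the honeypot labels are what close that gap, and alpha decides how quickly the baseline forgets.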

URL: https://ieeexplore.ieee.org/document/8422622
DOI: 10.1109/ICC.2018.8422622
Citation Key: lobato_adaptive_2018