What are Unknown Attacks in information security?

The unknown attack category denotes a completely new class label that the classifier has not encountered in the training set: for example, a classifier that was never trained on DoS attacks but encounters DoS attacks in the test set.

There are technologies that provide important levels of protection against unknown attacks, including software fault isolation and intrusion detection through program analysis.

These technologies share an important property: they do not depend on the correct operation of the programs. Instead, they provide a secondary layer of protection should a program be breached and corrupted. It is possible that these systems also contain flaws, but for a successful exploit to take place, both the application and the secondary protection need to be undermined concurrently. As bugs continue to be patched, it is less likely that two overlapping bugs will be discovered and known at the same time than that a single bug will be known.

Software Fault Isolation − The first technique, Software Fault Isolation (SFI), developed by Wahbe et al., is an approach to building Java-like sandboxes for dynamically loading arbitrary programs in a language-neutral manner. Unlike JVM-based systems, it can be used regardless of source language and compiler. The only semantic restriction is that dynamic code generation is not allowed within a fault-isolated module.

The system gives each module its own private memory area in which it is isolated as part of the larger program. Static checks ensure that all statically determinable jumps only occur within the module or to permitted external functions, forming the basic mechanism of the sandbox.

Intrusion Detection by Program Analysis − The second technique, host-based intrusion detection by program analysis, was first proposed and evaluated by Wagner and Dean. This IDS performs a static analysis of the program to create an abstract, non-deterministic automaton model of its function and system calls.

While the program is executing, it compares the system call pattern with a running copy of the automaton. If the program ever attempts a system call that violates the model, the system considers that an intruder has tainted the program.

In contrast to other intrusion detection methods, which are based on sample inputs or rule sets, this technique has a demonstrable zero false positive rate, eliminating false alarms. This means the intrusion detection system can start automatic responses such as blocking the system call, shutting down the corrupted program, and alerting the administrator.

The zero false-positive rate is due to the programmatic nature of the IDS, which encloses a model covering all possible legal paths through the program, ensuring that any detected deviation from the model is not generated by the program's own code but by code inserted by a virus or an attacker.
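The following is an added toy illustration of the Wagner and Dean approach described above; it is not code from the article or from their system. The automaton, the syscall names and the server it models are constructed here, and the non-deterministic simulation (tracking a set of possible states) is what lets a single model cover every legal path.

```python
# Added example: a program's statically derived control flow is abstracted
# into a non-deterministic automaton whose edges are system calls; at run
# time the observed syscall sequence is simulated against it, and the first
# call with no matching edge is flagged as a deviation from the program's code.
from collections import deque

EPS = None  # epsilon edge: control flow that makes no system call

# Constructed model of a tiny server: open a config, then loop reading and
# writing on a socket, or exit from either point of the loop.  Two edges out
# of one state reflect branches the static analysis cannot resolve.
MODEL = {
    "start": [("open", "cfg")],
    "cfg":   [("read", "loop"), (EPS, "loop")],
    "loop":  [("read", "got"), ("write", "loop"), ("exit", "done")],
    "got":   [("write", "loop"), ("exit", "done")],
    "done":  [],
}

def epsilon_closure(states, model):
    """All states reachable from `states` via epsilon edges only."""
    seen, work = set(states), deque(states)
    while work:
        for label, nxt in model[work.popleft()]:
            if label is EPS and nxt not in seen:
                seen.add(nxt)
                work.append(nxt)
    return seen

def step(states, syscall, model):
    """One NFA step: follow every edge labelled `syscall`, then epsilon-close."""
    nxt = {t for s in states for label, t in model[s] if label == syscall}
    return epsilon_closure(nxt, model)

def check_trace(trace, model=MODEL, start="start"):
    """Return (ok, index): index is the position of the offending syscall,
    or None when the whole trace is consistent with the model."""
    states = epsilon_closure({start}, model)
    for i, call in enumerate(trace):
        states = step(states, call, model)
        if not states:  # no legal path through the program explains this call
            return False, i
    return True, None

if __name__ == "__main__":
    print(check_trace(["open", "read", "write", "read", "exit"]))  # (True, None)
    # a call the program's own code never makes, e.g. from injected code
    print(check_trace(["open", "read", "execve", "write"]))       # (False, 2)
```

Because the model is derived from the program rather than from observed traffic, a trace the program could legitimately produce never trips the check, which is the source of the zero false-positive property the text describes.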

Updated on: 04-Mar-2022
