Implementation and Design of a Zero-Day Intrusion Detection and Response System for Responding to Network Security Blind Spots


Bibliographic Details
Published in: Mobile Information Systems, Vol. 2022, pp. 1-13
Main Authors: Choi, Won-Seok; Lee, Si-Young; Choi, Seong-Gon
Format: Journal Article
Language: English
Published: Amsterdam: Hindawi / John Wiley & Sons, Inc., 08.04.2022
ISSN: 1574-017X, 1875-905X
DOI: 10.1155/2022/6743070

Summary: We propose a zero-day intrusion detection and response system (ZDRS) for responding to network security blind spots. An existing detection and response system for the analysis of zero-day attacks uses a full-packet storage method; thus, the longer it takes to recognize a zero-day attack, the higher the packet storage capacity and inspection cost become. To solve the storage capacity and inspection cost problems, we design a ZDRS architecture for a retroactive security check (RSC) that uses a first-N packet storage method. For fast verification of the RSC result, we propose a drill-down session metadata searching algorithm that uses session and flow metadata. The ZDRS comprises a network processing unit and a security processing unit. The network processing unit generates the metadata needed for RSC verification and stores packets efficiently using the first-N packet storage method. The security processing unit performs the RSC and verifies its result using the drill-down session metadata searching algorithm. For performance analysis, we implemented ZDRS and analyzed its storage efficiency, detection efficiency, and detection speed at the campus level. In the implementation results, the amount of stored data decreased from 3.4 terabytes under the full-packet storage method to 62 gigabytes, i.e., to 1.82% of the original, and storage efficiency increased by 54.84 times. Furthermore, a detection rate of 99.55% relative to the full-packet storage method was confirmed when storing only the first 5 kilobytes.