xMiner: Nip the Zero Day Exploits in the Bud

Abstract

Vulnerability exploits present in malformed messages are one of the major sources to remotely launch malicious activities in different protocols. Sometimes, a single malformed message could be enough to crash remote servers or to gain unfettered access over them. In this paper, we propose the design of a generic vulnerability exploits detection system xMiner to detect malformed messages in real time for avoiding any network hazard. The proposed xMiner exploits the information embedded within byte-level sequences of network messages. xMiner applies multi-order Markov process and principal component analysis (PCA) to extract novel discriminative features and uses them to detect attacks launched through malicious packets in real-time. The novelty of xMiner lies in its light-weight design which requires less processing and memory resources and makes it easily deployable on resource-constrained devices like smart phones. The system is evaluated on real-world datasets pertaining to three different protocols -- HTTP, FTP and SIP. Five different classifiers are deployed to establish the effectiveness of the proposed system. On evaluation we found that the decision tree classifier performs well for HTTP and FTP datasets whereas, SVM shows highest performance in case of SIP packets.