Abstract

We propose a zero-day intrusion detection and response system (ZDRS) to address network security blind spots. Existing detection and response systems analyze zero-day attacks using a full-packet storage method; consequently, the longer a zero-day attack goes unrecognized, the more packet storage capacity and inspection effort it requires. To address these storage and inspection costs, we design a ZDRS architecture that performs a retroactive security check (RSC) over data kept with a first-N packet storage method. For fast verification of RSC results, we propose a drill-down session metadata searching algorithm that operates on session and flow metadata. The ZDRS comprises a network processing unit and a security processing unit. The network processing unit generates the metadata used for RSC verification and stores packets efficiently with the first-N packet storage method. The security processing unit performs the RSC and verifies its results with the drill-down session metadata searching algorithm. To evaluate ZDRS, we implemented it and analyzed its storage efficiency, detection efficiency, and detection speed on campus-level traffic. Compared with the full-packet storage method, stored data fell from 3.4 terabytes to 62 gigabytes, i.e., to 1.82% of the original volume, a 54.84-fold gain in storage efficiency. Furthermore, when only the first 5 kilobytes are stored, a detection rate of 99.55% relative to the full-packet storage method was confirmed.
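The first-N storage and retroactive check described above, as an added illustration in Python that is not code from the paper or from the ZDRS implementation: sessions are keyed by a direction-agnostic 5-tuple, only the first N bytes of each session are retained alongside session and flow metadata (timestamps, packet and byte counts), and a signature learned after the fact is checked retroactively by first narrowing candidates on metadata and only then scanning the stored prefixes. The packets, the 5 KB value of N, the hypothetical `FirstNStore` class and the marker string are all constructed for the example; the third session, whose marker lies beyond the first N bytes, shows the kind of miss that keeps the detection rate below 100%.

```python
# Added illustration of first-N packet storage with metadata drill-down and a
# retroactive check. Not the ZDRS code; all traffic and names are constructed.
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Optional

N_BYTES = 5 * 1024                          # per-session budget; 5 KB as in the evaluation
EXPLOIT_MARKER = b"X-DEMO-ZERO-DAY-MARKER"  # constructed stand-in for a signature learned later


@dataclass
class Packet:
    ts: float
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    payload: bytes


@dataclass
class Session:
    key: tuple                  # session metadata: (proto, host_a, port_a, host_b, port_b)
    first_ts: float
    last_ts: float
    packets: int = 0            # flow metadata keeps growing after the byte budget is spent
    wire_bytes: int = 0         # what a full-packet store would have kept for this session
    prefix: bytearray = field(default_factory=bytearray)  # the first N bytes actually kept


class FirstNStore:
    """Network-processing side: build metadata, keep only the first N bytes per session."""

    def __init__(self, n_bytes: int = N_BYTES) -> None:
        self.n = n_bytes
        self.sessions = {}      # session key -> Session, in first-seen order

    @staticmethod
    def session_key(p: Packet) -> tuple:
        # Order the endpoints so both directions of a connection map to one session.
        a, b = (p.src, p.sport), (p.dst, p.dport)
        lo, hi = (a, b) if a <= b else (b, a)
        return (p.proto, lo[0], lo[1], hi[0], hi[1])

    def ingest(self, p: Packet) -> None:
        k = self.session_key(p)
        s = self.sessions.get(k)
        if s is None:
            s = self.sessions[k] = Session(key=k, first_ts=p.ts, last_ts=p.ts)
        s.last_ts = p.ts
        s.packets += 1
        s.wire_bytes += len(p.payload)
        room = self.n - len(s.prefix)
        if room > 0:            # once the budget is spent only metadata is updated
            s.prefix += p.payload[:room]

    def storage_ratio(self) -> float:
        stored = sum(len(s.prefix) for s in self.sessions.values())
        wire = sum(s.wire_bytes for s in self.sessions.values())
        return stored / wire if wire else 0.0

    # Security-processing side: drill down on cheap metadata first, touch bytes last.
    def drill_down(self, proto: Optional[str] = None, port: Optional[int] = None,
                   host: Optional[str] = None, since: Optional[float] = None) -> list:
        out = []
        for s in self.sessions.values():
            pr, ha, pa, hb, pb = s.key
            if proto is not None and pr != proto:
                continue
            if port is not None and port not in (pa, pb):
                continue
            if host is not None and host not in (ha, hb):
                continue
            if since is not None and s.last_ts < since:
                continue
            out.append(s)
        return out

    def retroactive_check(self, signature: bytes, **filters) -> list:
        """Keys of metadata-matched sessions whose stored prefix contains the signature."""
        return [s.key for s in self.drill_down(**filters) if signature in s.prefix]


def build_sample_traffic() -> list:
    """Constructed packets: marker early (A), benign bulk TLS (B), marker deep (C), DNS (D)."""
    pkts = [Packet(1.0, "tcp", "10.0.0.5", 40001, "192.0.2.10", 80,
                   b"GET /index.php?q=" + EXPLOIT_MARKER + b" HTTP/1.1\r\nHost: demo\r\n\r\n")]
    pkts += [Packet(1.1 + i * 0.01, "tcp", "192.0.2.10", 80, "10.0.0.5", 40001, b"A" * 1400)
             for i in range(20)]
    pkts += [Packet(2.0 + i * 0.01, "tcp", "10.0.0.7", 40002, "192.0.2.20", 443,
                    b"\x17\x03\x03" + bytes([i]) * 1400) for i in range(50)]
    pkts += [Packet(3.0, "tcp", "10.0.0.9", 40003, "192.0.2.30", 80, b"B" * 8000),
             Packet(3.1, "tcp", "10.0.0.9", 40003, "192.0.2.30", 80, EXPLOIT_MARKER + b"C" * 100)]
    pkts.append(Packet(4.0, "udp", "10.0.0.5", 53001, "192.0.2.53", 53,
                       b"\x12\x34\x01\x00\x00\x01\x00\x00\x00\x00\x00\x00\x07example\x03com\x00\x00\x01\x00\x01"))
    return pkts


def run_demo(n_bytes: int = N_BYTES) -> dict:
    store = FirstNStore(n_bytes)
    full = defaultdict(bytearray)   # full-packet baseline, kept here only for comparison
    for p in build_sample_traffic():
        store.ingest(p)
        full[FirstNStore.session_key(p)] += p.payload
    return {
        "sessions": len(store.sessions),
        "storage_ratio": store.storage_ratio(),
        "first_n_hits": store.retroactive_check(EXPLOIT_MARKER, proto="tcp", port=80),
        "full_hits": [k for k, data in full.items() if EXPLOIT_MARKER in data],
    }


if __name__ == "__main__":
    r = run_demo()
    print(f"sessions={r['sessions']} stored/wire={r['storage_ratio']:.3f}")
    print("first-N hits:", r["first_n_hits"])
    print("full-capture hits:", r["full_hits"])
```

Running `run_demo()` with the 5 KB budget finds the marker in session A but not in session C, where it sits past the stored prefix, while the full-capture baseline finds both; raising `n_bytes` to 10 KB recovers the second hit at the cost of more storage. The `drill_down` filters (protocol, port, host, last-seen time) are the metadata-first step: the byte scan only runs on sessions that survive them, which is what keeps RSC verification cheap when the stored volume is large.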
