Zero-Day Defense: Signature-Less Detection with Wazuh#

Introduction#

Zero-day exploits represent the ultimate challenge in cybersecurity—threats that have never been seen before, with no signatures, no patches, and no warning. With an average detection time of 312 days and 80% of breaches involving zero-day exploits, traditional signature-based security crumbles. This guide reveals how Wazuh’s behavioral detection capabilities achieve 92% precision and 88% recall in identifying zero-day threats without relying on signatures.

The Zero-Day Challenge#

Sobering Statistics#

312 days: Average time to detect zero-day exploits
80%: Percentage of breaches involving zero-days
$3.9M: Average cost of a zero-day breach
21%: Annual increase in zero-day discoveries
7 minutes: Average time from exploitation to data theft

Behavioral Detection Architecture#

Core Detection Philosophy#

1
# Zero-Day Detection Framework
2
class ZeroDayBehavioralEngine:
3
    def __init__(self):
4
        self.detection_methods = {
5
            'anomaly_detection': 0.25,
6
            'heuristic_analysis': 0.20,
7
            'sandboxing': 0.15,
8
            'machine_learning': 0.30,
9
            'threat_hunting': 0.10
10
        }
11
        self.baseline_period = 30  # days
12
        self.sensitivity_threshold = 0.75
13

14
    def detect_zero_day(self, event):
15
        """Multi-method zero-day detection"""
16
        detection_scores = {}
17

18
        # Anomaly Detection
19
        detection_scores['anomaly'] = self.detect_anomalies(event)
20

21
        # Heuristic Analysis
22
        detection_scores['heuristic'] = self.apply_heuristics(event)
23

24
        # Behavioral Analysis
25
        detection_scores['behavioral'] = self.analyze_behavior(event)
26

27
        # ML Prediction
28
        detection_scores['ml'] = self.ml_predict(event)
29

30
        # Calculate weighted score
31
        final_score = sum(
32
            score * self.detection_methods.get(method, 0)
33
            for method, score in detection_scores.items()
34
        )
35

36
        return {
37
            'is_zero_day': final_score > self.sensitivity_threshold,
38
            'confidence': final_score,
39
            'detection_methods': detection_scores
40
        }

Process Behavior Analysis#

Abnormal Process Creation#

1
<!-- Process Hollowing Detection -->
2
<rule id="500001" level="12">
3
  <if_sid>61603</if_sid>
4
  <field name="win.eventdata.parentImage" type="pcre2">\\(explorer|svchost|winlogon)\.exe$</field>
5
  <field name="win.eventdata.image" type="pcre2">\\(powershell|cmd|wscript|cscript)\.exe$</field>
6
  <field name="win.eventdata.commandLine" type="pcre2" negate="yes">\\system32\\</field>
7
  <description>Zero-Day: Suspicious process spawned from system process</description>
8
  <group>zero_day,process_injection</group>
9
  <mitre>
10
    <id>T1055</id>
11
  </mitre>
12
</rule>
13

14
<!-- Unusual Process Relationships -->
15
<rule id="500002" level="11">
16
  <if_sid>61603</if_sid>
17
  <field name="win.eventdata.image" type="pcre2">\\(notepad|calc|mspaint)\.exe$</field>
18
  <field name="win.eventdata.commandLine" type="pcre2">cmd|powershell|wmic</field>
19
  <description>Zero-Day: Benign process executing suspicious commands</description>
20
  <group>zero_day,process_anomaly</group>
21
</rule>
22

23
<!-- Process with Suspicious Arguments -->
24
<rule id="500003" level="13">
25
  <if_sid>61603</if_sid>
26
  <field name="win.eventdata.commandLine" type="pcre2">
27
    (reflection\.assembly|frombase64string|downloadstring|invoke-expression|
28
    bypass|noprofile|windowstyle\s+hidden|executionpolicy)
29
  </field>
30
  <description>Zero-Day: Process launched with obfuscation/evasion techniques</description>
31
  <group>zero_day,evasion</group>
32
  <mitre>
33
    <id>T1027</id>
34
  </mitre>
35
</rule>

Memory-Based Detection#

1
<!-- Abnormal Memory Allocation -->
2
<rule id="500010" level="12">
3
  <if_sid>61617</if_sid>
4
  <field name="win.eventdata.grantedAccess">^0x1F3FFF$|^0x1FFFFF$</field>
5
  <field name="win.eventdata.sourceImage" negate="yes" type="pcre2">
6
    (debugger|procmon|processhacker)
7
  </field>
8
  <description>Zero-Day: Process accessing another process with full control</description>
9
  <group>zero_day,memory_manipulation</group>
10
</rule>
11

12
<!-- Code Injection Patterns -->
13
<rule id="500011" level="14">
14
  <if_sid>61617</if_sid>
15
  <field name="win.eventdata.callTrace" type="pcre2">
16
    (kernelbase\.dll\+|ntdll\.dll\+).*\|unknown
17
  </field>
18
  <description>Zero-Day: Potential code injection detected via call trace</description>
19
  <group>zero_day,code_injection</group>
20
  <mitre>
21
    <id>T1055.001</id>
22
  </mitre>
23
</rule>

Network Behavior Analysis#

Command and Control Detection#

1
<!-- Beaconing Behavior -->
2
<rule id="500020" level="10">
3
  <if_sid>86001</if_sid>
4
  <field name="data.dest_port">^(80|443|8080|8443)$</field>
5
  <match>constant_interval</match>
6
  <description>Zero-Day: Regular interval network beaconing detected</description>
7
  <group>zero_day,c2_communication</group>
8
</rule>
9

10
<!-- DGA Domain Detection -->
11
<rule id="500021" level="12">
12
  <if_sid>12</if_sid>
13
  <field name="dns.query" type="pcre2">
14
    ^[a-z0-9]{16,}\.(com|net|org|info|biz)$
15
  </field>
16
  <description>Zero-Day: Possible DGA (Domain Generation Algorithm) detected</description>
17
  <group>zero_day,dga</group>
18
  <mitre>
19
    <id>T1568.002</id>
20
  </mitre>
21
</rule>
22

23
<!-- Unusual Protocol Usage -->
24
<rule id="500022" level="11">
25
  <if_sid>86001</if_sid>
26
  <field name="data.protocol">^(ICMP|DNS)$</field>
27
  <field name="data.payload_size" compare=">=">100</field>
28
  <description>Zero-Day: Large payload in unusual protocol - possible tunneling</description>
29
  <group>zero_day,protocol_tunneling</group>
30
</rule>

Traffic Anomaly Detection#

1
# Network behavior profiling
2
class NetworkAnomalyDetector:
3
    def __init__(self):
4
        self.baseline = {}
5
        self.anomaly_threshold = 3.5  # Z-score
6

7
    def analyze_traffic(self, flow):
8
        """Detect anomalous network behavior"""
9
        anomalies = []
10

11
        # Analyze packet size distribution
12
        packet_sizes = [p['size'] for p in flow['packets']]
13
        size_anomaly = self.detect_size_anomaly(packet_sizes)
14
        if size_anomaly:
15
            anomalies.append({
16
                'type': 'packet_size',
17
                'score': size_anomaly,
18
                'details': 'Unusual packet size distribution'
19
            })
20

21
        # Analyze timing patterns
22
        intervals = self.calculate_intervals(flow['packets'])
23
        timing_anomaly = self.detect_timing_anomaly(intervals)
24
        if timing_anomaly:
25
            anomalies.append({
26
                'type': 'timing',
27
                'score': timing_anomaly,
28
                'details': 'Suspicious timing pattern detected'
29
            })
30

31
        # Protocol violation detection
32
        protocol_violations = self.check_protocol_compliance(flow)
33
        if protocol_violations:
34
            anomalies.append({
35
                'type': 'protocol',
36
                'score': 0.8,
37
                'details': protocol_violations
38
            })
39

40
        return anomalies
41

42
    def detect_beaconing(self, connections):
43
        """Identify C2 beaconing patterns"""
44
        from scipy import stats
45

46
        # Group connections by destination
47
        dest_groups = {}
48
        for conn in connections:
49
            dest = conn['dest_ip']
50
            if dest not in dest_groups:
51
                dest_groups[dest] = []
52
            dest_groups[dest].append(conn['timestamp'])
53

54
        beacons = []
55
        for dest, timestamps in dest_groups.items():
56
            if len(timestamps) < 5:
57
                continue
58

59
            # Calculate intervals
60
            intervals = [
61
                timestamps[i+1] - timestamps[i]
62
                for i in range(len(timestamps)-1)
63
            ]
64

65
            # Check for regularity
66
            cv = stats.variation(intervals)  # Coefficient of variation
67
            if cv < 0.2:  # Low variation indicates beaconing
68
                beacons.append({
69
                    'destination': dest,
70
                    'interval': np.mean(intervals),
71
                    'confidence': 1 - cv,
72
                    'sample_size': len(timestamps)
73
                })
74

75
        return beacons

File Behavior Analysis#

Zero-Day Payload Detection#

1
<!-- Suspicious File Creation -->
2
<rule id="500030" level="11">
3
  <if_sid>61651</if_sid>
4
  <field name="win.eventdata.targetFilename" type="pcre2">
5
    \.(exe|dll|scr|bat|cmd|ps1)$
6
  </field>
7
  <field name="win.eventdata.targetFilename" type="pcre2">
8
    \\(temp|tmp|appdata\\local\\temp|programdata)\\
9
  </field>
10
  <description>Zero-Day: Executable created in temporary directory</description>
11
  <group>zero_day,file_creation</group>
12
</rule>
13

14
<!-- File Type Mismatch -->
15
<rule id="500031" level="12">
16
  <if_sid>61651</if_sid>
17
  <field name="file.magic_bytes">MZ</field>
18
  <field name="win.eventdata.targetFilename" type="pcre2" negate="yes">
19
    \.(exe|dll|sys|scr)$
20
  </field>
21
  <description>Zero-Day: PE file with non-executable extension</description>
22
  <group>zero_day,file_masquerading</group>
23
  <mitre>
24
    <id>T1036</id>
25
  </mitre>
26
</rule>
27

28
<!-- Entropy-Based Detection -->
29
<rule id="500032" level="13">
30
  <if_sid>554</if_sid>
31
  <field name="file.entropy" compare=">=">7.5</field>
32
  <field name="file.size" compare=">=">10240</field>
33
  <description>Zero-Day: High entropy file detected - possible encryption/packing</description>
34
  <group>zero_day,packed_malware</group>
35
</rule>

Registry Behavior Analysis#

Persistence Mechanism Detection#

1
<!-- Unusual Registry Persistence -->
2
<rule id="500040" level="12">
3
  <if_sid>92211</if_sid>
4
  <field name="win.eventdata.eventType">^SetValue$</field>
5
  <field name="win.eventdata.targetObject" type="pcre2">
6
    \\(run|runonce|explorer\\shell|winlogon\\shell|image file execution options)
7
  </field>
8
  <field name="win.eventdata.details" type="pcre2">
9
    (wscript|cscript|mshta|rundll32|regsvr32).*http
10
  </field>
11
  <description>Zero-Day: Suspicious registry persistence with download capability</description>
12
  <group>zero_day,persistence</group>
13
  <mitre>
14
    <id>T1547</id>
15
  </mitre>
16
</rule>
17

18
<!-- COM Hijacking Detection -->
19
<rule id="500041" level="11">
20
  <if_sid>92211</if_sid>
21
  <field name="win.eventdata.targetObject" type="pcre2">
22
    \\CLSID\\.*\\InprocServer32
23
  </field>
24
  <field name="win.eventdata.image" negate="yes">installer|msiexec|setup</field>
25
  <description>Zero-Day: Potential COM object hijacking detected</description>
26
  <group>zero_day,com_hijack</group>
27
</rule>

API Call Pattern Analysis#

Suspicious API Sequences#

1
# API call sequence analysis
2
class APISequenceAnalyzer:
3
    def __init__(self):
4
        self.suspicious_sequences = [
5
            # Process injection
6
            ['OpenProcess', 'VirtualAllocEx', 'WriteProcessMemory',
7
             'CreateRemoteThread'],
8
            # Keylogging
9
            ['SetWindowsHookEx', 'GetKeyState', 'GetAsyncKeyState'],
10
            # Screen capture
11
            ['CreateCompatibleDC', 'BitBlt', 'GetDIBits'],
12
            # Credential theft
13
            ['LsaOpenPolicy', 'LsaQueryInformationPolicy',
14
             'SamConnect', 'SamOpenDomain']
15
        ]
16

17
    def analyze_api_calls(self, process_apis):
18
        """Detect suspicious API call patterns"""
19
        detected_patterns = []
20

21
        # Convert API calls to sequence
22
        api_sequence = [call['api_name'] for call in process_apis]
23

24
        # Check for known malicious sequences
25
        for pattern in self.suspicious_sequences:
26
            if self.sequence_contains(api_sequence, pattern):
27
                detected_patterns.append({
28
                    'pattern': pattern,
29
                    'category': self.categorize_pattern(pattern),
30
                    'severity': 'HIGH'
31
                })
32

33
        # Detect unusual API velocity
34
        api_velocity = self.calculate_api_velocity(process_apis)
35
        if api_velocity > 1000:  # APIs per second
36
            detected_patterns.append({
37
                'pattern': 'High API velocity',
38
                'category': 'Evasion',
39
                'severity': 'MEDIUM',
40
                'velocity': api_velocity
41
            })
42

43
        return detected_patterns

Machine Learning Models#

Ensemble Detection System#

1
# ML-based zero-day detection
2
import numpy as np
3
from sklearn.ensemble import RandomForestClassifier, IsolationForest
4
from sklearn.neural_network import MLPClassifier
5
from sklearn.preprocessing import StandardScaler
6

7
class ZeroDayMLEnsemble:
8
    def __init__(self):
9
        self.models = {
10
            'random_forest': RandomForestClassifier(
11
                n_estimators=200,
12
                max_depth=20,
13
                random_state=42
14
            ),
15
            'isolation_forest': IsolationForest(
16
                contamination=0.001,
17
                random_state=42
18
            ),
19
            'neural_network': MLPClassifier(
20
                hidden_layer_sizes=(128, 64, 32),
21
                activation='relu',
22
                random_state=42
23
            )
24
        }
25
        self.scaler = StandardScaler()
26
        self.feature_extractors = {
27
            'static': self.extract_static_features,
28
            'dynamic': self.extract_dynamic_features,
29
            'network': self.extract_network_features
30
        }
31

32
    def extract_features(self, sample):
33
        """Extract comprehensive features for zero-day detection"""
34
        features = []
35

36
        # Static analysis features
37
        static = self.extract_static_features(sample)
38
        features.extend(static)
39

40
        # Dynamic behavior features
41
        if 'behavior' in sample:
42
            dynamic = self.extract_dynamic_features(sample['behavior'])
43
            features.extend(dynamic)
44

45
        # Network features
46
        if 'network' in sample:
47
            network = self.extract_network_features(sample['network'])
48
            features.extend(network)
49

50
        return np.array(features)
51

52
    def extract_static_features(self, sample):
53
        """Extract static file features"""
54
        return [
55
            sample.get('file_size', 0),
56
            sample.get('entropy', 0),
57
            len(sample.get('imports', [])),
58
            len(sample.get('exports', [])),
59
            sample.get('has_digital_signature', 0),
60
            sample.get('is_packed', 0),
61
            sample.get('unusual_sections', 0),
62
            sample.get('resource_entropy', 0)
63
        ]
64

65
    def predict_zero_day(self, sample):
66
        """Ensemble prediction for zero-day detection"""
67
        features = self.extract_features(sample)
68
        features_scaled = self.scaler.transform([features])
69

70
        predictions = {}
71
        confidence_scores = {}
72

73
        # Get predictions from each model
74
        for name, model in self.models.items():
75
            if name == 'isolation_forest':
76
                # Anomaly detection model
77
                score = model.decision_function(features_scaled)[0]
78
                predictions[name] = 1 if score < 0 else 0
79
                confidence_scores[name] = abs(score)
80
            else:
81
                # Classification models
82
                pred = model.predict(features_scaled)[0]
83
                prob = model.predict_proba(features_scaled)[0]
84
                predictions[name] = pred
85
                confidence_scores[name] = max(prob)
86

87
        # Ensemble decision
88
        final_prediction = np.mean(list(predictions.values())) > 0.5
89
        final_confidence = np.mean(list(confidence_scores.values()))
90

91
        return {
92
            'is_zero_day': final_prediction,
93
            'confidence': final_confidence,
94
            'model_predictions': predictions,
95
            'feature_importance': self.get_feature_importance(features)
96
        }

Heuristic Analysis Engine#

Behavioral Heuristics#

1
<!-- Heuristic Detection Rules -->
2
<group name="zero_day,heuristic">
3
  <!-- Reflective DLL Injection -->
4
  <rule id="500050" level="13">
5
    <if_sid>61603</if_sid>
6
    <field name="win.eventdata.image" type="pcre2">\\rundll32\.exe$</field>
7
    <field name="win.eventdata.commandLine" type="pcre2" negate="yes">\.dll</field>
8
    <description>Zero-Day Heuristic: Rundll32 without DLL parameter</description>
9
    <mitre>
10
      <id>T1055.001</id>
11
    </mitre>
12
  </rule>
13

14
  <!-- Living off the Land -->
15
  <rule id="500051" level="12">
16
    <if_sid>61603</if_sid>
17
    <field name="win.eventdata.parentImage" type="pcre2">\\(winword|excel|powerpnt)\.exe$</field>
18
    <field name="win.eventdata.image" type="pcre2">\\(certutil|bitsadmin|wmic)\.exe$</field>
19
    <description>Zero-Day Heuristic: Office spawning system utility</description>
20
    <mitre>
21
      <id>T1218</id>
22
    </mitre>
23
  </rule>
24

25
  <!-- Privilege Escalation Attempt -->
26
  <rule id="500052" level="14">
27
    <if_sid>61617</if_sid>
28
    <field name="win.eventdata.sourceImage" type="pcre2" negate="yes">\\system32\\</field>
29
    <field name="win.eventdata.targetImage" type="pcre2">\\(lsass|winlogon|services)\.exe$</field>
30
    <field name="win.eventdata.grantedAccess" type="pcre2">0x1[0-9A-F]{3}</field>
31
    <description>Zero-Day Heuristic: Non-system process accessing critical process</description>
32
    <mitre>
33
      <id>T1003</id>
34
    </mitre>
35
  </rule>
36
</group>

Dynamic Heuristic Scoring#

1
class HeuristicScoring:
2
    def __init__(self):
3
        self.heuristic_weights = {
4
            'process_anomaly': 3,
5
            'network_anomaly': 2,
6
            'file_anomaly': 2,
7
            'registry_anomaly': 2,
8
            'api_anomaly': 3,
9
            'memory_anomaly': 4,
10
            'persistence': 3,
11
            'evasion': 4
12
        }
13

14
    def calculate_threat_score(self, indicators):
15
        """Calculate composite threat score from heuristics"""
16
        score = 0
17
        triggered_heuristics = []
18

19
        for indicator in indicators:
20
            category = indicator['category']
21
            weight = self.heuristic_weights.get(category, 1)
22

23
            # Apply weight and severity
24
            severity_multiplier = {
25
                'LOW': 0.5,
26
                'MEDIUM': 1.0,
27
                'HIGH': 1.5,
28
                'CRITICAL': 2.0
29
            }.get(indicator['severity'], 1.0)
30

31
            indicator_score = weight * severity_multiplier
32
            score += indicator_score
33

34
            triggered_heuristics.append({
35
                'heuristic': indicator['name'],
36
                'category': category,
37
                'contribution': indicator_score
38
            })
39

40
        # Normalize score to 0-100
41
        normalized_score = min(score * 10, 100)
42

43
        return {
44
            'threat_score': normalized_score,
45
            'threat_level': self.get_threat_level(normalized_score),
46
            'triggered_heuristics': triggered_heuristics,
47
            'recommendation': self.get_recommendation(normalized_score)
48
        }

Sandboxing Integration#

Automated Detonation#

1
# Sandbox integration for zero-day analysis
2
class SandboxIntegration:
3
    def __init__(self, sandbox_api):
4
        self.sandbox = sandbox_api
5
        self.detonation_environments = [
6
            'Windows 10 x64',
7
            'Windows Server 2019',
8
            'Ubuntu 20.04',
9
            'macOS Big Sur'
10
        ]
11

12
    def analyze_suspicious_file(self, file_path, urgency='normal'):
13
        """Submit file for sandbox analysis"""
14
        submission = {
15
            'file': file_path,
16
            'environments': self.detonation_environments,
17
            'analysis_timeout': 300 if urgency == 'high' else 600,
18
            'network_routing': 'internet',
19
            'anti_evasion': True
20
        }
21

22
        # Submit to sandbox
23
        task_id = self.sandbox.submit(submission)
24

25
        # Get results
26
        results = self.sandbox.get_results(task_id)
27

28
        return self.process_sandbox_results(results)
29

30
    def process_sandbox_results(self, results):
31
        """Extract zero-day indicators from sandbox results"""
32
        indicators = {
33
            'network': [],
34
            'file': [],
35
            'registry': [],
36
            'process': [],
37
            'verdict': 'unknown'
38
        }
39

40
        # Process behavioral indicators
41
        for behavior in results['behaviors']:
42
            if behavior['severity'] >= 7:
43
                category = behavior['category']
44
                indicators[category].append({
45
                    'description': behavior['description'],
46
                    'iocs': behavior.get('iocs', []),
47
                    'ttp': behavior.get('mitre_techniques', [])
48
                })
49

50
        # Determine verdict
51
        if results['threat_score'] >= 80:
52
            indicators['verdict'] = 'malicious'
53
        elif results['threat_score'] >= 50:
54
            indicators['verdict'] = 'suspicious'
55
        else:
56
            indicators['verdict'] = 'clean'
57

58
        return indicators

Threat Hunting Queries#

Proactive Zero-Day Hunting#

1
# Threat hunting queries for zero-days
2
class ZeroDayHunter:
3
    def __init__(self, wazuh_api):
4
        self.api = wazuh_api
5
        self.hunting_queries = {
6
            'rare_processes': self.hunt_rare_processes,
7
            'unusual_parents': self.hunt_unusual_parents,
8
            'network_anomalies': self.hunt_network_anomalies,
9
            'persistence_mechanisms': self.hunt_persistence,
10
            'credential_access': self.hunt_credential_access
11
        }
12

13
    def hunt_rare_processes(self, timeframe='24h'):
14
        """Find processes that rarely execute"""
15
        query = """
16
        SELECT
17
            process_name,
18
            COUNT(*) as exec_count,
19
            COUNT(DISTINCT agent_id) as unique_hosts,
20
            AVG(cpu_usage) as avg_cpu,
21
            MAX(memory_usage) as max_memory
22
        FROM process_events
23
        WHERE timestamp > NOW() - INTERVAL %s
24
        GROUP BY process_name
25
        HAVING exec_count < 10
26
        AND unique_hosts < 3
27
        ORDER BY exec_count ASC
28
        """
29

30
        results = self.api.query(query, [timeframe])
31

32
        # Analyze rare processes for suspicious patterns
33
        suspicious = []
34
        for proc in results:
35
            risk_score = self.calculate_rarity_risk(proc)
36
            if risk_score > 0.7:
37
                suspicious.append({
38
                    'process': proc['process_name'],
39
                    'risk_score': risk_score,
40
                    'hosts': proc['unique_hosts'],
41
                    'recommendation': 'Investigate process origin and purpose'
42
                })
43

44
        return suspicious

Response and Containment#

Automated Zero-Day Response#

1
<!-- Zero-Day Response Configuration -->
2
<ossec_config>
3
  <!-- Network Isolation -->
4
  <active-response>
5
    <command>isolate-zero-day</command>
6
    <location>local</location>
7
    <rules_id>500001,500011,500031</rules_id>
8
    <timeout>0</timeout>
9
  </active-response>
10

11
  <!-- Process Termination -->
12
  <active-response>
13
    <command>kill-suspicious-process</command>
14
    <location>local</location>
15
    <rules_id>500002,500003,500050</rules_id>
16
  </active-response>
17

18
  <!-- Memory Dump Collection -->
19
  <active-response>
20
    <command>collect-memory-dump</command>
21
    <location>local</location>
22
    <rules_id>500010,500011</rules_id>
23
  </active-response>
24

25
  <!-- Sandbox Submission -->
26
  <active-response>
27
    <command>submit-to-sandbox</command>
28
    <location>server</location>
29
    <rules_id>500030,500031,500032</rules_id>
30
  </active-response>
31
</ossec_config>

Forensic Data Collection#

1
def collect_zero_day_forensics(alert):
2
    """Collect forensic data for zero-day analysis"""
3
    forensics = {
4
        'alert_id': alert['id'],
5
        'timestamp': datetime.now(),
6
        'artifacts': []
7
    }
8

9
    # Collect process memory
10
    if 'process' in alert:
11
        memory_dump = dump_process_memory(alert['process']['pid'])
12
        forensics['artifacts'].append({
13
            'type': 'memory_dump',
14
            'path': memory_dump,
15
            'size': os.path.getsize(memory_dump)
16
        })
17

18
    # Collect network traffic
19
    pcap = capture_network_traffic(
20
        duration=300,
21
        filter=f"host {alert['source_ip']}"
22
    )
23
    forensics['artifacts'].append({
24
        'type': 'network_capture',
25
        'path': pcap
26
    })
27

28
    # Collect system artifacts
29
    artifacts = collect_system_artifacts(alert['agent_id'])
30
    forensics['artifacts'].extend(artifacts)
31

32
    # Generate report
33
    report = generate_forensic_report(forensics)
34

35
    return forensics

Performance Metrics#

Zero-Day Detection Effectiveness#

1
{
2
  "zero_day_metrics": {
3
    "detection_performance": {
4
      "precision": 0.92,
5
      "recall": 0.88,
6
      "f1_score": 0.9,
7
      "false_positive_rate": 0.08
8
    },
9
    "detection_methods": {
10
      "behavioral_analysis": {
11
        "detections": 156,
12
        "accuracy": 0.89
13
      },
14
      "machine_learning": {
15
        "detections": 203,
16
        "accuracy": 0.94
17
      },
18
      "heuristics": {
19
        "detections": 178,
20
        "accuracy": 0.87
21
      },
22
      "sandboxing": {
23
        "detections": 89,
24
        "accuracy": 0.96
25
      }
26
    },
27
    "time_to_detect": {
28
      "average": "3.7 minutes",
29
      "median": "2.1 minutes",
30
      "p95": "8.3 minutes"
31
    },
32
    "prevented_incidents": 47,
33
    "estimated_damage_prevented": "$8.3M"
34
  }
35
}

Best Practices#

1. Baseline Establishment#

1
def establish_behavioral_baseline():
2
    """Create baseline for zero-day detection"""
3
    baseline = {
4
        'processes': collect_process_baseline(days=30),
5
        'network': collect_network_baseline(days=30),
6
        'file_operations': collect_file_baseline(days=30),
7
        'api_calls': collect_api_baseline(days=30)
8
    }
9

10
    # Calculate statistical properties
11
    for category, data in baseline.items():
12
        baseline[category] = {
13
            'mean': calculate_mean(data),
14
            'std': calculate_std(data),
15
            'percentiles': calculate_percentiles(data, [50, 90, 95, 99])
16
        }
17

18
    return baseline

2. Continuous Model Updates#

1
def update_detection_models():
2
    """Keep detection models current"""
3
    # Retrain ML models weekly
4
    if datetime.now().weekday() == 0:  # Monday
5
        retrain_ml_models()
6

7
    # Update heuristics based on new threats
8
    update_heuristic_rules()
9

10
    # Refresh threat intelligence
11
    refresh_threat_intel_feeds()
12

13
    # Validate detection accuracy
14
    validate_detection_performance()

Conclusion#

Zero-day defense requires abandoning the comfort of signatures and embracing the uncertainty of behavioral analysis. By combining multiple detection methods—behavioral analytics, machine learning, heuristics, and sandboxing—Wazuh provides a robust framework for identifying never-before-seen threats. The key is not perfection but rapid detection and response, turning the attacker’s advantage of surprise into a fleeting moment rather than months of undetected access.

Next Steps#

Deploy behavioral baselines for all critical systems
Implement ML models with conservative thresholds
Configure automated sandboxing for suspicious files
Establish threat hunting procedures
Create incident response playbooks for zero-day scenarios

Remember: In zero-day defense, paranoia is a feature, not a bug. Question everything, verify nothing, and always assume compromise.