Abstract
Computer systems are vulnerable to both known and zero-day attacks. Although known attack patterns can be easily modeled, thus enabling the definition of suitable hardening strategies, handling zero-day vulnerabilities is inherently difficult due to their unpredictable nature. Previous research has attempted to assess the risk associated with unknown attack patterns, and a metric to quantify such risk, the \(k\)-zero-day safety metric, has been defined. However, existing algorithms for computing this metric are not scalable, and assume that complete zero-day attack graphs have been generated, which may be infeasible in practice for large networks. In this paper, we propose a framework comprising a suite of polynomial algorithms for estimating the \(k\)-zero-day safety of possibly large networks efficiently, without pre-computing the entire attack graph. We validate our approach experimentally, and show that the proposed solution is computationally efficient and accurate.
The work presented in this paper is supported in part by the National Institute of Standards and Technology under grant number 70NANB12H236, by the Army Research Office under MURI award number W911NF-09-1-0525, and by the Office of Naval Research under award number N00014-12-1-0461. The work of Sushil Jajodia was also supported by the MITRE Sponsored Research Program.
Notes
1. For exploits directly reachable from initial conditions, \(zdu(e)\) is \(1\) if \(e\) is a zero-day exploit and \(0\) otherwise.
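As an added illustration (not code from the paper), the following computes the \(k\)-zero-day safety metric exactly, by its definition, on a small constructed attack graph: the smallest number of distinct zero-day exploits whose addition to the known exploits makes the target condition reachable. The exhaustive subset search is exponential in the number of zero-day exploits, which is the scalability problem the abstract refers to; the paper's polynomial estimation algorithms are not reproduced here, and the exploit names and conditions are invented for the example.

```python
from itertools import combinations

# Constructed toy attack graph (not from the paper). Each exploit maps to
# (preconditions, postconditions): all preconditions must hold for the exploit
# to run, after which every postcondition holds. Names starting with "0day"
# denote unknown (zero-day) vulnerabilities; all others are known exploits.
INITIAL = {"net(attacker,web)", "net(web,db)", "user(attacker)"}
EXPLOITS = {
    "known_web_rce":     ({"net(attacker,web)", "user(attacker)"}, {"user(web)"}),
    "0day_web":          ({"net(attacker,web)", "user(attacker)"}, {"user(web)"}),
    "0day_db_service":   ({"net(web,db)", "user(web)"},            {"user(db)"}),
    "0day_db_privesc":   ({"user(db)"},                            {"root(db)"}),
    "known_db_misconf":  ({"user(db)"},                            {"root(db)"}),
}

def is_zero_day(name):
    return name.startswith("0day")

def reachable(initial, exploits, allowed):
    """Forward fixpoint: the set of conditions that become true when the
    attacker may use only the exploits named in `allowed`."""
    holds = set(initial)
    changed = True
    while changed:
        changed = False
        for name in allowed:
            pre, post = exploits[name]
            if pre <= holds and not post <= holds:
                holds |= post
                changed = True
    return holds

def k_zero_day_safety(target, initial=INITIAL, exploits=EXPLOITS):
    """Minimum number of distinct zero-day exploits needed, together with all
    known exploits, to make `target` true. Tries zero-day subsets of increasing
    size, so it is exponential in the number of zero-day exploits. Returns None
    if `target` is unreachable even with every zero-day exploit available."""
    known = [e for e in exploits if not is_zero_day(e)]
    zero_days = [e for e in exploits if is_zero_day(e)]
    for k in range(len(zero_days) + 1):
        for subset in combinations(zero_days, k):
            if target in reachable(initial, exploits, known + list(subset)):
                return k
    return None

if __name__ == "__main__":
    # root(db) needs only 0day_db_service; patching known_db_misconf forces a
    # second zero-day (0day_db_privesc), raising k from 1 to 2.
    hardened = {n: v for n, v in EXPLOITS.items() if n != "known_db_misconf"}
    print(k_zero_day_safety("root(db)"), k_zero_day_safety("root(db)", exploits=hardened))
```

A larger \(k\) means the attacker must find more distinct unknown vulnerabilities, so comparing \(k\) before and after a candidate hardening step is one way to rank the step's value.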
© 2014 Springer-Verlag Berlin Heidelberg
Cite this paper
Albanese, M., Jajodia, S., Singhal, A., Wang, L. (2014). An Efficient Framework for Evaluating the Risk of Zero-Day Vulnerabilities. In: Obaidat, M., Filipe, J. (eds) E-Business and Telecommunications. ICETE 2013. Communications in Computer and Information Science, vol 456. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-662-44788-8_19
DOI: https://doi.org/10.1007/978-3-662-44788-8_19
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-662-44787-1
Online ISBN: 978-3-662-44788-8
eBook Packages: Computer Science (R0)