
An Efficient Framework for Evaluating the Risk of Zero-Day Vulnerabilities

  • Conference paper

Part of the book series: Communications in Computer and Information Science (CCIS, volume 456)

Abstract

Computer systems are vulnerable to both known and zero-day attacks. Although known attack patterns can be easily modeled, thus enabling the definition of suitable hardening strategies, handling zero-day vulnerabilities is inherently difficult due to their unpredictable nature. Previous research has attempted to assess the risk associated with unknown attack patterns, and a metric to quantify such risk, the \(k\)-zero-day safety metric, has been defined. However, existing algorithms for computing this metric are not scalable, and assume that complete zero-day attack graphs have been generated, which may be infeasible in practice for large networks. In this paper, we propose a framework comprising a suite of polynomial algorithms for estimating the \(k\)-zero-day safety of possibly large networks efficiently, without pre-computing the entire attack graph. We validate our approach experimentally, and show that the proposed solution is computationally efficient and accurate.

The work presented in this paper is supported in part by the National Institute of Standards and Technology under grant number 70NANB12H236, by the Army Research Office under MURI award number W911NF-09-1-0525, and by the Office of Naval Research under award number N00014-12-1-0461. The work of Sushil Jajodia was also supported by the MITRE Sponsored Research Program.



Notes

  1. For exploits directly reachable from initial conditions, \(zdu(e)\) is either \(1\), if \(e\) is a zero-day exploit, or \(0\), otherwise.
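The \(k\)-zero-day safety metric named in the abstract is the smallest number of distinct zero-day exploits an attacker needs to reach a goal condition. The following Python is an added illustration, not the paper's algorithm (which estimates the metric in polynomial time without building the whole attack graph): it computes the exact value by brute force on a small constructed attack graph and encodes the base case of note 1 as `zdu_base`; the exploit names, conditions and graph are all constructed for this example.

```python
from itertools import combinations

# Constructed attack graph (not from the paper): each exploit lists the
# conditions it needs, the conditions it grants, and whether it is a zero-day.
EXPLOITS = {
    "ssh_known":   {"pre": {"net:h1"},  "post": {"user:h1"}, "zero_day": False},
    "zd_direct":   {"pre": {"net:h1"},  "post": {"user:h1"}, "zero_day": True},
    "zd_priv_h1":  {"pre": {"user:h1"}, "post": {"root:h1"}, "zero_day": True},
    "known_scan":  {"pre": {"user:h1"}, "post": {"net:h2"},  "zero_day": False},
    "zd_svc_h2":   {"pre": {"net:h2"},  "post": {"user:h2"}, "zero_day": True},
    "zd_priv_h2":  {"pre": {"user:h2"}, "post": {"root:h2"}, "zero_day": True},
    "known_trust": {"pre": {"root:h1"}, "post": {"root:h2"}, "zero_day": False},
}
INITIAL = {"net:h1"}  # what the attacker holds before any exploit

def zdu_base(name, exploits=EXPLOITS, initial=INITIAL):
    """Base case from note 1: an exploit whose pre-conditions are all initial
    conditions has zdu 1 if it is a zero-day exploit and 0 otherwise. The
    recursive case for deeper exploits is not given on this page."""
    e = exploits[name]
    if not e["pre"] <= initial:
        raise ValueError(f"{name} is not directly reachable from initial conditions")
    return 1 if e["zero_day"] else 0

def reachable(enabled, exploits, initial):
    """Monotone closure: repeatedly apply the enabled exploits whose
    pre-conditions hold until no new condition is gained."""
    conds = set(initial)
    changed = True
    while changed:
        changed = False
        for name in enabled:
            e = exploits[name]
            if e["pre"] <= conds and not e["post"] <= conds:
                conds |= e["post"]
                changed = True
    return conds

def k_zero_day(goal, exploits=EXPLOITS, initial=INITIAL):
    """Exact k-zero-day safety of `goal`: smallest number of distinct zero-day
    exploits that, together with all known exploits, reach it. Brute force over
    zero-day subsets (exponential in their number); None if unreachable."""
    known = [n for n, e in exploits.items() if not e["zero_day"]]
    zero = [n for n, e in exploits.items() if e["zero_day"]]
    for k in range(len(zero) + 1):
        for chosen in combinations(zero, k):
            if goal in reachable(known + list(chosen), exploits, initial):
                return k
    return None
```

In the constructed graph, root on h2 is reachable with a single zero-day via the trust path from h1 even though the direct route through h2 needs two, which is exactly the minimum the metric reports.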



Corresponding author: Sushil Jajodia.


Copyright information

© 2014 Springer-Verlag Berlin Heidelberg

About this paper

Cite this paper

Albanese, M., Jajodia, S., Singhal, A., Wang, L. (2014). An Efficient Framework for Evaluating the Risk of Zero-Day Vulnerabilities. In: Obaidat, M., Filipe, J. (eds) E-Business and Telecommunications. ICETE 2013. Communications in Computer and Information Science, vol 456. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-662-44788-8_19


  • DOI: https://doi.org/10.1007/978-3-662-44788-8_19


  • Publisher Name: Springer, Berlin, Heidelberg

  • Print ISBN: 978-3-662-44787-1

  • Online ISBN: 978-3-662-44788-8

  • eBook Packages: Computer Science (R0)
