Abstract
The security of deployed and actively used systems is a moving target, influenced by factors that are not captured in the existing security models and metrics. For example, estimating the number of vulnerabilities in source code does not account for the fact that cyber attackers never exploit some of the discovered vulnerabilities, in the presence of reduced attack surfaces and of technologies that render exploits less likely to succeed. Conversely, some vulnerabilities are exploited stealthily before their public disclosure, in zero-day attacks, and old vulnerabilities continue to impact security in the wild until all vulnerable hosts are patched. As such,we currently do not know how to assess the security of systems in active use. In this chapter, we report on empirical studies of security in the real world, using field data collected on 10+ million real hosts that are targeted by cyber attacks (rather than on honeypots or in small-scale lab settings). Our empirical findings and the novel metrics we evaluate on this field data will enable a more accurate assessment of the risk of cyber attacks, by taking into account the vulnerabilities and attacks that matter most in practice.
This is a preview of subscription content, log in via an institution to check access.
Access this chapter
Tax calculation will be finalised at checkout
Purchases are for personal use only
Notes
- 1.
Approximate lines of code, in millions: Windows 2000\(\simeq 30\), Windows XP\(\simeq 45\), Windows Server 2003\(\simeq 50\), Windows Vista, Windows 7\(> 50\) (http://bit.ly/RKDHIm;http://bit.ly/5LkKx,http://tek.io/g3rBrB).
References
Adobe Systems Incorporated: Security bulletins and advisories.http://www.adobe.com/support/security/ (2012)
Allodi, L.: Attacker economics for internet-scale vulnerability risk assessment. In: Proceedings of Usenix LEET Workshop (2013)
Allodi, L., Massacci, F.: A preliminary analysis of vulnerability scores for attacks in wild. In: CCS BADGERS Workshop. Raleigh, NC (2012)
Anderson, R., Moore, T.: The economics of information security. In: Science, vol. 314, no. 5799 (2006)
Arbaugh, W.A., Fithen, W.L., McHugh, J.: Windows of vulnerability: A case study analysis. IEEE Computer33(12) (2000)
Arora, A., Krishnan, R., Nandkumar, A., Telang, R., Yang, Y.: Impact of vulnerability disclosure and patch availability - an empirical analysis. In: Workshop on the Economics of Information Security (WEIS 2004) (2004)
Beattie, S., Arnold, S., Cowan, C., Wagle, P., Wright, C.: Timing the application of security patches for optimal uptime. In: Large Installation System Administration Conference, pp. 233–242. Philadelphia, PA (2002). URLhttp://www.usenix.org/events/lisa02/tech/beattie.html
Bilge, L., Dumitraş, T.: Before we knew it: an empirical study of zero-day attacks in the real world. In: ACM Conference on Computer and Communications Security, pp. 833–844 (2012)
Bollinger, J.: Economies of disclosure. In: SIGCAS Comput. Soc. (2004)
Bozorgi, M., Saul, L.K., Savage, S., Voelker, G.M.: Beyond heuristics: learning to classify vulnerabilities and predict exploits. In: KDD. Washington, DC (2010)
Cavusoglu, H.C.H., Raghunathan, S.: Emerging issues in responsible vulnerability disclosure. In: Workshop on Information Technology and Systems (2004)
Clark, S., Frei, S., Blaze, M., Smith, J.: Familiarity breeds contempt: The honeymoon effect and the role of legacy code in zero-day vulnerabilities. In: Proceedings of the 26th Annual Computer Security Applications Conference, ACSAC ’10, pp. 251–260. ACM, New York, NY, USA (2010).. URLhttp://doi.acm.org/10.1145/1920261.1920299
CrySyS Lab: sKyWIper (a.k.a. Flame a.k.a. Flamer): A complex malware for targeted attacks. Tech. rep., Budapest University of Technology and Economics (2012). URLhttp://www.crysys.hu/skywiper/skywiper.pdf
CVE: A dictionary of publicly known information security vulnerabilities and exposures.http://cve.mitre.org/ (2012)
Dumitraş, T., Shou, D.: Toward a standard benchmark for computer security research: The Worldwide Intelligence Network Environment (WINE). In: EuroSys BADGERS Workshop. Salzburg, Austria (2011)
Falliere, N., O’Murchu, L., Chien, E.: W32.Stuxnet dossier. Symantec Whitepaper (2011). URLhttp://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/w32_stuxnet_dossier.pdf
Finifter, M., Akhawe, D., Wagner, D.: An empirical study of vulnerability rewards programs. In: Proceedings of the ACM Conference on Computer and Communications Security. Washington, DC (2013)
FireEye: The Dual Use Exploit: CVE-2013-3906 Used in Both Targeted Attacks and Crimeware Campaigns.http://bit.ly/R3XQQ4 (2013)
Frei, S.: Security econometrics: The dynamics of (in)security. Ph.D. thesis, ETH Zürich (2009)
Frei, S.: End-Point Security Failures, Insight gained from Secunia PSI scans. Predict Workshop (2011)
Google Inc: Pwnium: rewards for exploits (2012).http://blog.chromium.org/2012/02/pwnium-rewards-for-exploits.html
Greenberg, A.: Shopping for zero-days: A price list for hackers’ secret software exploits. Forbes (2012).http://www.forbes.com/sites/andygreenberg/2012/03/23/shopping-for-zero-days-an-price-list-for-hackers-secret-software-exploits/
Krebs, B.: Crimeware author funds exploit buying spree.http://bit.ly/1mYwlUY (2013)
Kumar, A., Paxson, V., Weaver, N.: Exploiting underlying structure for detailed reconstruction of an internet-scale event. In: Internet Measurment Conference, pp. 351–364 (2005)
Lelli, A.: The Trojan.Hydraq incident: Analysis of the Aurora 0-day exploit.http://www.symantec.com/connect/blogs/trojanhydraq-incident-analysis-aurora-0-day-exploit (2010)
McQueen, M.A., McQueen, T.A., Boyer, W.F., Chaffin, M.R.: Empirical estimates and observations of 0day vulnerabilities. In: Hawaii International Conference on System Sciences (2009)
Microsoft: Microsoft security bulletins.http://technet.microsoft.com/en-us/security/bulletin (2012)
Microsoft Corp.: A history of Windows.http://bit.ly/RKDHIm
Miller, C.: The legitimate vulnerability market: Inside the secretive world of 0-day exploit sales. In: Workshop on the Economics of Information Security. Pittsburgh, PA (2007)
National Institute of Standards and Technology: Engineering statistics handbook.http://www.itl.nist.gov/div898/handbook/index.htm
Nayak, K., Marino, D., Efstathopoulos, P., Dumitraş, T.: Some vulnerabilities are different than others: Studying vulnerabilities and attack surfaces in the wild. In: Proceedings of the 17th International Symposium on Research in Attacks, Intrusions and Defenses. Gothenburg, Sweeden (2014)
National Vulnerability Database.http://nvd.nist.gov/
O’Gorman, G., McDonald, G.: The Elderwood project. Symantec Whitepaper (2012)
OSVDB: The open source vulnerability database.http://www.osvdb.org/ (2012)
Ozment, A., Schechter, S.E.: Milk or wine: does software security improve with age? In: 15th conference on USENIX Security Symposium (2006)
Papalexakis, E.E., Dumitras, T., Chau, D.H.P., Prakash, B.A., Faloutsos, C.: Spatio-temporal mining of software adoption & penetration. In: IEEE/ACM International Conference on Advances in Social Networks Analysis and Mining (ASONAM). Niagara Falls, CA (2103)
Porras, P., Saidi, H., Yegneswaran, V.: An anlysis of conficker’s logic and rendezvous points.http://mtc.sri.com/Conficker/ (2009)
Qualys, Inc.: The laws of vulnerabilities 2.0.http://www.qualys.com/docs/Laws_2.0.pdf (2009)
Quinn, S., Scarfone, K., Barrett, M., Johnson, C.: Guide to adopting and using the security content automation protocol (SCAP) version 1.0. NIST Special Publication 800-117 (2010)
Ransbotham, S.: An empirical analysis of exploitation attempts based on vulnerabilities in open source software (2010)
Rescorla, E.: Is finding security holes a good idea? In: IEEE Security and Privacy (2005)
Rivner, U.: Anatomy of an attack (2011).http://blogs.rsa.com/rivner/anatomy-of-an-attack/ Retrieved on 19 April 2012
SANS Institute: Top cyber security risks - zero-day vulnerability trends.http://www.sans.org/top-cyber-security-risks/zero-day.php (2009)
Schneier, B.: Cryptogram september 2000 - full disclosure and the window of exposure.http://www.schneier.com/crypto-gram-0009.html (2000)
Schneier, B.: Locks and full disclosure. In: IEEE Security and Privacy (2003)
Schneier, B.: The nonsecurity of secrecy. In: Commun. ACM (2004)
Shahzad, M., Shafiq, M.Z., Liu, A.X.: A large scale exploratory analysis of software vulnerability life cycles. In: Proceedings of the 2012 International Conference on Software Engineering (2012)
Shin, Y., Meneely, A., Williams, L., Osborne, J.A.: Evaluating complexity, code churn, and developer activity metrics as indicators of software vulnerabilities. IEEE Trans. Software Eng.37(6), 772–787 (2011)
Staniford, S., Paxson, V., Weaver, N.: How to 0wn the Internet in your spare time. In: USENIX Security Symposium, pp. 149–167 (2002)
Symantec Attack Signatures.http://www.symantec.com/security_response/attacksignatures/
Symantec Corporation: Symantec global Internet security threat report, volume 13.http://eval.symantec.com/mktginfo/enterprise/white_papers/b-whitepaper_internet_security_threat_report_xiii_04-2008.en-us.pdf (2008)
Symantec Corporation: Symantec global Internet security threat report, volume 14.http://eval.symantec.com/mktginfo/enterprise/white_papers/b-whitepaper_internet_security_threat_report_xv_04-2010.en-us.pdf (2009)
Symantec Corporation: Symantec global Internet security threat report, volume 15.http://msisac.cisecurity.org/resources/reports/documents/SymantecInternetSecurityThreatReport2010.pdf (2010)
Symantec Corporation: Symantec Internet security threat report, volume 16 (2011)
Symantec Corporation: W32.Duqu: The precursor to the next Stuxnet. Symantec Whitepaper (2011). URLhttp://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/w32_duqu_the_precursor_to_the_next_stuxnet_research.pdf
Symantec Corporation: Symantec Internet security threat report, volume 17.http://www.symantec.com/threatreport/ (2012)
Symantec Corporation: Symantec threat explorer.http://www.symantec.com/security_response/threatexplorer/azlisting.jsp (2012)
Symantec.cloud: February 2011 intelligence report.http://www.messagelabs.com/mlireport/MLI_2011_02_February_FINAL-en.PDF (2011)
TechRepublic: Five super-secret features in Windows 7.http://tek.io/g3rBrB
Wikipedia: Source lines of code.http://bit.ly/5LkKx
Zimmermann, T., Nagappan, N., Williams, L.A.: Searching for a needle in a haystack: Predicting security vulnerabilities for windows vista. In: ICST, pp. 421–428 (2010)
Acknowledgements
This research would not have been possible without the WINE platform, built and made available to the research community by Symantec. Our results can be reproduced by utilizing the reference data setsWINE 2012-003 andWINE-2014-001, archived in the WINE infrastructure.
Author information
Authors and Affiliations
Corresponding author
Editor information
Editors and Affiliations
Rights and permissions
Copyright information
© 2015 Springer International Publishing Switzerland
About this chapter
Cite this chapter
Dumitraş, T. (2015). Understanding the Vulnerability Lifecycle for Risk Assessment and Defense Against Sophisticated Cyber Attacks. In: Jajodia, S., Shakarian, P., Subrahmanian, V., Swarup, V., Wang, C. (eds) Cyber Warfare. Advances in Information Security, vol 56. Springer, Cham. https://doi.org/10.1007/978-3-319-14039-1_13
Download citation
DOI: https://doi.org/10.1007/978-3-319-14039-1_13
Published:
Publisher Name: Springer, Cham
Print ISBN: 978-3-319-14038-4
Online ISBN: 978-3-319-14039-1
eBook Packages: Computer ScienceComputer Science (R0)