k-Zero Day Safety: Measuring the Security Risk of Networks against Unknown Attacks

  • Lingyu Wang
  • Sushil Jajodia
  • Anoop Singhal
  • Steven Noel
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 6345)


The security risk of a network against unknown zero day attacks has been considered as something unmeasurable since software flaws are less predictable than hardware faults and the process of finding such flaws and developing exploits seems to be chaotic [10]. In this paper, we propose a novel security metric, k-zero day safety, based on the number of unknown zero day vulnerabilities. That is, the metric simply counts how many unknown vulnerabilities would be required for compromising a network asset, regardless of what vulnerabilities those might be. We formally define the metric based on an abstract model of networks and attacks. We then devise algorithms for computing the metric. Finally, we show the metric can quantify many existing practices in hardening a network.


Security Risk Remote Service Disjunctive Normal Form Inside Attack Distinct Zero 
These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.


  1. 1.
    Ammann, P., Wijesekera, D., Kaushik, S.: Scalable, graph-based network vulnerability analysis. In: Proceedings of CCS 2002 (2002)Google Scholar
  2. 2.
    Balzarotti, D., Monga, M., Sicari, S.: Assessing the risk of using vulnerable components. In: Proceedings of the 1st Workshop on Quality of Protection (2005)Google Scholar
  3. 3.
    Castro, M., Liskov, B.: Practical byzantine fault tolerance and proactive recovery. ACM Trans. Comput. Syst. 20(4), 398–461 (2002)CrossRefGoogle Scholar
  4. 4.
    Dacier, M.: Towards quantitative evaluation of computer security. Ph.D. Thesis, Institut National Polytechnique de Toulouse (1994)Google Scholar
  5. 5.
    Frigault, M., Wang, L., Singhal, A., Jajodia, S.: Measuring network security using dynamic bayesian network. In: Proceedings of ACM Workshop on Quality of protection (2008)Google Scholar
  6. 6.
    Ingols, K., Chu, M., Lippmann, R., Webster, S., Boyer, S.: Modeling modern network attacks and countermeasures using attack graphs. In: Proceedings of ACSAC 2009, Washington, DC, USA, 2009, pp. 117–126. IEEE Computer Society Press, Los Alamitos (2009)Google Scholar
  7. 7.
    Jaquith, A.: Security Merics: Replacing Fear Uncertainity and Doubt. Addison Wesley, Reading (2007)Google Scholar
  8. 8.
    Lee, W., Xiang, D.: Information-theoretic measures for anomaly detection. In: Proceedings of the 2001 IEEE Symposium on Security and Privacy, Washington, DC, USA, p. 130. IEEE Computer Society Press, Los Alamitos (2001)Google Scholar
  9. 9.
    Leversage, D.J., Byres, E.J.: Estimating a system’s mean time-to-compromise. IEEE Security and Privacy 6(1), 52–60 (2008)CrossRefGoogle Scholar
  10. 10.
    McHugh, J.: Quality of protection: Measuring the unmeasurable? In: Proceedings of the 2nd ACM Workshop on Quality of Protection (QoP 2006), pp. 1–2 (2006)Google Scholar
  11. 11.
    McQueen, M., McQueen, T., Boyer, W., Chaffin, M.: Empirical estimates and observations of 0day vulnerabilities. In: Hawaii International Conference on System Sciences, pp. 1–12 (2009)Google Scholar
  12. 12.
    Mell, P., Scarfone, K., Romanosky, S.: Common vulnerability scoring system. IEEE Security & Privacy Magazine 4(6), 85–89 (2006)CrossRefGoogle Scholar
  13. 13.
    National Institute of Standards and Technology. Technology assessment: Methods for measuring the level of computer security. NIST Special Publication 500-133 (1985)Google Scholar
  14. 14.
    Manadhata, J.W.P.: An attack surface metric. Technical Report CMU-CS-05-155 (2005)Google Scholar
  15. 15.
    Pamula, J., Jajodia, S., Ammann, P., Swarup, V.: A weakest-adversary security metric for network configuration security analysis. In: Proceedings of the 2nd ACM Workshop on Quality of Protection, pp. 31–38. ACM Press, New York (2006)CrossRefGoogle Scholar
  16. 16.
    Samarati, P.: Protecting respondents’ identities in microdata release. IEEE Transactions on Knowledge and Data Engineering (TKDE), 1010–1027 (2001)Google Scholar
  17. 17.
    Reiter, M., Stubblebine, S.: Authentication metric analysis and design. ACM Transactions on Information and System Security 2(2), 138–158, 5 (1999)CrossRefGoogle Scholar
  18. 18.
    Sheyner, O., Haines, J., Jha, S., Lippmann, R., Wing, J.: Automated generation and analysis of attack graphs. In: Proceedings of the IEEE Symposium on Security and Privacy (2002)Google Scholar
  19. 19.
    Swanson, M., Bartol, N., Sabato, J., Hash, J., Graffo, L.: Security metrics guide for information technology systems. NIST Special Publication 800-55 (2003)Google Scholar
  20. 20.
    Wang, L., Islam, T., Long, T., Singhal, A., Jajodia, S.: An attack graph-based probabilistic security metric. In: Atluri, V. (ed.) DAS 2008. LNCS, vol. 5094, pp. 283–296. Springer, Heidelberg (2008)CrossRefGoogle Scholar
  21. 21.
    Wang, L., Jajodia, S., Singhal, A., Noel, S.: k-zero day safety: Measuring the security risk of networks against unknown attacks. Technical report, Spectrum Research Repository, Concordia University (2010),
  22. 22.
    Wang, L., Noel, S., Jajodia, S.: Minimum-cost network hardening using attack graphs. Computer Communications 29(18), 3812–3824, 11 (2006)CrossRefGoogle Scholar

Copyright information

© Springer-Verlag Berlin Heidelberg 2010

Authors and Affiliations

  • Lingyu Wang
    • 1
  • Sushil Jajodia
    • 2
  • Anoop Singhal
    • 3
  • Steven Noel
    • 2
  1. 1.Concordia Institute for Information Systems EngineeringConcordia University 
  2. 2.Center for Secure Information SystemsGeorge Mason University 
  3. 3.Computer Security DivisionNational Institute of Standards and Technology 

Personalised recommendations