An Efficient Framework for Evaluating the Risk of Zero-Day Vulnerabilities

  • Massimiliano Albanese
  • Sushil Jajodia
  • Anoop Singhal
  • Lingyu Wang
Conference paper

DOI: 10.1007/978-3-662-44788-8_19

Part of the Communications in Computer and Information Science book series (CCIS, volume 456)
Cite this paper as:
Albanese M., Jajodia S., Singhal A., Wang L. (2014) An Efficient Framework for Evaluating the Risk of Zero-Day Vulnerabilities. In: Obaidat M., Filipe J. (eds) E-Business and Telecommunications. ICETE 2013. Communications in Computer and Information Science, vol 456. Springer, Berlin, Heidelberg

Abstract

Computer systems are vulnerable to both known and zero-day attacks. Although known attack patterns can be easily modeled, thus enabling the definition of suitable hardening strategies, handling zero-day vulnerabilities is inherently difficult due to their unpredictable nature. Previous research has attempted to assess the risk associated with unknown attack patterns, and a metric to quantify such risk, the \(k\)-zero-day safety metric, has been defined. However, existing algorithms for computing this metric are not scalable, and assume that complete zero-day attack graphs have been generated, which may be unfeasible in practice for large networks. In this paper, we propose a framework comprising a suite of polynomial algorithms for estimating the \(k\)-zero-day safety of possibly large networks efficiently, without pre-computing the entire attack graph. We validate our approach experimentally, and show that the proposed solution is computationally efficient and accurate.

Keywords

Zero-day attacks; Vulnerability analysis; Attack graphs

Copyright information

© Springer-Verlag Berlin Heidelberg 2014

Authors and Affiliations

  • Massimiliano Albanese (1)
  • Sushil Jajodia (1, 2)
  • Anoop Singhal (3)
  • Lingyu Wang (4)

  1. Center for Secure Information Systems, George Mason University, Fairfax, USA
  2. The MITRE Corporation, McLean, USA
  3. Computer Security Division, NIST, Gaithersburg, USA
  4. Concordia Institute for Information Systems Engineering, Concordia University, Montreal, Canada
