An Efficient Framework for Evaluating the Risk of Zero-Day Vulnerabilities

  • Massimiliano Albanese
  • Sushil JajodiaEmail author
  • Anoop Singhal
  • Lingyu Wang
Conference paper
Part of the Communications in Computer and Information Science book series (CCIS, volume 456)


Computer systems are vulnerable to both known and zero-day attacks. Although known attack patterns can be easily modeled, thus enabling the definition of suitable hardening strategies, handling zero-day vulnerabilities is inherently difficult due to their unpredictable nature. Previous research has attempted to assess the risk associated with unknown attack patterns, and a metric to quantify such risk, the \(k\)-zero-day safety metric, has been defined. However, existing algorithms for computing this metric are not scalable, and assume that complete zero-day attack graphs have been generated, which may be unfeasible in practice for large networks. In this paper, we propose a framework comprising a suite of polynomial algorithms for estimating the \(k\)-zero-day safety of possibly large networks efficiently, without pre-computing the entire attack graph. We validate our approach experimentally, and show that the proposed solution is computationally efficient and accurate.


Zero-day attacks Vulnerability analysis Attack graphs 


  1. 1.
    Sheyner, O., Haines, J., Jha, S., Lippmann, R., Wing, J.M.: Automated generation and analysis of attack graphs. In: Proceedings of the 2002 IEEE Symposium on Security and Privacy (S&P 2002), Berkeley, CA, USA, pp. 273–284 (2002)Google Scholar
  2. 2.
    Ammann, P., Wijesekera, D., Kaushik, S.: Scalable, graph-based network vulnerability analysis. In: Proceedings of the 9th ACM Conference on Computer and Communications Security (CCS 2002), Washington, DC, USA, pp. 217–224 (2002)Google Scholar
  3. 3.
    McHugh, J.: Quality of protection: Measuring the unmeasurable? In: Proceedings of the 2nd ACM Workshop on Quality of Protection (QoP 2006), Alexandria, VA, USA, ACM, pp. 1–2 (2006)Google Scholar
  4. 4.
    Wang, L., Jajodia, S., Singhal, A., Noel, S.: k-zero day safety: measuring the security risk of networks against unknown attacks. In: Gritzalis, D., Preneel, B., Theoharidou, M. (eds.) ESORICS 2010. LNCS, vol. 6345, pp. 573–587. Springer, Heidelberg (2010) CrossRefGoogle Scholar
  5. 5.
    Noel, S., Jajodia, S.: Managing attack graph complexity through visual hierarchical aggregation. In: Proceedings of the ACM CCS Workshop on Visualization and Data Mining for Computer Security (VizSEC/DMSEC 2004), Fairfax, VA, USA, ACM, pp. 109–118 (2004)Google Scholar
  6. 6.
    Mell, P., Scarfone, K., Romanosky, S.: Common vulnerability scoring system. IEEE Secur. Priv. 4, 85–89 (2006)CrossRefGoogle Scholar
  7. 7.
    The MITRE Corporation: Common Weakness Scoring System (CWSS™) Version 0.8 (2011).
  8. 8.
    Dacier, M.: Towards quantitative evaluation of computer security. Ph.D. thesis. Institut National Polytechnique de Toulouse (1994)Google Scholar
  9. 9.
    Phillips, C., Swiler, L.P.: A graph-based system for network-vulnerability analysis. In: Proceedings of the New Security Paradigms Workshop (NSPW 1998), Charlottesville, VA, USA, pp. 71–79 (1998)Google Scholar
  10. 10.
    Mehta, V., Bartzis, C., Zhu, H., Clarke, E.: Ranking attack graphs. In: Zamboni, D., Kruegel, C. (eds.) RAID 2006. LNCS, vol. 4219, pp. 127–144. Springer, Heidelberg (2006) CrossRefGoogle Scholar
  11. 11.
    Balzarotti, D., Monga, M., Sicari, S.: Assessing the risk of using vulnerable components. In: Gollmann, D., Massacci, F., Yautsiukhin, A. (eds.) Quality of Protection. Advances in Information Security, vol. 23, pp. 65–77. Springer, Heidelberg (2006) CrossRefGoogle Scholar
  12. 12.
    Pamula, J., Jajodia, S., Ammann, P., Swarup, V.: A weakest-adversary security metric for network configuration security analysis. In: Proceedings of the 2nd ACM Workshop on Quality of Protection (QoP 2006). Advances in Information Security, Alexandria, VA, USA, Springer, vol. 23, pp. 31–68 (2006)Google Scholar
  13. 13.
    Leversage, D.J., Byres, E.J.: Estimating a system’s mean time-to-compromise. IEEE Secur. Priv. 6, 52–60 (2008)CrossRefGoogle Scholar
  14. 14.
    Wang, L., Islam, T., Long, T., Singhal, A., Jajodia, S.: An attack graph-based probabilistic security metric. In: Atluri, V. (ed.) DAS 2008. LNCS, vol. 5094, pp. 283–296. Springer, Heidelberg (2008) CrossRefGoogle Scholar
  15. 15.
    Homer, J., Ou, X., Schmidt, D.: A sound and practical approach to quantifying security risk in enterprise networks, Technical report. Kansas State University (2009)Google Scholar
  16. 16.
    McQueen, M.A., McQueen, T.A., Boyer, W.F., Chaffin, M.R.: Empirical estimates and observations of 0day vulnerabilities. In: Proceedings of the 42nd Hawaii International Conference on System Sciences (HICSS 2009), Waikoloa, Big Island, HI, USA (2009)Google Scholar
  17. 17.
    Greenberg, A.: Shopping for Zero-Days: A Price List for Hackers’ Secret Software Exploits. Forbes, New York (2012)Google Scholar
  18. 18.
    Shahzad, M., Shafiq, M.Z., Liu, A.X.: A large scale exploratory analysis of software vulnerability life cycles. In: Proceedings of the 34th International Conference on Software Engineering (ICSE 2012), Zurich, Switzerland, pp. 771–781 (2012)Google Scholar
  19. 19.
    Ingols, K., Chu, M., Lippmann, R., Webster, S., Boyer, S.: Modeling modern network attacks and countermeasures using attack graphs. In: Proceedings of the Annual Computer Security Applications Conference (ACSAC 2009), Honolulu, HI, USA, pp. 117–126 (2009)Google Scholar

Copyright information

© Springer-Verlag Berlin Heidelberg 2014

Authors and Affiliations

  • Massimiliano Albanese
    • 1
  • Sushil Jajodia
    • 1
    • 2
    Email author
  • Anoop Singhal
    • 3
  • Lingyu Wang
    • 4
  1. 1.Center for Secure Information SystemsGeorge Mason UniversityFairfaxUSA
  2. 2.The MITRE CorporationMcLeanUSA
  3. 3.Computer Security DivisionNISTGaithersburgUSA
  4. 4.Concordia Institute for Information Systems EngineeringConcordia UniversityMontrealCanada

Personalised recommendations