The Heavy Tails of Vulnerability Exploitation

  • Luca Allodi
Part of the Lecture Notes in Computer Science book series (LNCS, volume 8978)


In this paper we analyse the frequency at which vulnerabilities are exploited in the wild, relying on data collected worldwide by Symantec's sensors. Our analysis comprises 374 exploited vulnerabilities for a total of 75.7 million recorded attacks spanning three years (2009-2012). We find that for some software as little as 5% of exploited vulnerabilities are responsible for about 95% of the attacks against that platform. This strongly skewed distribution is consistent across all considered software categories, and the general take-away is that less than 10% of vulnerabilities account for more than 90% of the attacks (with the exception of pre-2009 Java vulnerabilities). Following these findings, we hypothesise that vulnerability exploitation may follow a Power Law distribution. Rigorous hypothesis testing neither accepts nor rejects the Power Law Hypothesis, so further data collection from the security community may be needed. Finally, we present and discuss the Law of the Work-Averse Attacker as a possible explanation for the heavy-tailed distributions we find in the data, and present examples of its effects for Apple Quicktime and Microsoft Internet Explorer vulnerabilities.
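A worked illustration of the two measurements the abstract rests on, the concentration of attacks in a few vulnerabilities (read off a Lorenz curve) and a power-law exponent estimate, as an added example that is not the paper's code or data: the attack counts below are constructed, the vulnerability ids are placeholders, and the exponent uses the approximate discrete MLE of Clauset, Shalizi and Newman (2009).

```python
import math

# Constructed per-vulnerability attack counts (placeholder ids, not the
# paper's CVEs), deliberately skewed like the distributions the paper reports.
ATTACK_COUNTS = {
    "VULN-A": 9000, "VULN-B": 500, "VULN-C": 300, "VULN-D": 100,
    "VULN-E": 40, "VULN-F": 30, "VULN-G": 15, "VULN-H": 8,
    "VULN-I": 4, "VULN-J": 3,
}


def lorenz_points(counts):
    """Lorenz curve read from the top: cumulative share of attacks against
    cumulative share of vulnerabilities, most-attacked vulnerability first."""
    volumes = sorted(counts.values(), reverse=True)
    total, n = sum(volumes), len(volumes)
    points, running = [(0.0, 0.0)], 0
    for i, v in enumerate(volumes, start=1):
        running += v
        points.append((i / n, running / total))
    return points


def vuln_share_for_attack_pct(counts, pct):
    """Smallest fraction of vulnerabilities whose attacks reach pct% of all
    recorded attacks (integer arithmetic avoids float threshold surprises)."""
    volumes = sorted(counts.values(), reverse=True)
    total, running = sum(volumes), 0
    for i, v in enumerate(volumes, start=1):
        running += v
        if running * 100 >= pct * total:
            return i / len(volumes)
    return 1.0


def powerlaw_alpha(values, xmin):
    """Approximate discrete power-law exponent (Clauset et al. 2009, eq. 3.7):
    alpha ~= 1 + n / sum(ln(x_i / (xmin - 0.5))) over the tail x_i >= xmin."""
    tail = [x for x in values if x >= xmin]
    if not tail:
        raise ValueError("no observations at or above xmin")
    return 1.0 + len(tail) / sum(math.log(x / (xmin - 0.5)) for x in tail)


if __name__ == "__main__":
    share = vuln_share_for_attack_pct(ATTACK_COUNTS, 95)
    print(f"{share:.0%} of vulnerabilities account for 95% of attacks")
    print("alpha (xmin=3):", round(powerlaw_alpha(ATTACK_COUNTS.values(), 3), 3))
```

The exponent estimate alone does not establish a power law; the paper's point is that a goodness-of-fit test (Kolmogorov-Smirnov with bootstrapped p-values, as in Clauset et al.) is needed, and on its data that test was inconclusive.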







Copyright information

© Springer International Publishing Switzerland 2015

Authors and Affiliations

  • Luca Allodi, DISI, University of Trento, Povo, Italy
