An efficient approach to assessing the risk of zero-day vulnerabilities

Computer systems are vulnerable to both known and zero-day attacks. Although known attack patterns can be easily modeled, thus enabling the development of suitable hardening strategies, handling zero-day vulnerabilities is inherently difficult due to their unpredictable nature. Previous research has attempted to assess the risk associated with unknown attack patterns, and a suitable metric to quantify such risk, the k-zero-day safety metric, has been defined. However, existing algorithms for computing this metric are not scalable, and assume that complete zero-day attack graphs have been generated, which may be unfeasible in practice for large networks. In this paper, we propose a set of polynomial algorithms for estimating the k-zero-day safety of possibly large networks efficiently, without pre-computing the entire attack graph. We validate our approach through experiments, and show that the proposed algorithms are computationally efficient and accurate.

[1]  Muhammad Zubair Shafiq,et al.  A large scale exploratory analysis of software vulnerability life cycles , 2012, 2012 34th International Conference on Software Engineering (ICSE).

[2]  Cynthia A. Phillips,et al.  A graph-based system for network-vulnerability analysis , 1998, NSPW '98.

[3]  Miles McQueen,et al.  Empirical Estimates and Observations of 0Day Vulnerabilities , 2009 .

[4]  May R. Chaffin,et al.  Empirical Estimates and Observations of 0Day Vulnerabilities , 2009, 2009 42nd Hawaii International Conference on System Sciences.

[5]  Fabio Massacci,et al.  Proceedings of the 2nd ACM Workshop on Quality of Protection, QoP 2006, Alexandria, VA, USA, October 30, 2006 , 2006, QoP.

[6]  Bart De Decker,et al.  A Privacy-Preserving Ticketing System , 2008, DBSec.

[7]  David John Leversage,et al.  Estimating a System's Mean Time-to-Compromise , 2008, IEEE Security & Privacy.

[8]  J. Homer A Sound and Practical Approach to Quantifying Security Risk in Enterprise Networks ∗ , 2009 .

[9]  John McHugh Quality of protection: measuring the unmeasurable? , 2006, QoP '06.

[10]  Sushil Jajodia,et al.  k-Zero Day Safety: Measuring the Security Risk of Networks against Unknown Attacks , 2010, ESORICS.

[11]  Sushil Jajodia,et al.  An Attack Graph-Based Probabilistic Security Metric , 2008, DBSec.

[12]  Karen Scarfone,et al.  Common Vulnerability Scoring System , 2006, IEEE Security & Privacy.

[13]  Mattia Monga,et al.  Assessing the risk of using vulnerable components , 2006, Quality of Protection.

[14]  Edmund M. Clarke,et al.  Ranking Attack Graphs , 2006, RAID.

[15]  Dieter Gollmann,et al.  Quality of Protection - Security Measurements and Metrics , 2006, Advances in Information Security.

[16]  Sushil Jajodia,et al.  A weakest-adversary security metric for network configuration security analysis , 2006, QoP '06.

[17]  Sushil Jajodia,et al.  Managing attack graph complexity through visual hierarchical aggregation , 2004, VizSEC/DMSEC '04.

[18]  Duminda Wijesekera,et al.  Scalable, graph-based network vulnerability analysis , 2002, CCS '02.

[19]  Marc Dacier Vers une évaluation quantitative de la sécurité informatique. (Towards a quantitative evaluation of computer security) , 1994 .

[20]  Somesh Jha,et al.  Automated generation and analysis of attack graphs , 2002, Proceedings 2002 IEEE Symposium on Security and Privacy.

[21]  Bart Preneel,et al.  Computer Security - ESORICS 2010, 15th European Symposium on Research in Computer Security, Athens, Greece, September 20-22, 2010. Proceedings , 2010, ESORICS.

[22]  Richard Lippmann,et al.  Modeling Modern Network Attacks and Countermeasures Using Attack Graphs , 2009, 2009 Annual Computer Security Applications Conference.