k-Zero Day Safety: Evaluating the Resilience of Networks Against Unknown Attacks

By enabling a direct comparison of different security solutions with respect to their relative effectiveness, a network security metric may provide quantifiable evidence to assist security practitioners in securing computer networks. However, the security risk of unknown vulnerabilities is usually considered unmeasurable due to the less predictable nature of software flaws. This poses a challenge for security metrics, because a more secure configuration would be of little value if it were equally susceptible to zero day attacks. In this chapter, we describe a novel security metric, k-zero day safety, to address this issue. Instead of attempting to rank unknown vulnerabilities, the metric counts how many such vulnerabilities would be required to compromise network assets; a larger count implies more security, since the likelihood of having more unknown vulnerabilities available, applicable, and exploitable all at the same time will be significantly lower.
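
The counting idea above, as an added sketch that is not code from the chapter: it compares two configurations of a small constructed network by the fewest distinct unknown vulnerabilities needed to reach an asset. Assumptions of this sketch: the host and service names are invented, an unknown vulnerability in one service is counted once however many hosts expose it, and the search is brute force, which is only practical for small networks.

```python
from itertools import combinations

# Constructed sample network (not from the chapter): (source, target, service)
# means `source` can reach `service` listening on `target`.
SAMPLE_EDGES = [
    ("attacker", "web", "http"),
    ("attacker", "web", "ssh"),
    ("web", "app", "ssh"),
    ("web", "app", "rmi"),
    ("app", "db", "sql"),
    ("web", "db", "ssh"),
]

def reachable(edges, exploited, start):
    """Hosts reached if every service in `exploited` has an unknown flaw."""
    owned, frontier = {start}, [start]
    while frontier:
        host = frontier.pop()
        for src, dst, svc in edges:
            if src == host and svc in exploited and dst not in owned:
                owned.add(dst)
                frontier.append(dst)
    return owned

def k_zero_day(edges, start, asset):
    """Return (k, services): the smallest set of distinct services whose
    unknown vulnerabilities suffice to reach `asset`, or (None, None)
    when the asset cannot be reached at all."""
    services = sorted({svc for _, _, svc in edges})
    for k in range(len(services) + 1):
        for subset in combinations(services, k):
            if asset in reachable(edges, set(subset), start):
                return k, set(subset)
    return None, None

def without_service(edges, host, service):
    """Hardened configuration: `service` is no longer exposed on `host`."""
    return [e for e in edges if not (e[1] == host and e[2] == service)]

if __name__ == "__main__":
    print("baseline:", k_zero_day(SAMPLE_EDGES, "attacker", "db"))
    hardened = without_service(SAMPLE_EDGES, "db", "ssh")
    print("ssh closed on db:", k_zero_day(hardened, "attacker", "db"))
```

In the baseline a single unknown ssh flaw reaches the database; with ssh closed on the database host the count rises to two, which is the kind of comparison between configurations the metric is meant to support.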