ABSTRACT
Little is known about the duration and prevalence of zero-day attacks, which exploit vulnerabilities that have not been disclosed publicly. Knowledge of new vulnerabilities gives cyber criminals a free pass to attack any target of their choosing, while remaining undetected. Unfortunately, these serious threats are difficult to analyze, because, in general, data is not available until after an attack is discovered. Moreover, zero-day attacks are rare events that are unlikely to be observed in honeypots or in lab experiments.
In this paper, we describe a method for automatically identifying zero-day attacks from field-gathered data that records when benign and malicious binaries are downloaded on 11 million real hosts around the world. Searching this data set for malicious files that exploit known vulnerabilities indicates which files appeared on the Internet before the corresponding vulnerabilities were disclosed. We identify 18 vulnerabilities exploited before disclosure, of which 11 were not previously known to have been employed in zero-day attacks. We also find that a typical zero-day attack lasts 312 days on average and that, after vulnerabilities are disclosed publicly, the volume of attacks exploiting them increases by up to 5 orders of magnitude.
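The identification step the abstract describes, as an added Python example that is not the paper's code or data: join per-host download telemetry to vulnerability disclosure dates, flag the CVEs whose exploit was seen in the field before disclosure, and measure the zero-day duration and the before/after attack volume. Every host id, hash, date and CVE id below is a constructed placeholder.

```python
from datetime import date

# Constructed telemetry: (host id, binary hash, day the binary was first seen on
# that host, CVE the binary's detection signature is tied to). Placeholder values.
DOWNLOADS = [
    ("h1", "sha-A", date(2010, 1, 4), "CVE-PLACEHOLDER-1"),
    ("h2", "sha-A", date(2010, 2, 10), "CVE-PLACEHOLDER-1"),
    ("h3", "sha-B", date(2010, 3, 20), "CVE-PLACEHOLDER-1"),
    ("h4", "sha-B", date(2010, 4, 2), "CVE-PLACEHOLDER-1"),
    ("h7", "sha-B", date(2010, 5, 11), "CVE-PLACEHOLDER-1"),
    ("h5", "sha-C", date(2011, 6, 15), "CVE-PLACEHOLDER-2"),  # seen after disclosure
    ("h6", "sha-D", date(2009, 11, 30), "CVE-PLACEHOLDER-3"),  # no disclosure date known
]
# Constructed public disclosure dates (placeholder values).
DISCLOSURE = {
    "CVE-PLACEHOLDER-1": date(2010, 3, 1),
    "CVE-PLACEHOLDER-2": date(2011, 5, 1),
}

def first_seen(downloads):
    """Earliest date on which any binary exploiting each CVE appeared on any host."""
    first = {}
    for _host, _sha, seen, cve in downloads:
        if cve not in first or seen < first[cve]:
            first[cve] = seen
    return first

def find_zero_days(downloads, disclosure):
    """Map each CVE exploited before its disclosure date to the zero-day duration in days.

    CVEs with no known disclosure date cannot be classified and are skipped."""
    zero_days = {}
    for cve, seen in first_seen(downloads).items():
        if cve in disclosure and seen < disclosure[cve]:
            zero_days[cve] = (disclosure[cve] - seen).days
    return zero_days

def mean_duration(zero_days):
    """Average zero-day duration in days over the identified CVEs (0.0 if none)."""
    return sum(zero_days.values()) / len(zero_days) if zero_days else 0.0

def attack_volume(downloads, disclosure, cve):
    """Distinct hosts that downloaded an exploit for `cve` before and after disclosure."""
    before, after = set(), set()
    for host, _sha, seen, c in downloads:
        if c == cve:
            (before if seen < disclosure[cve] else after).add(host)
    return len(before), len(after)
```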
Before we knew it: an empirical study of zero-day attacks in the real world