An Efficient Approach to Assessing the Risk of Zero-Day Vulnerabilities

Massimiliano Albanese, Sushil Jajodia, Anoop Singhal, Lingyu Wang

Abstract

Paper Citation


in Harvard Style

Albanese M., Jajodia S., Singhal A. and Wang L. (2013). An Efficient Approach to Assessing the Risk of Zero-Day Vulnerabilities. In Proceedings of the 10th International Conference on Security and Cryptography - Volume 1: SECRYPT, (ICETE 2013), ISBN 978-989-8565-73-0, pages 207-218. DOI: 10.5220/0004530602070218


in Bibtex Style

@conference{secrypt13,
author={Massimiliano Albanese and Sushil Jajodia and Anoop Singhal and Lingyu Wang},
title={An Efficient Approach to Assessing the Risk of Zero-Day Vulnerabilities},
booktitle={Proceedings of the 10th International Conference on Security and Cryptography - Volume 1: SECRYPT, (ICETE 2013)},
year={2013},
pages={207-218},
publisher={SciTePress},
organization={INSTICC},
doi={10.5220/0004530602070218},
isbn={978-989-8565-73-0},
}


in EndNote Style

TY - CONF
JO - Proceedings of the 10th International Conference on Security and Cryptography - Volume 1: SECRYPT, (ICETE 2013)
TI - An Efficient Approach to Assessing the Risk of Zero-Day Vulnerabilities
SN - 978-989-8565-73-0
AU - Albanese M.
AU - Jajodia S.
AU - Singhal A.
AU - Wang L.
PY - 2013
SP - 207
EP - 218
DO - 10.5220/0004530602070218