Little is known about the duration and prevalence of zero-day attacks, which exploit vulnerabilities that have not been disclosed publicly. Knowledge of new vulnerabilities gives cyber criminals a free pass to attack any target of their choosing, while remaining undetected. Unfortunately, these serious threats are difficult to analyze, because, in general, data is not available until after an attack is discovered. Moreover, zero-day attacks are rare events that are unlikely to be observed in honeypots or in lab experiments. In this paper, we describe a method for automatically identifying zero-day attacks from field-gathered data that records when benign and malicious binaries are downloaded on 11 million real hosts around the world. Searching this data set for malicious files that exploit known vulnerabilities indicates which files appeared on the Internet before the corresponding vulnerabilities were disclosed. We identify 18 vulnerabilities exploited before disclosure, of which 11 were not previously known to have been employed in zero-day attacks. We also find that a typical zero-day attack lasts 312 days on average and that, after vulnerabilities are disclosed publicly, the volume of attacks exploiting them increases by up to 5 orders of magnitude.
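The measurement method sketched in the abstract (compare the earliest sighting of a file exploiting a known vulnerability with that vulnerability's public disclosure date) reduces to a join over three tables: download telemetry, a file-to-vulnerability mapping, and disclosure dates. The script below is an added illustration, not the paper's code or data; the download records, hash prefixes, CVE identifiers and disclosure dates are all constructed placeholders. It flags a vulnerability as exploited in a zero-day attack when a malicious file exploiting it was seen before disclosure, reports the length of that window in days, and counts downloads before and after disclosure so the post-disclosure volume change can be compared.

```python
from collections import defaultdict
from datetime import date

# Constructed sample telemetry (not the paper's data set): one record per
# binary download observed on a monitored host, deliberately unsorted.
# (download_date, host_id, sha256_prefix, flagged_malicious)
DOWNLOADS = [
    (date(2010, 6, 16), "host-5", "aaa111", True),
    (date(2010, 1, 5), "host-1", "aaa111", True),
    (date(2010, 3, 1), "host-3", "bbb222", False),   # benign file
    (date(2010, 1, 20), "host-2", "aaa111", True),
    (date(2010, 6, 15), "host-4", "aaa111", True),
    (date(2010, 6, 16), "host-6", "aaa111", True),
    (date(2010, 6, 17), "host-7", "aaa111", True),
    (date(2010, 3, 10), "host-8", "ccc333", True),
    (date(2010, 3, 11), "host-9", "ccc333", True),
    (date(2010, 4, 2), "host-10", "ddd444", True),   # malicious, but exploits no known CVE
]

# Placeholder mapping from malicious file hash to the vulnerability it
# exploits. The CVE identifiers are dummies, not real advisories.
EXPLOITS = {"aaa111": "CVE-XXXX-0001", "ccc333": "CVE-XXXX-0002"}

# Placeholder public disclosure dates for those vulnerabilities.
DISCLOSED = {"CVE-XXXX-0001": date(2010, 6, 1), "CVE-XXXX-0002": date(2010, 2, 1)}


def analyze(downloads, exploits, disclosed):
    """Group malicious downloads by the vulnerability they exploit and compare
    the earliest sighting with the disclosure date.

    A vulnerability counts as exploited in a zero-day attack when a file
    exploiting it was downloaded before disclosure; the zero-day duration is
    the gap in days between first sighting and disclosure. Daily download
    rates before and after disclosure are included so the change in attack
    volume can be read off directly."""
    by_cve = defaultdict(list)
    for day, _host, digest, malicious in downloads:
        # Benign files and malicious files with no known CVE are skipped:
        # the method can only attribute exploits of vulnerabilities it knows.
        if malicious and digest in exploits:
            by_cve[exploits[digest]].append(day)

    results = {}
    for cve, days in by_cve.items():
        disc = disclosed[cve]
        first_seen, last_seen = min(days), max(days)
        pre = sum(1 for d in days if d < disc)
        post = len(days) - pre
        duration = max((disc - first_seen).days, 0)
        # Post-disclosure window runs from disclosure to the last sighting.
        post_window = max((last_seen - disc).days + 1, 1)
        results[cve] = {
            "first_seen": first_seen,
            "zero_day": first_seen < disc,
            "duration_days": duration,
            "pre_disclosure_downloads": pre,
            "post_disclosure_downloads": post,
            "pre_rate_per_day": pre / duration if duration else 0.0,
            "post_rate_per_day": post / post_window,
        }
    return results


def zero_day_cves(results):
    """Return the vulnerabilities that were exploited before disclosure."""
    return sorted(cve for cve, r in results.items() if r["zero_day"])


if __name__ == "__main__":
    for cve, r in analyze(DOWNLOADS, EXPLOITS, DISCLOSED).items():
        print(cve, r)
```

Running this on the constructed records reports CVE-XXXX-0001 as a zero-day exploited 147 days before disclosure with a sharp rise in daily download rate afterwards, while CVE-XXXX-0002 was only seen after disclosure; the unattributed hash is ignored, which mirrors the abstract's caveat that the method finds zero-day attacks only for vulnerabilities that are eventually disclosed and linked to a file.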