
k-Zero Day Safety: Evaluating the Resilience of Networks Against Unknown Attacks

Chapter in: Network Security Metrics

Abstract

By enabling a direct comparison of different security solutions with respect to their relative effectiveness, a network security metric may provide quantifiable evidence to assist security practitioners in securing computer networks. However, the security risk of unknown vulnerabilities is usually considered unmeasurable due to the less predictable nature of software flaws. This poses a challenge for security metrics, because a more secure configuration would be of little value if it were equally susceptible to zero day attacks. In this chapter, we describe a novel security metric, k-zero day safety, to address this issue. Instead of attempting to rank unknown vulnerabilities, the metric counts how many such vulnerabilities would be required to compromise network assets; a larger count implies more security, since the likelihood of having more unknown vulnerabilities available, applicable, and exploitable all at the same time will be significantly lower.
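
The counting idea in the abstract can be sketched on a small network. This is an added example, not code from the chapter or its authors: the host and service names, the edge list, the `harden` helper and the rule that a service reused on several hosts counts as one unknown vulnerability are all assumptions made for illustration.

```python
import heapq
from itertools import count

# Constructed sample network (not from the chapter). Each edge is
# (source host, target host, service that must be exploited on the target).
# Assumption: one unknown vulnerability in a service works on every host
# running that service, so a reused service is counted only once.
EDGES = [
    ("attacker", "web", "http"),
    ("attacker", "mail", "smtp"),
    ("web", "app", "ssh"),
    ("mail", "app", "ssh"),
    ("app", "db", "ssh"),
    ("web", "db", "sql"),
]

def zero_day_k(edges, source, asset):
    """Return (k, vulns): the smallest set of distinct zero-day
    vulnerabilities that lets `source` reach `asset`, or (None, None)."""
    adj = {}
    for src, dst, service in edges:
        adj.setdefault(src, []).append((dst, service))
    tie = count()  # tie-breaker so the heap never compares frozensets
    heap = [(0, next(tie), source, frozenset())]
    seen = set()
    while heap:
        cost, _, host, used = heapq.heappop(heap)
        if host == asset:
            return cost, sorted(used)
        if (host, used) in seen:
            continue
        seen.add((host, used))
        for nxt, service in adj.get(host, []):
            new_used = used | {service}
            if (nxt, new_used) not in seen:
                heapq.heappush(heap, (len(new_used), next(tie), nxt, new_used))
    return None, None

def harden(edges, blocked):
    """Drop edges in `blocked`, e.g. a firewall rule removing a connection."""
    return [e for e in edges if e not in blocked]

if __name__ == "__main__":
    print("baseline:", zero_day_k(EDGES, "attacker", "db"))
    no_sql = harden(EDGES, {("web", "db", "sql")})
    print("web->db blocked:", zero_day_k(no_sql, "attacker", "db"))
```

Blocking the direct web-to-db connection leaves k at 2 in this sample, because the remaining paths reuse one ssh vulnerability; k rises only when the hops require different services.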



Acknowledgements

Authors with Concordia University were partially supported by the Natural Sciences and Engineering Research Council of Canada under Discovery Grant N01035. Sushil Jajodia was partially supported by the Army Research Office grants W911NF-13-1-0421 and W911NF-15-1-0576, by the Office of Naval Research grant N00014-15-1-2007, National Institutes of Standard and Technology grant 60NANB16D287, and by the National Science Foundation grant IIP-1266147.


Correspondence to Lingyu Wang.


Copyright information

© 2017 Springer International Publishing AG


Cite this chapter

Wang, L., Jajodia, S., Singhal, A., Cheng, P., Noel, S. (2017). k-Zero Day Safety: Evaluating the Resilience of Networks Against Unknown Attacks. In: Network Security Metrics. Springer, Cham. https://doi.org/10.1007/978-3-319-66505-4_4


  • DOI: https://doi.org/10.1007/978-3-319-66505-4_4


  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-319-66504-7

  • Online ISBN: 978-3-319-66505-4

  • eBook Packages: Computer Science (R0)
