k-Zero Day Safety: A Network Security Metric for Measuring the Risk of Unknown Vulnerabilities
PrePrint
ISSN: 1545-5971
Lingyu Wang, Concordia University, Montreal
Sushil Jajodia, George Mason University, Fairfax
Anoop Singhal, National Institute of Standards and Technology, Gaithersburg
Pengsu Cheng, Concordia University, Montreal
Steven Noel, George Mason University, Fairfax
By enabling a direct comparison of different security solutions with respect to their relative effectiveness, a network security metric may provide quantifiable evidence to assist security practitioners in securing computer networks. However, research on security metrics has been hindered by difficulties in handling zero day attacks exploiting unknown vulnerabilities. In fact, the security risk of unknown vulnerabilities has been considered unmeasurable due to the less predictable nature of software flaws. This poses a major difficulty for security metrics, because a more secure configuration would be of little value if it were equally susceptible to zero day attacks. In this paper, we propose a novel security metric, k-zero day safety, to address this issue. Instead of attempting to rank unknown vulnerabilities, our metric counts how many such vulnerabilities would be required for compromising network assets; a larger count implies more security since the likelihood of having more unknown vulnerabilities available, applicable, and exploitable all at the same time will be significantly lower. We formally define the metric, analyze the complexity of computing the metric, devise heuristic algorithms for intractable cases, and finally demonstrate through case studies that applying the metric to existing network security practices may generate actionable knowledge.
Index Terms:
intrusion prevention, security metrics, security modeling, network security, zero day attack
Citation:
Lingyu Wang, Sushil Jajodia, Anoop Singhal, Pengsu Cheng, Steven Noel, "k-Zero Day Safety: A Network Security Metric for Measuring the Risk of Unknown Vulnerabilities," IEEE Transactions on Dependable and Secure Computing, 11 June 2013. IEEE Computer Society Digital Library. IEEE Computer Society, <http://doi.ieeecomputersociety.org/10.1109/TDSC.2013.24>