Skip to main content
U.S. flag

An official website of the United States government

Official websites use .gov
A .gov website belongs to an official government organization in the United States.

Secure .gov websites use HTTPS
A lock ( ) or https:// means you’ve safely connected to the .gov website. Share sensitive information only on official, secure websites.

k-Zero Day Safety: A Network Security Metric for Measuring the Risk of Unknown Vulnerabilities

Published

Author(s)

Lingyu Wang, Sushil Jajodia, Anoop Singhal, Pengsu Cheng, Steven Noel

Abstract

By enabling a direct comparison of different security solutions with respect to their relative effectiveness, a network security metric may provide quantifiable evidences to assist security practitioners in securing computer networks. However, research on security metrics has been hindered by difficulties in handling zero day attacks exploiting unknown vulnerabilities. In fact, the security risk of unknown vulnerabilities has been considered as something unmeasurable due to the less predictable nature of software flaws. This causes a major difficulty to security metrics, because a more secure configuration would be of little value if it were equally susceptible to zero day attacks. In this paper, we propose a novel security metric, k-zero day safety, to address this issue. Instead of attempting to rank unknown vulnerabilities, our metric counts how many such vulnerabilities would be required for compromising network assets; a larger count implies more security since the likelihood of having more unknown vulnerabilities available, applicable, and exploitable all at the same time will be significantly lower.We formally define the metric, analyze the complexity of computing the metric, devise heuristic algorithms for intractable cases, and finally demonstrate through case studies that applying the metric to existing network security practices may generate actionable knowledge.
Citation
IEEE Transactions on Dependable and Secure Computing
Volume
11
Issue
1

Keywords

Security metrics, network security, attack graph, network hardening, zero day attack

Citation

Wang, L. , Jajodia, S. , Singhal, A. , Cheng, P. and Noel, S. (2014), k-Zero Day Safety: A Network Security Metric for Measuring the Risk of Unknown Vulnerabilities, IEEE Transactions on Dependable and Secure Computing, [online], https://doi.org/10.1109/TDSC.2013.24, https://tsapps.nist.gov/publication/get_pdf.cfm?pub_id=914235 (Accessed November 8, 2024)

Issues

If you have any questions about this publication or are having problems accessing it, please contact reflib@nist.gov.

Created January 30, 2014, Updated October 12, 2021