Towards Incorporating a Possibility of Zero-day Attacks Into Security Risk Metrics: Work in Progress
Author
Abstract

This paper reports on work in progress on incorporating a possibility of zero-day attacks into security risk metrics. System security is modelled by an Attack Graph (AG), where attack paths may include a combination of known and zero-day exploits. While the set of feasible zero-day exploits and the composition of each attack path are known, only estimates of the likelihoods of known exploits are available. We propose addressing uncertain likelihoods of zero-day exploits within the framework of robust risk metrics. Assuming some base likelihoods of zero-day exploits, robust risk metrics assume a worst-case Probabilistic or Bayesian AG scenario allowing for a controlled deviation of the actual likelihoods of zero-day exploits from their base values. The corresponding worst-case scenario is defined with respect to the system losses due to a zero-day attack. These robust risk metrics interpolate between the corresponding probabilistic or Bayesian AG model on the one hand and a purely antagonistic game-theoretic model on the other hand. The popular k-zero day security metric is a particular case of the proposed metric.

Year of Publication
2023
Date Published
jan
Publisher
IEEE
Conference Location
Las Vegas, NV, USA
ISBN Number
978-1-66549-734-3
URL
https://ieeexplore.ieee.org/document/10060371/
DOI
10.1109/CCNC51644.2023.10060371