we propose a novel network security metric, k-zero day safety, to address this issue. Roughly speaking, instead of attempting to measure which unknown vulnerabilities are more likely to exist, we start with the worst-case assumption that this is not measurable. Our metric then simply counts how many zero-day vulnerabilities are required to compromise a network asset. A larger count indicates a relatively more secure network, because the likelihood of having more unknown vulnerabilities all available at the same time, applicable to the same network, and exploitable by the same attacker is lower. We formally define the k-zero day safety metric based on an abstract model of networks and zero-day attacks. We analyze the complexity of computing the metric and design heuristic algorithms for addressing this complexity in special cases.

By enabling a direct comparison of different security solutions with respect to their relative effectiveness, a network security metric may provide quantifiable evidence to assist security practitioners in securing computer networks. However, research on security metrics has been hindered by difficulties in handling zero-day attacks exploiting unknown vulnerabilities. In fact, the security risk of unknown vulnerabilities has been considered something unmeasurable due to the less predictable nature of software flaws. This poses a major difficulty for security metrics, because a more secure configuration would be of little value if it were equally susceptible to zero-day attacks. In this paper, we propose a novel security metric, k-zero day safety, to address this issue. Instead of attempting to rank unknown vulnerabilities, our metric counts how many such vulnerabilities would be required for compromising network assets; a larger count implies more security because the likelihood of having more unknown vulnerabilities available, applicable, and exploitable all at the same time will be significantly lower.
We formally define the metric, analyze the complexity of computing the metric, devise heuristic algorithms for intractable cases, and finally demonstrate through case studies that applying the metric to existing network security practices may generate actionable knowledge.
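The following is an added toy illustration of the counting idea behind k-zero day safety, not code from the paper: it assumes a constructed two-host network in which every exposed service carries one hypothetical zero-day vulnerability, reusing the same zero-day on another host costs nothing extra, and k is the smallest number of distinct zero-days whose exploitation lets the attacker reach the asset host. It brute-forces subsets of services, which is fine for a toy network but not the paper's heuristic algorithms.

```python
from itertools import combinations

# Constructed network: host -> services, each assumed to expose one
# hypothetical zero-day vulnerability that yields control of the host.
SERVICES = {"web": {"http", "ssh"}, "db": {"mysql", "ssh"}}

# Constructed connectivity: source host -> {(destination host, service)}.
# OPEN lets the attacker reach both web services directly;
# HARDENED represents a firewall that only passes http from the attacker.
OPEN = {"attacker": {("web", "http"), ("web", "ssh")},
        "web": {("db", "ssh"), ("db", "mysql")}}
HARDENED = {"attacker": {("web", "http")},
            "web": {("db", "ssh"), ("db", "mysql")}}


def reachable(services, connectivity, allowed, start="attacker"):
    """Hosts the attacker controls when only the zero-days in `allowed`
    (a set of service names) may be exploited, starting from `start`."""
    owned = {start}
    frontier = [start]
    while frontier:
        src = frontier.pop()
        for dst, svc in connectivity.get(src, ()):
            if dst not in owned and svc in allowed and svc in services.get(dst, ()):
                owned.add(dst)       # same zero-day reused on a new host: no extra cost
                frontier.append(dst)
    return owned


def k_zero_day(services, connectivity, asset, start="attacker"):
    """Return (k, zero-days) with k the minimum number of distinct zero-day
    vulnerabilities needed to compromise `asset`, or None if it is unreachable."""
    all_svcs = sorted({s for svcs in services.values() for s in svcs})
    for k in range(len(all_svcs) + 1):          # smallest k first
        for subset in combinations(all_svcs, k):
            if asset in reachable(services, connectivity, frozenset(subset), start):
                return k, set(subset)
    return None


if __name__ == "__main__":
    # A larger k means the asset is harder to reach with unknown vulnerabilities.
    print("open firewall:    k =", k_zero_day(SERVICES, OPEN, "db"))
    print("hardened firewall: k =", k_zero_day(SERVICES, HARDENED, "db"))
```

With the open firewall a single ssh zero-day owns web and then db, so k = 1; blocking ssh from the attacker forces two distinct zero-days (http, then mysql or ssh), so k = 2.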