Some Vulnerabilities Are Different Than Others

Nayak, Kartik; Marino, Daniel L.; Efstathopoulos, Petros; Dumitraş, Tudor

doi:10.1007/978-3-319-11379-1_21

Cited by 61 publications

(58 citation statements)

References 10 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…This requires the definition of models that jointly evaluate attacker's and defender's strategies: (89) several independent studies showed that most attacks are driven by a handful of vulnerabilities only, suggesting that attackers choose vulnerabilities to exploit as opposed to launching attacks drawn randomly from a pool of exploits for all vulnerabilities. (46,47,103) Capturing these aspects may require to integrate socioeconomic models to evaluate attacker's incentives in marketing or buying a new vulnerability (91,102) or choosing a target. (89) We consider these aspects for future work.…”

Section: Discussionmentioning

confidence: 99%

“…(37,45) Due to the studied along the guidelines of traditional safety analysis and QRA in the same fashion that natural risks are studied. prevalence of untargeted attacks in the overall risk scenario, (38,46,47) in this article we focus on this type of attacks.…”

Section: Following Ransbotham Andmentioning

confidence: 99%

“…To compute these components from the technical infrastructure, empirical evidence suggests that if the automated attack tool has incorporated the exploit of a vulnerability present in the system, then success of the attack is almost certain. (37,47,92) Therefore, the probability of a successful intrusion equals the probability that the appropriate combination of vulnerabilities is present in the attacked system (v ∈ s), and that the attacker actually weaponized v in his or her toolkit (v ∈ Weapon):…”

Section: A Quantitative Model For Likelihood Of Cyberattacksmentioning

confidence: 99%

See 2 more Smart Citations

Security Events and Vulnerability Data for Cybersecurity Risk Estimation

Allodi

Massacci

2017

Risk Analysis

View full text Add to dashboard Cite

Current industry standards for estimating cybersecurity risk are based on qualitative risk matrices as opposed to quantitative risk estimates. In contrast, risk assessment in most other industry sectors aims at deriving quantitative risk estimations (e.g., Basel II in Finance). This article presents a model and methodology to leverage on the large amount of data available from the IT infrastructure of an organization's security operation center to quantitatively estimate the probability of attack. Our methodology specifically addresses untargeted attacks delivered by automatic tools that make up the vast majority of attacks in the wild against users and organizations. We consider two-stage attacks whereby the attacker first breaches an Internet-facing system, and then escalates the attack to internal systems by exploiting local vulnerabilities in the target. Our methodology factors in the power of the attacker as the number of "weaponized" vulnerabilities he/she can exploit, and can be adjusted to match the risk appetite of the organization. We illustrate our methodology by using data from a large financial institution, and discuss the significant mismatch between traditional qualitative risk assessments and our quantitative approach.

show abstract

Section: Discussionmentioning

confidence: 99%

Section: Following Ransbotham Andmentioning

confidence: 99%

Section: A Quantitative Model For Likelihood Of Cyberattacksmentioning

confidence: 99%

See 1 more Smart Citation

Security Events and Vulnerability Data for Cybersecurity Risk Estimation

Allodi

Massacci

2017

Risk Analysis

View full text Add to dashboard Cite

show abstract

“…We exploit the impactcomplexity e ect described in Section 3 to estimate the volume of a acks that a vulnerability can potentially receive if an a ack for it exists in the wild. Given the high incidence of unexploited vulnerabilities in the wild [12], a desirable property for our estimator is to maintain high true negative rates (something that the bare CVSS-score unfortunately does not do [2]), whereas false positives can be ruled out by more ne-grained assessments later in a triage process [5]. To build our estimator, we rst assign to each Impact and Access Complexity value an ordinal value derived directly from the original CVSS v2 speci cation [11].…”

Section: Potential Of Attackmentioning

confidence: 99%

Attack Potential in Impact and Complexity

Allodi

Massacci

2017

Proceedings of the 12th International Conference on Availability, Reliability and Security

View full text Add to dashboard Cite

Vulnerability exploitation is reportedly one of the main a ack vectors against computer systems. Yet, most vulnerabilities remain unexploited by a ackers. It is therefore of central importance to identify vulnerabilities that carry a high 'potential for a ack'. In this paper we rely on Symantec data on real a acks detected in the wild to identify a trade-o in the Impact and Complexity of a vulnerability, in terms of a acks that it generates; exploiting this e ect, we devise a readily computable estimator of the vulnerability's A ack Potential that reliably estimates the expected volume of a acks against the vulnerability. We evaluate our estimator performance against standard patching policies by measuring foiled a acks and demanded workload expressed as the number of vulnerabilities entailed to patch. We show that our estimator signi cantly improves over standard patching policies by ruling out low-risk vulnerabilities, while maintaining invariant levels of coverage against a acks in the wild. Our estimator can be used as a rst aid for vulnerability prioritisation to focus assessment e orts on high-potential vulnerabilities. CCS CONCEPTS•Security and privacy → Vulnerability management;

show abstract

“…By validating the actual "traces" attacks left on real systems, they claimed that the real attacker would behave less powerful than we thought and would not exploit every vulnerability. The attackers would strategically choose the busy periods and some certain vulnerabilities, while the efforts of security professionals were diffused across many vulnerabilities [20,21]. Based on this observation, Dumitraş [22] proposed a novel metrics that enabled a more accurate assessment of the risk of cyberattacks.…”

Section: Related Workmentioning

confidence: 99%

Security Measurement for Unknown Threats Based on Attack Preferences

Yin

Sun

Wang

et al. 2018

Security and Communication Networks

View full text Add to dashboard Cite

Security measurement matters to every stakeholder in network security. It provides security practitioners the exact security awareness. However, most of the works are not applicable to the unknown threat. What is more, existing efforts on security metric mainly focus on the ease of certain attack from a theoretical point of view, ignoring the "likelihood of exploitation." To help administrator have a better understanding, we analyze the behavior of attackers who exploit the zero-day vulnerabilities and predict their attack timing. Based on the prediction, we propose a method of security measurement. In detail, we compute the optimal attack timing from the perspective of attacker, using a long-term game to estimate the risk of being found and then choose the optimal timing based on the risk and profit. We design a learning strategy to model the information sharing mechanism among multiattackers and use spatial structure to model the long-term process. After calculating the Nash equilibrium for each subgame, we consider the likelihood of being attacked for each node as the security metric result. The experiment results show the efficiency of our approach.

show abstract

Some Vulnerabilities Are Different Than Others

Cited by 61 publications

References 10 publications

Security Events and Vulnerability Data for Cybersecurity Risk Estimation

Security Events and Vulnerability Data for Cybersecurity Risk Estimation

Attack Potential in Impact and Complexity

Security Measurement for Unknown Threats Based on Attack Preferences

Contact Info

Product

Resources

About