Before we knew it: An empirical study of zero-day attacks in the real world

Proceedings of the ACM Conference on Computer and Communications Security

Volumn , Issue , 2012, Pages 833-844

  Bilge, Leyla ^a   Dumitras, Tudor ^a  

^a SYMANTEC RESEARCH LABS   (United States)

Author keywords

Full disclosure; Vulnerabilities; Zero day attacks

Indexed keywords

CYBER CRIMINALS; DATA SETS; EMPIRICAL STUDIES; FULL DISCLOSURES; HONEYPOTS; ORDERS OF MAGNITUDE; RARE EVENT; VULNERABILITIES; ZERO DAY ATTACK;

SECURITY OF DATA;

EID: 84869403808     PISSN: 15437221     EISSN: None     Source Type: Conference Proceeding    
DOI: 10.1145/2382196.2382284     Document Type: Conference Paper

References (40)

1. Adobe Systems Incorporated. Security bulletins and advisories. http://www.adobe.com/support/security/, 2012.
2. R. Anderson and T. Moore. The economics of information security. In Science, vol. 314, no. 5799, 2006.
3. W. A. Arbaugh, W. L. Fithen, and J. McHugh. Windows of vulnerability: A case study analysis. IEEE Computer, 33(12), December 2000.
4. A. Arora, R. Krishnan, A. Nandkumar, R. Telang, and Y. Yang. Impact of vulnerability disclosure and patch availability - an empirical analysis. In Workshop on the Economics of Information Security (WEIS 2004), 2004.
5. S. Beattie, S. Arnold, C. Cowan, P. Wagle, and C. Wright. Timing the application of security patches for optimal uptime. In Large Installation System Administration Conference, pages 233-242, Philadelphia, PA, Nov 2002.
6. J. Bollinger. Economies of disclosure. In SIGCAS Comput. Soc., 2004.
7. D. Brumley, P. Poosankam, D. X. Song, and J. Zheng. Automatic patch-based exploit generation is possible: Techniques and implications. In IEEE Symposium on Security and Privacy, pages 143-157, Oakland, CA, May 2008.
8. H. C. H. Cavusoglu and S. Raghunathan. Emerging issues in responsible vulnerability disclosure. In Workshop on Information Technology and Systems, 2004.
9. D. H. P. Chau, C. Nachenberg, J. Wilhelm, A. Wright, and C. Faloutsos. Polonium : Tera-scale graph mining for malware detection. In SIAM International Conference on Data Mining (SDM), Mesa, AZ, April 2011.
10. CVE. A dictionary of publicly known information security vulnerabilities and exposures. http://cve.mitre.org/, 2012.
11. N. Falliere, L. O'Murchu, and E. Chien. W32.stuxnet dossier. http://www.symantec.com/content/en/us/enterprise/media/security-response/ whitepapers/w32-stuxnet-dossier.pdf, February 2011.
12. S. Frei. Security Econometrics: The Dynamics of (In)Security. PhD thesis, ETH Zürich, 2009.
13. S. Frei. End-Point Security Failures, Insight gained from Secunia PSI scans. Predict Workshop, February 2011.
14. Google Inc. Pwnium: rewards for exploits, February 2012. http://blog.chromium.org/2012/02/pwnium-rewards-for-exploits.html.
15. A. Greenberg. Shopping for zero-days: A price list for hackers' secret software exploits. Forbes, 23 March 2012. http://www.forbes.com/sites/ andygreenberg/2012/03/23/shopping-for-zero-days-an-\price-list-for-hackers- secret-software-exploits/.
16. A. Lelli. The Trojan.Hydraq incident: Analysis of the Aurora 0-day exploit. http://www.symantec.com/connect/blogs/trojanhydraq-incident-analysis- aurora-0-day-exploit, 25 January 2010.
17. R. McMillan. RSA spearphish attack may have hit US defense organizations. PC World, 8 September 2011. http://www.pcworld.com/businesscenter/article/ 239728/rsa-spearphish-attack-may-have-hit-us-defense-organizations.html.
18. M. A. McQueen, T. A. McQueen, W. F. Boyer, and M. R. Chaffin. Empirical estimates and observations of 0day vulnerabilities. In Hawaii International Conference on System Sciences, 2009.
19. Microsoft. Microsoft security bulletins. http:// technet.microsoft.com/ en-us/security/bulletin, 2012.
20. C. Miller. The legitimate vulnerability market: Inside the secretive world of 0-day exploit sales. In Workshop on the Economics of Information Security, Pittsburgh, PA, June 2007.
21. OSVDB. The open source vulnerability database. http://www.osvdb.org/, 2012.
22. A. Ozment and S. E. Schechter. Milk or wine: does software security improve with age? In 15th conference on USENIX Security Symposium, 2006.
23. P. Porras, H. Saidi, and V. Yegneswaran. An anlysis of conficker's logic and rendezvous points. http://mtc.sri.com/Conficker/, 2009.
24. Qualys, Inc. The laws of vulnerabilities 2.0. http://www.qualys.com/docs/ Laws-2.0.pdf, July 2009.
25. T. Dumitraş and D. Shou. Toward a standard benchmark for computer security research: The Worldwide Intelligence Network Environment (WINE). In EuroSys BADGERS Workshop, Salzburg, Austria, Apr 2011.
26. E. Rescorla. Is finding security holes a good idea? In IEEE Security and Privacy, 2005.
27. U. Rivner. Anatomy of an attack, 1 April 2011. http: //blogs.rsa.com/ rivner/anatomy-of-an-attack/ Retrieved on 19 April 2012.
28. SANS Institute. Top cyber security risks - zero-day vulnerability trends. http://www.sans.org/top-cyber-security-risks/zero-day.php, 2009.
29. B. Schneier. Cryptogram september 2000 - full disclosure and the window of exposure. http://www.schneier.com/crypto-gram-0009.html, 2000.
30. B. Schneier. Locks and full disclosure. In IEEE Security and Privacy, 2003.
31. B. Schneier. The nonsecurity of secrecy. In Commun. ACM, 2004.
32. M. Shahzad, M. Z. Shafiq, and A. X. Liu. A large scale exploratory analysis of software vulnerability life cycles. In Proceedings of the 2012 International Conference on Software Engineering, 2012.
33. Symantec Corporation. Symantec global Internet security threat report, volume 13. http://eval.symantec.com/mktginfo/enterprise/ white-papers/b- whitepaper-internet-security- threat-report-xiii-04-2008.en-us.pdf, April 2008.
34. Symantec Corporation. Symantec global Internet security threat report, volume 14. http://eval.symantec.com/mktginfo/enterprise/white-papers/b- whitepaper-internet-security-threat-report-xv-04-2010.en-us.pdf,April2009.
35. Symantec Corporation. Symantec global Internet security threat report, volume 15. http://msisac.cisecurity.org/resources/reports/documents/ SymantecInternetSecurityThreatReport2010.pdf, April 2010.
36. Symantec Corporation. Symantec Internet security threat report, volume 16, April 2011.
37. Symantec Corporation. Symantec Internet security threat report, volume 17. http://www.symantec.com/threatreport/, April 2012.
38. Symantec Corporation. Symantec threat explorer. http://www.symantec.com/ security-response/threatexplorer/azlisting.jsp, 2012.
39. Symantec.cloud. February 2011 intelligence report. http://www. messagelabs.com/mlireport/MLI-2011-02-February-FINAL-en.PDF, 2011.
40. N. Weaver and D. Ellis. Reflections on Witty: Analyzing the attacker. ;login: The USENIX Magazine, 29(3):34-37, June 2004.