Archive | 2019
Zero-Day Vulnerability Risk Assessment and Attack Path Analysis Using Security Metric
Abstract
Zero-day vulnerabilities are considered one of the most serious current threats to network security. Current research on zero-day vulnerability risk assessment focuses mainly on the number of zero-day vulnerabilities an attacker must exploit to reach the target. In practice, however, existing methods make it difficult to assess the risk of a single zero-day vulnerability. This paper proposes a risk assessment method for zero-day vulnerabilities and attack paths in internal networks. Four kinds of security metrics and an algorithm for zero-day vulnerability discovery and zero-day attack graph generation are designed. By contrasting the preconditions with the postconditions of known vulnerabilities, the attack complexity and impact of zero-day vulnerabilities in various contexts are analyzed. Experimental results show that the proposed method can quantitatively assess the risk of a single zero-day vulnerability and of an attack path from multiple dimensions.