Empirical Models for Vulnerability Exploits - UMD - October 2014

Public Audience
Purpose: To highlight project progress. Information is generally at a higher level which is accessible to the interested public. All information contained in the report (regions 1-3) is a Government Deliverable/CDRL.

PI(s): Tudor Dumitras
Researchers: Kartik Nayak, BumJun Kwon, Michael Hicks, Jonathan Katz, Joseph JaJa


FUNDAMENTAL RESEARCH:

The security of deployed and actively used systems is a moving target, influenced by factors not captured in the existing security metrics. For example, the count and severity of vulnerabilities in source code, as well as the corresponding attack surface, are commonly used as measures of a software product's security. However, simply estimating the number of vulnerabilities in source code does not account for the fact that some vulnerabilities are never exploited by attackers, perhaps because of reduced attack surfaces or because of other technologies that render exploits less likely to succeed. Conversely, vulnerabilities that have been "patched" can continue to impact security in the real world because some users do not deploy the corresponding software patches. Overall, we currently do not know how to assess the security of real-world systems. In this task, we will conduct empirical studies of security in the real world. Our goals are to derive empirical models of the vulnerabilities and attack surfaces exercised in cyber attacks and to understand the deployment-specific factors that influence the security of systems in active use.


HARD PROBLEM(S) ADDRESSED
This refers to Hard Problems, released November 2012.

Security-Metrics-Driven Evaluation, Design, Development, and Deployment

PUBLICATIONS
Papers published in this quarter as a result of this research. Include title, author(s), venue published/presented, and a short description or abstract. Identify which hard problem(s) the publication addressed. Papers that have not yet been published should be reported in region 2 below.

1. Kartik Nayak, Daniel Marino, Petros Efstathopoulos, and Tudor Dumitras. Some vulnerabilities are different than others: Studying vulnerabilities and attack surfaces in the wild. In Proceedings of the 17th International Symposium on Research in Attacks, Intrusions and Defenses (RAID'14), Gothenburg, Sweden, Sep 2014.

ACCOMPLISHMENT HIGHLIGHTS

  • Formalized several security metrics derived from field data, including the count of vulnerabilities exploited and the size of the attack surface actually exercised in real-world attacks.
  • Evaluated these metrics on a data set collected on more than six million hosts, and showed that only 15% of known vulnerabilities are exploited in the wild, and that none of the products we analyzed has an exploitation ratio higher than 35%.
  • Showed that quantitative improvements with respect to our metrics are often associated with the introduction of new security technologies (e.g. sandboxing), thus demonstrating the effectiveness of these technologies in the field.