Before We Knew It: An Empirical Study of Zero-day Attacks in the Real World

TitleBefore We Knew It: An Empirical Study of Zero-day Attacks in the Real World
Publication TypeConference Papers
Year of Publication2012
AuthorsBilge L, Dumitras T
Conference NameCCS '12 Proceedings of the 2012 ACM conference on Computer and Communications Security
Date Published2012///
ISBN Number978-1-4503-1651-4
Keywordsfull disclosure, vulnerabilities, zero-day attacks

Little is known about the duration and prevalence of zero-day attacks, which exploit vulnerabilities that have not been disclosed publicly. Knowledge of new vulnerabilities gives cyber criminals a free pass to attack any target of their choosing, while remaining undetected. Unfortunately, these serious threats are difficult to analyze, because, in general, data is not available until after an attack is discovered. Moreover, zero-day attacks are rare events that are unlikely to be observed in honeypots or in lab experiments. In this paper, we describe a method for automatically identifying zero-day attacks from field-gathered data that records when benign and malicious binaries are downloaded on 11 million real hosts around the world. Searching this data set for malicious files that exploit known vulnerabilities indicates which files appeared on the Internet before the corresponding vulnerabilities were disclosed. We identify 18 vulnerabilities exploited before disclosure, of which 11 were not previously known to have been employed in zero-day attacks. We also find that a typical zero-day attack lasts 312 days on average and that, after vulnerabilities are disclosed publicly, the volume of attacks exploiting them increases by up to 5 orders of magnitude.