DocumentCode :
2417047
Title :
Empirical Estimates and Observations of 0Day Vulnerabilities
Author :
McQueen, M.A. ; McQueen, T.A. ; Boyer, W.F. ; Chaffin, M.R.
fYear :
2009
fDate :
5-8 Jan. 2009
Firstpage :
1
Lastpage :
12
Abstract :
We define a 0Day vulnerability to be any vulnerability, in deployed software, that has been discovered by at least one person but has not yet been publicly announced or patched. These 0Day vulnerabilities are of particular interest when assessing the risk to a system from exploit of vulnerabilities which are not generally known to the public or, most importantly, to the owners of the system. Using the 0Day definition given above, we analyzed the 0Day lifespans of 491 vulnerabilities and conservatively estimated that in the worst year there were on average 2500 0Day vulnerabilities in existence on any given day. Then using a small but intriguing set of 15 0Day vulnerability lifespans representing the time from actual discovery to public disclosure, we made a more aggressive estimate. In this case, we estimated that in the worst year there were, on average, 4500 0Day vulnerabilities in existence on any given day.
Keywords :
risk management; security of data; 0Day lifespan; 0Day software vulnerability observation; public disclosure; risk assessment; Application software; Databases; Educational institutions; Hardware; IEEE news; Laboratories; Life estimation; Protection; Security; Software systems;
fLanguage :
English
Publisher :
ieee
Conference_Titel :
System Sciences, 2009. HICSS '09. 42nd Hawaii International Conference on
Conference_Location :
Big Island, HI
ISSN :
1530-1605
Print_ISBN :
978-0-7695-3450-3
Type :
conf
DOI :
10.1109/HICSS.2009.186
Filename :
4755605