In this paper we analyse the frequency at which vulnerabilities are exploited in the wild by relying on data collected worldwide by Symantec’s sensors. Our analysis comprises 374 exploited vulnerabilities for a total of 75.7 Million recorded attacks spanning three years (2009-2012). We find that for some software as little as 5% of exploited vulnerabilities is responsible for about 95% of the attacks against that platform. This strongly skewed distribution is consistent for all considered software categories, for which a general take-away is that less than 10% of vulnerabilities account for more than 90% of the attacks (with the exception of pre-2009 Java vulnerabilities). Following these findings, we hypothesise vulnerability exploitation may follow a Power Law distribution. Rigorous hypothesis testing results in neither accepting nor rejecting the Power Law Hypothesis, for which further data collection from the security community may be needed. Finally, we present and discuss the Law of the Work-Averse Attacker as a possible explanation for the heavy-tailed distributions we find in the data, and present examples of its effects for Apple Quicktime and Microsoft Internet Explorer vulnerabilities.

The heavy tails of vulnerability exploitation / Allodi, Luca. - (2015). (Intervento presentato al convegno ESSoS 2015 tenutosi a Milano nel 4th March-6th March 2015) [10.1007/978-3-319-15618-7_11].

The heavy tails of vulnerability exploitation

Allodi, Luca
2015-01-01

Abstract

In this paper we analyse the frequency at which vulnerabilities are exploited in the wild by relying on data collected worldwide by Symantec’s sensors. Our analysis comprises 374 exploited vulnerabilities for a total of 75.7 Million recorded attacks spanning three years (2009-2012). We find that for some software as little as 5% of exploited vulnerabilities is responsible for about 95% of the attacks against that platform. This strongly skewed distribution is consistent for all considered software categories, for which a general take-away is that less than 10% of vulnerabilities account for more than 90% of the attacks (with the exception of pre-2009 Java vulnerabilities). Following these findings, we hypothesise vulnerability exploitation may follow a Power Law distribution. Rigorous hypothesis testing results in neither accepting nor rejecting the Power Law Hypothesis, for which further data collection from the security community may be needed. Finally, we present and discuss the Law of the Work-Averse Attacker as a possible explanation for the heavy-tailed distributions we find in the data, and present examples of its effects for Apple Quicktime and Microsoft Internet Explorer vulnerabilities.
2015
Engineering Secure Software and Systems:7th International Symposium, ESSoS 2015, Milan, Italy, March 4-6, 2015. Proceedings
Switzerland
Springer International Publishing
978-3-319-15617-0
Allodi, Luca
The heavy tails of vulnerability exploitation / Allodi, Luca. - (2015). (Intervento presentato al convegno ESSoS 2015 tenutosi a Milano nel 4th March-6th March 2015) [10.1007/978-3-319-15618-7_11].
File in questo prodotto:
File Dimensione Formato  
ESSoS-2015.pdf

Solo gestori archivio

Descrizione: Articolo
Tipologia: Versione editoriale (Publisher’s layout)
Licenza: Tutti i diritti riservati (All rights reserved)
Dimensione 353.24 kB
Formato Adobe PDF
353.24 kB Adobe PDF   Visualizza/Apri

I documenti in IRIS sono protetti da copyright e tutti i diritti sono riservati, salvo diversa indicazione

Utilizza questo identificativo per citare o creare un link a questo documento: https://hdl.handle.net/11572/117150
Citazioni
  • ???jsp.display-item.citation.pmc??? ND
  • Scopus 8
  • ???jsp.display-item.citation.isi??? ND
social impact