Tudor Dumitraș

Assistant Professor
ECE Department
University of Maryland, College Park

Empirical Study of Zero-Day Attacks

| Comments

A zero-day attack exploits one or more vulnerabilities that have not been disclosed publicly. Knowledge of such vulnerabilities gives cyber criminals a free pass to attack any target, from Fortune 500 companies to millions of consumer PCs around the world, while remaining undetected (recent examples include Stuxnet and the Elderwood project). The impact of zero-day attacks has been debated for more than a decade but their duration and prevalence in the real world remained unknown, because zero-day attacks are rare e vents that are unlikely to be observed in honeypots or in lab experiments. Instead, studying zero-day attacks requires the analysis of Internet-scale data.

We used WINE to measure the duration of 18 zero-day attacks, from field data collected on 11 million hosts worldwide [CCS 2012]. These attacks lasted between 19 days and 30 months, with a median of 8 months and an average of approximately 10 months (because we take the the first vulnerability exploit, recorded in the field and observable in WINE, as the starting point of the attack, these numbers represent lower bounds rather than precise estimations). This study also identified 11 vulnerabilities that were not previously known to have been employed in zero-day attacks.

In the news:

  • The Economist: Zero-Day Game
  • Slashdot: Hackers’ ‘Zero-Day’ Exploits Stay Secret For Ten Months On Average
  • Schneier on Security: Studying Zero-Day Attacks
  • Forbes: Hackers Exploit ‘Zero-Day’ Bugs For 10 Months On Average Before They’re Exposed
  • eWEEK: Zero-Day Attacks Escape Detection for Nearly a Year: Symantec Study
  • Dark Reading: Zero-Day Attacks Long-Lived, Presage Mass Exploitation
  • SC Magazine: Zero-day attacks last much longer than most would believe
  • The Register: Hackers get 10 MONTHS to pwn victims with 0-days before world+dog finds out
  • Ars Technica: Zero-day attacks are meaner, more rampant than we ever thought
  • Threat Post: Zero-Day Attacks Thrive for Months Before Disclosure
  • Channelnomics: ‘10 Month’ Zero Days Renew Focus on Heuristics
  • TechTarget: Symantec study highlights complexity of risks posed by zero-day exploits
  • CSO Magazine: Average life of zero day attack is 10 months: study
  • Info Security Magazine: Zero-day attacks circulate for 10 months on average before detection
  • Security Affairs: Wrong response to zero day attacks exposes to serious risks


  1. [CCS 2012] L. Bilge and T. Dumitraș, “Before we knew it: An empirical study of zero-day attacks in the real world,” in ACM Conference on Computer and Communications Security, Raleigh, NC, 2012, pp. 833–844.