Abstract: A computer-implemented system incorporates a time-varying view of exploitability in the form of Expected Exploitability (EE) to learn and continuously estimate the likelihood of functional software exploits being developed over time. The system characterizes the noise-generating process systematically affecting exploit prediction, and applies a domain-specific technique (e.g., Feature Forward Correction) to learn EE in the presence of label noise. The system also incorporates timeliness and predictive utility of various artifacts, including new and complementary features from proof-of-concepts, and includes scalable feature extractors. The system is validated on three case studies to investigate the practical utility of EE, showing that the system incorporating EE can qualitatively improve prioritization strategies based on exploitability.

Abstract: A computer-implemented method for analyzing zero-day attacks may include 1) identifying, within a database of known security vulnerabilities, disclosure timing information that indicates when a security vulnerability was publicly disclosed, 2) correlating a file with the security vulnerability by searching a database of file activity for at least one file that is associated with an attack that exploits the security vulnerability, 3) identifying, within the database of file activity, activity timing information indicating timing of one or more activities that involve the file and that occurred on endpoint computing devices before the security vulnerability was publicly disclosed, and 4) comparing the disclosure timing information with the activity timing information to investigate a potential zero-day attack that exploits the security vulnerability. Various other methods, systems, and computer-readable media are also disclosed.

Abstract: A computer-implemented method for determining malicious-attack exposure levels based on field-data analysis may include (1) receiving a plurality of attack reports from a plurality of computing systems, wherein at least one attack report includes an identifier of a software component of a computing system within the plurality of computing systems from which the attack report was received and an indication that a malicious attack was detected at the computing system, (2) determining a number of attack reports within the plurality of attack reports that identify the software component, (3) analyzing the plurality of attack reports to determine, based at least in part on the number of attack reports, a level of exposure to malicious attacks of the software component, and (4) making, based at least in part on the level of exposure, a security determination related to the software component. Various other methods, systems, and computer-readable media are also disclosed.