Zero Day Attacks: Novel Behaviour or Novel Vulnerability?

TL;DR

This paper reviews 20 years of zero-day incidents, finding they mainly exploit undisclosed vulnerabilities rather than novel behaviors, and advocates for vulnerability-centric detection methods over behavior-based approaches.

Contribution

It introduces a taxonomy of zero-day vulnerabilities, analyzes ML-based detection assumptions, and emphasizes the importance of vulnerability-focused detection aligned with real-world attack mechanisms.

Findings

Zero-day attacks primarily exploit undisclosed vulnerabilities, especially memory-corruption flaws.

Attacks on defensive mechanisms have increased in recent years.

ML-based detectors often target hypothetical behaviors, which may not align with actual attack mechanisms.

Abstract

Zero-day attacks pose severe cybersecurity risks due to their high success rates and stealth. Because signature-based approaches struggle to detect such attacks, building Intrusion Detection Systems (IDSs) for detecting zero-day attacks is essential. We contend that for an IDS to be effective it must be grounded in an understanding of how zero-day attacks manifest in real-world networks. To this end, we review documented zero-day incidents spanning 20 years, finding that these attacks arise from the exploitation of undisclosed vulnerabilities rather than novel attack behavior. Guided by this insight, we propose a taxonomy of zero-day vulnerability types and analyze assumptions of ML-based intrusion detection approaches. Our analysis shows that incidents consistently involve vulnerability exploitation, with memory-corruption flaws being most used; additionally, attacks targeting defensive-mechanism vulnerabilities have increased in recent years. We also identify a mismatch: while incident reports emphasize vulnerability exploitation, many ML-based detectors are designed to detect hypothetical "novel behaviors" during attack execution. Our findings indicate that vulnerability-centric methods are more aligned with real-world attack mechanisms. Consequently, reliance on behavior-based detection alone may overstate zero-day detection capabilities in ML-based IDSs. We advocate for cautious interpretation of such claims and call for improved automated vulnerability detection frameworks aligned with real-world exploit characteristics. Effective defense against zero-day attacks requires prioritizing vulnerability-centeric approaches that enable early identification and mitigation across the lifecycle. The ability to detect attacks that utilize novel behaviors (Tactics, Techniques, and Procedures (TTPs)) is useful, but it does necessarily equate to the ability to detect zero-day attacks.