A zero-day attack may refer to a security or malware attack that occurs before public disclosure of a vulnerability that the attack exploits. An attacker may discover the vulnerability inadvertently or by studying the software system that contains the vulnerability. By studying the software system, or by learning about the vulnerability from others, the attacker may develop a method or program for exploiting the vulnerability.
Notably, the attacker may keep the vulnerability and the exploit secret. The secrecy of the vulnerability and the exploit may make it far more difficult to detect or prevent the attack. Accordingly, the attacker may desire to maintain and take steps to ensure the secrecy. For the same reason, the attacker may only launch the attack on a small number of targets. The attacker may specify high value targets or may specify targets requiring a long time to compromise. Because the zero-day attack may be more difficult to detect, the attack can be better suited for targeting a smaller number of high value targets, especially over a long period of time.
Because of the secretive nature of zero-day attacks, not much is currently known about them. For example, relatively little is known about the prevalence, successfulness, or dangerousness of zero-day attacks. When attacks are finally discovered, the discovery is typically fortuitous and not representative of zero-day attacks in general. The lack of representative samples or more comprehensive data about zero-day attacks may make it more difficult to study the attacks and guard against them (e.g. by resolving vulnerabilities, developing patches, immunizing systems, and/or taking counter-measures against zero-day attackers).
Because zero-day attacks may exploit vulnerabilities that are not yet disclosed to the public, traditional security systems that rely on antivirus or intrusion-detection signatures may fail to detect these attacks. The failure of security systems to detect attacks may provide attackers with a long window to exploit their targets. For this reason, zero-day exploits are often used in targeted attacks. Moreover, security attacks often target non-executable files, which traditional security systems may have particular difficulty analyzing. Accordingly, the instant disclosure identifies and addresses a need for additional and improved systems and methods for analyzing zero-day attacks.