The concept of attack surface has seen many applications in various domains, e.g., software security, cloud security, mobile device security, Moving Target Defense (MTD), etc. However, in contrast to the original attack surface metric, which is formally and quantitatively defined for a software, most of the applications at higher abstraction levels, such as the network level, are limited to an intuitive and qualitative notion, losing the modeling power of the original concept. In this paper, we lift the attack surface concept to the network level as a formal security metric for evaluating the resilience of networks against zero day attacks. Specifically, we first develop novel models for aggregating the attack surface of different network resources. We then design heuristic algorithms to estimate the network attack surface while reducing the effort spent on calculating attack surface for individual resources. Finally, the proposed methods are evaluated through experiments.

中文翻译：

---

网络攻击面：将攻击面的概念提升到网络级别，以评估网络对零日攻击的弹性

攻击面的概念在各个领域都有很多应用，例如软件安全、云安全、移动设备安全、移动目标防御 (MTD) 等。 然而，与原始攻击面度量相比，它在形式上和数量上都是为软件定义，大多数更高抽象级别的应用程序，例如网络级别，仅限于直观和定性的概念，失去了原始概念的建模能力。在本文中，我们将攻击面概念提升到网络级别，作为评估网络抵御零日攻击的弹性的正式安全指标。具体来说，我们首先开发了用于聚合不同网络资源的攻击面的新模型。然后我们设计启发式算法来估计网络攻击面，同时减少计算单个资源的攻击面所花费的精力。最后，通过实验评估所提出的方法。