Saved in:
Bibliographic Details
Main Authors: Jibunoh, Nnamdi, Khanchi, Sara, Makanju, Adetokunbo
Format: Preprint
Published: 2026
Subjects:
Online Access:https://arxiv.org/abs/2605.03138
Tags: Add Tag
No Tags, Be the first to tag this record!
_version_ 1866915978982457344
author Jibunoh, Nnamdi
Khanchi, Sara
Makanju, Adetokunbo
author_facet Jibunoh, Nnamdi
Khanchi, Sara
Makanju, Adetokunbo
contents Zero-day attacks pose severe cybersecurity risks due to their high success rates and stealth. Because signature-based approaches struggle to detect such attacks, building Intrusion Detection Systems (IDSs) for detecting zero-day attacks is essential. We contend that for an IDS to be effective it must be grounded in an understanding of how zero-day attacks manifest in real-world networks. To this end, we review documented zero-day incidents spanning 20 years, finding that these attacks arise from the exploitation of undisclosed vulnerabilities rather than novel attack behavior. Guided by this insight, we propose a taxonomy of zero-day vulnerability types and analyze assumptions of ML-based intrusion detection approaches. Our analysis shows that incidents consistently involve vulnerability exploitation, with memory-corruption flaws being most used; additionally, attacks targeting defensive-mechanism vulnerabilities have increased in recent years. We also identify a mismatch: while incident reports emphasize vulnerability exploitation, many ML-based detectors are designed to detect hypothetical "novel behaviors" during attack execution. Our findings indicate that vulnerability-centric methods are more aligned with real-world attack mechanisms. Consequently, reliance on behavior-based detection alone may overstate zero-day detection capabilities in ML-based IDSs. We advocate for cautious interpretation of such claims and call for improved automated vulnerability detection frameworks aligned with real-world exploit characteristics. Effective defense against zero-day attacks requires prioritizing vulnerability-centeric approaches that enable early identification and mitigation across the lifecycle. The ability to detect attacks that utilize novel behaviors (Tactics, Techniques, and Procedures (TTPs)) is useful, but it does necessarily equate to the ability to detect zero-day attacks.
format Preprint
id arxiv_https___arxiv_org_abs_2605_03138
institution arXiv
publishDate 2026
record_format arxiv
spellingShingle Zero Day Attacks: Novel Behaviour or Novel Vulnerability?
Jibunoh, Nnamdi
Khanchi, Sara
Makanju, Adetokunbo
Cryptography and Security
Zero-day attacks pose severe cybersecurity risks due to their high success rates and stealth. Because signature-based approaches struggle to detect such attacks, building Intrusion Detection Systems (IDSs) for detecting zero-day attacks is essential. We contend that for an IDS to be effective it must be grounded in an understanding of how zero-day attacks manifest in real-world networks. To this end, we review documented zero-day incidents spanning 20 years, finding that these attacks arise from the exploitation of undisclosed vulnerabilities rather than novel attack behavior. Guided by this insight, we propose a taxonomy of zero-day vulnerability types and analyze assumptions of ML-based intrusion detection approaches. Our analysis shows that incidents consistently involve vulnerability exploitation, with memory-corruption flaws being most used; additionally, attacks targeting defensive-mechanism vulnerabilities have increased in recent years. We also identify a mismatch: while incident reports emphasize vulnerability exploitation, many ML-based detectors are designed to detect hypothetical "novel behaviors" during attack execution. Our findings indicate that vulnerability-centric methods are more aligned with real-world attack mechanisms. Consequently, reliance on behavior-based detection alone may overstate zero-day detection capabilities in ML-based IDSs. We advocate for cautious interpretation of such claims and call for improved automated vulnerability detection frameworks aligned with real-world exploit characteristics. Effective defense against zero-day attacks requires prioritizing vulnerability-centeric approaches that enable early identification and mitigation across the lifecycle. The ability to detect attacks that utilize novel behaviors (Tactics, Techniques, and Procedures (TTPs)) is useful, but it does necessarily equate to the ability to detect zero-day attacks.
title Zero Day Attacks: Novel Behaviour or Novel Vulnerability?
topic Cryptography and Security
url https://arxiv.org/abs/2605.03138