Adetokunbo Makanju

2 Papers

CR, May 4
Zero Day Attacks: Novel Behaviour or Novel Vulnerability?

Nnamdi Jibunoh, Sara Khanchi, Adetokunbo Makanju

Zero-day attacks pose severe cybersecurity risks due to their high success rates and stealth. Because signature-based approaches struggle to detect such attacks, building Intrusion Detection Systems (IDSs) for detecting zero-day attacks is essential. We contend that for an IDS to be effective it must be grounded in an understanding of how zero-day attacks manifest in real-world networks. To this end, we review documented zero-day incidents spanning 20 years, finding that these attacks arise from the exploitation of undisclosed vulnerabilities rather than novel attack behavior. Guided by this insight, we propose a taxonomy of zero-day vulnerability types and analyze assumptions of ML-based intrusion detection approaches. Our analysis shows that incidents consistently involve vulnerability exploitation, with memory-corruption flaws being most used; additionally, attacks targeting defensive-mechanism vulnerabilities have increased in recent years. We also identify a mismatch: while incident reports emphasize vulnerability exploitation, many ML-based detectors are designed to detect hypothetical "novel behaviors" during attack execution. Our findings indicate that vulnerability-centric methods are more aligned with real-world attack mechanisms. Consequently, reliance on behavior-based detection alone may overstate zero-day detection capabilities in ML-based IDSs. We advocate for cautious interpretation of such claims and call for improved automated vulnerability detection frameworks aligned with real-world exploit characteristics. Effective defense against zero-day attacks requires prioritizing vulnerability-centric approaches that enable early identification and mitigation across the lifecycle. The ability to detect attacks that utilize novel behaviors (Tactics, Techniques, and Procedures (TTPs)) is useful, but it does not necessarily equate to the ability to detect zero-day attacks.

CR, Jan 16, 2024
ADVENT: Attack/Anomaly Detection in VANETs

Hamideh Baharlouei, Adetokunbo Makanju, Nur Zincir-Heywood

In the domain of Vehicular Ad hoc Networks (VANETs), where the imperative of having a real-world malicious detector capable of detecting attacks in real-time and unveiling their perpetrators is crucial, our study introduces a system with this goal. This system is designed for real-time detection of malicious behavior, addressing the critical need to first identify the onset of attacks and subsequently the responsible actors. Prior work in this area has never addressed both requirements simultaneously, which we believe is necessary for real-world deployment. By seamlessly integrating statistical and machine learning techniques, the proposed system prioritizes simplicity and efficiency. It excels in swiftly detecting attack onsets with a remarkable F1-score of 99.66%, subsequently identifying malicious vehicles with an average F1-score of approximately 97.85%. Incorporating federated learning in both stages enhances privacy and improves the efficiency of malicious node detection, effectively reducing the false negative rate.