DOI: 10.1007/978-3-030-80825-9_11
Find My Sloths: Automated Comparative Analysis of How Real Enterprise Computers Keep Up with the Software Update Races

Published: 14 July 2021

Abstract

A software update is a critical but complicated part of software security. Delaying it poses risks from the vulnerabilities and defects of the software. Despite the high demand to shorten the update lag and keep software up to date, software updates involve factors such as human behavior, program configurations, and system policies, which add variety to how software is updated. Investigating these factors in a real environment poses significant challenges, such as knowing the software release schedules of vendors and the deployment times of programs on each user's machine. Obtaining software release plans requires information from vendors that is not typically available to the public. On the users' side, tracking each software's exact update installation is required to determine the accurate update delay. Currently, no scalable and systematic approach exists to analyze both sides' views across a comprehensive set of software. We performed a long-term, system-wide study of update behavior for all software running in an enterprise by translating the operating system logs from enterprise machines into graphs of binary executable updates, showing their complex and individualized updates in the environment. Our comparative analysis locates risky machines and software with belated or dormant updates that fall behind others within an enterprise, without relying on any third-party or domain knowledge, providing new observations and opportunities for improving software updates. Our evaluation analyzes real data from 113,675 unique programs used by 774 computers over 3 years.
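An added illustration of the comparative idea the abstract describes (example code, not the paper's own algorithm or data): the earliest install of a version on any machine in the enterprise stands in for the vendor release date, so update lag and dormancy are measured purely against peers. The log records, host names and program names below are constructed.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample log: (machine, program, version, install date).
# Hypothetical records, not data from the paper.
SAMPLE_LOG = [
    ("host-A", "browser.exe", "1.0", "2021-01-01"),
    ("host-B", "browser.exe", "1.0", "2021-01-03"),
    ("host-C", "browser.exe", "1.0", "2021-01-02"),
    ("host-A", "browser.exe", "1.1", "2021-02-01"),
    ("host-B", "browser.exe", "1.1", "2021-02-20"),
    # host-C never installs browser 1.1: dormant on that update
    ("host-A", "pdf.exe", "3.0", "2021-01-10"),
    ("host-B", "pdf.exe", "3.0", "2021-01-11"),
    ("host-A", "pdf.exe", "3.1", "2021-03-01"),
    ("host-B", "pdf.exe", "3.1", "2021-03-02"),
    # host-C does not run pdf.exe, so it is not judged on it
]

def update_lags(log):
    """Return {(prog, ver): {host: lag_days}}.  The earliest install of a
    version anywhere in the enterprise stands in for the vendor release
    date, so no vendor schedule is needed.  lag is None when the host runs
    the program but installed nothing since that version first appeared
    (a dormant update)."""
    by_version, last_install = defaultdict(dict), {}
    for host, prog, ver, date in log:
        t = datetime.strptime(date, "%Y-%m-%d")
        by_version[(prog, ver)][host] = t
        last_install[(host, prog)] = max(t, last_install.get((host, prog), t))
    lags = defaultdict(dict)
    for (prog, ver), installs in by_version.items():
        first = min(installs.values())
        for (host, p), last in last_install.items():
            if host in installs and p == prog:
                lags[(prog, ver)][host] = (installs[host] - first).days
            elif p == prog and last < first:
                lags[(prog, ver)][host] = None
    return dict(lags)

def find_sloths(log, threshold_days=14):
    """Hosts lagging more than threshold_days behind the enterprise's
    first adopter, or dormant, per (program, version)."""
    sloths = defaultdict(list)
    for (prog, ver), per_host in update_lags(log).items():
        for host, lag in per_host.items():
            if lag is None or lag > threshold_days:
                sloths[host].append((prog, ver, lag))
    return dict(sloths)
```

With the sample above, host-B is flagged for installing browser 1.1 nineteen days after the first adopter and host-C for never installing it, while host-C is not penalized for pdf.exe, which it does not run.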


Published In

Detection of Intrusions and Malware, and Vulnerability Assessment: 18th International Conference, DIMVA 2021, Virtual Event, July 14–16, 2021, Proceedings
Jul 2021, 402 pages
ISBN: 978-3-030-80824-2
DOI: 10.1007/978-3-030-80825-9

Publisher

Springer-Verlag, Berlin, Heidelberg
