Predicting vulnerability discovery rate using past versions of a software
Pages 220–225
Abstract
A vulnerability discovery model (VDM) describes the number of security vulnerabilities found in a software product over time. Several models have been proposed to capture the characteristics of the vulnerability discovery trend at different stages in the life cycle of various software. Such models can help in assessing the risk of a software product by predicting the number of vulnerabilities that will be discovered and the trend of their discovery. However, existing work examines each software product independently when investigating the use of VDMs to predict its vulnerability discovery trend. In this work, we propose two algorithms, MeanFit and TrendFit, that use vulnerability discovery data from past versions of a software product to help build the VDM for its current version. Experimental results indicate that the algorithms have merit in cases where there is limited data for the current version.
Publication information
Published in: Jul 2018, 308 pages. Copyright © 2018.
Publisher: IEEE Press
Published: 31 July 2018
Qualifiers: Research-article