Extended Linear Vulnerability Discovery Process

  • Received : 2017.06.12
  • Accepted : 2017.06.27
  • Published : 2017.06.30

Abstract

Numerous software vulnerabilities have been found in popular operating systems, and robust linear behavior in the vulnerability discovery process has recently been observed in many popular systems that have had multiple versions released. Software users need to estimate how much risk their software systems carry so that they can act before it is too late. Security vulnerabilities are discovered throughout the life of a software system, by developers as well as ordinary end users. Several vulnerability discovery models have been proposed to describe the vulnerability discovery pattern, for purposes such as determining readiness for patch release, allocating resources optimally, or evaluating the risk of vulnerability exploitation. Here, we apply a linear vulnerability discovery model to Windows operating systems to examine the linear discovery trend that is now frequently observed. The results in the paper show that the linear discovery model fits the aggregate of versions much better than it fits each individual version.
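As an added illustration of the aggregate-versus-per-version point (example code, not the paper's own analysis or data): a least-squares linear vulnerability discovery model fitted to constructed monthly counts for three hypothetical versions with staggered releases, reporting R² for one version alone against the aggregate curve.

```python
"""Linear vulnerability discovery model (VDM) fitted per version vs. aggregate.
Added example, not the paper's code; monthly counts are constructed, hypothetical
data for three staggered releases, each with the usual S-shaped per-version curve."""
from typing import Dict, List, Sequence, Tuple

# Constructed: new vulnerabilities per month after a version's release
# (same shape for every version; only the release month differs).
PER_VERSION_NEW = [1, 1, 2, 4, 6, 8, 8, 6, 4, 2, 1, 1]
RELEASE_MONTH = {"v1": 0, "v2": 6, "v3": 12}  # hypothetical release offsets

def cumulative(new_per_month: Sequence[int]) -> List[int]:
    """Running total: the cumulative discovery curve Omega(t)."""
    out, total = [], 0
    for n in new_per_month:
        total += n
        out.append(total)
    return out

def aggregate_new(releases: Dict[str, int], shape: Sequence[int]) -> List[int]:
    """Sum per-version monthly counts onto one shared calendar timeline."""
    totals = [0] * (max(releases.values()) + len(shape))
    for start in releases.values():
        for k, n in enumerate(shape):
            totals[start + k] += n
    return totals

def fit_linear(y: Sequence[float]) -> Tuple[float, float, float]:
    """Ordinary least squares Omega(t) = a*t + b over t = 0..len(y)-1.
    Returns (slope a, intercept b, coefficient of determination R^2)."""
    n, y_mean, t_mean = len(y), sum(y) / len(y), (len(y) - 1) / 2
    sxx = sum((t - t_mean) ** 2 for t in range(n))
    sxy = sum((t - t_mean) * (v - y_mean) for t, v in enumerate(y))
    syy = sum((v - y_mean) ** 2 for v in y)
    a = sxy / sxx
    return a, y_mean - a * t_mean, sxy * sxy / (sxx * syy)

def compare_fits() -> Dict[str, float]:
    """R^2 of the linear VDM for one version alone and for the aggregate."""
    return {
        "single_version": fit_linear(cumulative(PER_VERSION_NEW))[2],
        "aggregate": fit_linear(cumulative(aggregate_new(RELEASE_MONTH, PER_VERSION_NEW)))[2],
    }

if __name__ == "__main__":
    for name, r2 in compare_fits().items():
        print(f"{name:>14}: R^2 = {r2:.3f}")
```

With these constructed inputs the single-version S-curve fits the straight line with R² of about 0.96, while the aggregate of staggered versions reaches about 0.99, which is the pattern the abstract describes.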
