http://dx.doi.org/10.9717/JMIS.2017.4.2.57

Extended Linear Vulnerability Discovery Process  

Joh, HyunChul (Dept. of Computer Eng., Kyungil University)
Publication Information
Journal of Multimedia Information System, vol. 4, no. 2, 2017, pp. 57-64
Abstract
Numerous software vulnerabilities have been found in popular operating systems, and recently a robust linear behavior in the vulnerability discovery process has been observed across many popular systems that have multiple released versions. Software users need to estimate how much risk their software systems carry so that they can take action before it is too late. Security vulnerabilities are discovered throughout the life of a software system by both developers and ordinary end users. Several vulnerability discovery models have been proposed to describe the vulnerability discovery pattern, for purposes such as determining readiness for patch release, allocating resources optimally, or evaluating the risk of vulnerability exploitation. Here, we apply a linear vulnerability discovery model to Windows operating systems to examine the linear discovery trends that are now frequently observed. The results show that the linear discovery model fits aggregate versions much better than individual versions.
Keywords
Software vulnerability; Risk assessment; Linear vulnerability discovery model