A Unified Measurable Software Trustworthy Model Based on Vulnerability Loss Speed Index

Trust is becoming increasingly important in the software domain. Because trust is a complex, composite concept, measuring it poses great challenges, especially given today's dynamic and constantly changing internet technology. Measuring software trustworthiness correctly and effectively also plays a significant role in gaining users' trust when they choose between different software products. In the security context, trust has previously been measured from vulnerability occurrence times, in order to predict the total number of vulnerabilities or the time at which future vulnerabilities will occur. In this study, we propose a new unified index called the "loss speed index", which integrates the most important variables of software security (vulnerability occurrence time, vulnerability count and severity loss) and is used to evaluate the overall trustworthiness of software. Based on this definition, we propose a new model called the software trustworthy security growth model (STSGM). This paper also fills a gap by addressing the severity of vulnerabilities: we propose a vulnerability severity prediction model whose results are fed into STSGM to estimate the future loss speed index. Our work has several features: (1) it predicts the severity/type of future vulnerabilities; (2) unlike traditional evaluation methods such as expert scoring, the model uses historical data to predict the future loss speed of software; (3) the loss metric value is used to evaluate the risk associated with different software, which has a direct impact on software trustworthiness. Experiments were performed on real software vulnerability datasets, and the results are analyzed to check the correctness and effectiveness of the proposed model.
