A preliminary analysis of quantifying computer security vulnerability data in "the wild"

A system of computers, networks and software has some level of vulnerability exposure that puts it at risk from criminal hackers. Presently, most vulnerability research uses data from software vendors and the National Vulnerability Database (NVD). We propose an alternative path forward by grounding our analysis in data from the operational information security community, i.e. vulnerability data from "the wild". In this paper, we propose a vulnerability data parsing algorithm and an in-depth univariate and multivariate analysis of the vulnerability arrival and deletion process (also referred to as the vulnerability birth-death process). We find that vulnerability arrivals are best characterized by the log-normal distribution and vulnerability deletions by the exponential distribution. These distributions can serve as prior probabilities for future Bayesian analysis. We also find that over 22% of the vulnerability deletion data have a rate of zero, whereas the vulnerability arrival data are always greater than zero. Finally, we quantify and visualize the dependencies between vulnerability arrivals and deletions through a bivariate scatterplot and statistical observations.
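The following is an added illustration of the birth-death analysis described above; it is not the paper's code or data. It parses a constructed vulnerability log (day a finding first appeared, day it was removed) into per-day arrival and deletion rates, reports the share of zero-rate periods, and fits log-normal and exponential candidates by maximum likelihood, picking between them with AIC (the selection criterion is an assumption, since the abstract does not name one). It also shows why a series with zero-rate periods, like the deletions, cannot take a log-normal fit at all.

```python
"""Birth-death rate analysis on a constructed vulnerability log (not the paper's data)."""
import math
from collections import Counter

# Constructed sample: (first_seen_day, removed_day or None) for 15 findings
# observed over an 8-day window. Days are offsets from the window start.
SAMPLE_VULNS = [(0, 2), (0, None), (0, 5), (1, 1), (2, None), (2, 4), (3, None),
                (4, 4), (4, 6), (4, None), (4, 7), (5, None), (6, 7), (6, None),
                (7, None)]
WINDOW_DAYS = 8

def daily_rates(vulns, window_days):
    """Parse the log into per-day arrival (birth) and deletion (death) counts."""
    births = Counter(first for first, _ in vulns)
    deaths = Counter(last for _, last in vulns if last is not None)
    arrivals = [births.get(d, 0) for d in range(window_days)]
    deletions = [deaths.get(d, 0) for d in range(window_days)]
    return arrivals, deletions

def zero_fraction(rates):
    """Share of periods whose rate is exactly zero."""
    return sum(1 for r in rates if r == 0) / len(rates)

def exponential_loglik(xs):
    """Log-likelihood of the MLE exponential fit (rate = 1/mean); zeros are fine."""
    lam = len(xs) / sum(xs)
    return len(xs) * math.log(lam) - lam * sum(xs)

def lognormal_loglik(xs):
    """Log-likelihood of the MLE log-normal fit; every observation must be > 0."""
    if any(x <= 0 for x in xs):
        raise ValueError("log-normal fit needs strictly positive data")
    logs = [math.log(x) for x in xs]
    mu = sum(logs) / len(logs)
    sigma = math.sqrt(sum((v - mu) ** 2 for v in logs) / len(logs))  # MLE sigma
    if sigma == 0:
        raise ValueError("degenerate data: all observations identical")
    return sum(-v - math.log(sigma) - 0.5 * math.log(2 * math.pi)
               - (v - mu) ** 2 / (2 * sigma ** 2) for v in logs)

def select_model(xs):
    """Return (best_name, scores) using AIC = 2k - 2*loglik. The log-normal
    (k=2) is only a candidate when no period has a zero rate."""
    scores = {"exponential": 2 * 1 - 2 * exponential_loglik(xs)}
    if all(x > 0 for x in xs):
        scores["log-normal"] = 2 * 2 - 2 * lognormal_loglik(xs)
    return min(scores, key=scores.get), scores

if __name__ == "__main__":
    arr, dele = daily_rates(SAMPLE_VULNS, WINDOW_DAYS)
    print("arrivals", arr, select_model(arr)[0])
    print("deletions", dele, "zero fraction", zero_fraction(dele), select_model(dele)[0])
```

On this sample the arrivals (all positive) prefer the log-normal and the deletions, a quarter of which are zero, fall to the exponential, mirroring the abstract's finding.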
