Modeling Learningless Vulnerability Discovery using a Folded Distribution

A vulnerability discovery model describes the rate at which vulnerabilities are discovered in a software system and predicts its future behavior. It allows IT managers and developers to allocate their resources optimally through the timely development and application of patches, and it allows end-users to assess the security risk in their systems. Recently, researchers have proposed a few vulnerability discovery models. These models rest on different assumptions and therefore differ in their accuracy and prediction capabilities. Among them, the AML model has been found to perform better in many cases in terms of both model fitting and prediction. The AML model assumes that the discovery rate is symmetric. However, it has been noted that there are cases in which the discovery trend is asymmetric. In this paper, we investigate the applicability of a new vulnerability discovery model, called the Folded model, which is based on the folded normal distribution, and compare it with the AML model. Results show that the Folded model generally performs better than the AML model in both model fitting and prediction capability when the learning phase is not present.
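The contrast the abstract draws, a symmetric logistic discovery rate with a learning phase versus a folded-normal rate that can be asymmetric or start at its maximum, as an added illustration that is not the paper's code. It assumes the Folded model takes the form Omega_F(t) = N * F(t; mu, sigma) with F the folded-normal CDF and N the eventual vulnerability total, and the AML model the Alhazmi-Malaiya logistic Omega_AML(t) = B / (B*C*exp(-A*B*t) + 1); all parameter values are constructed.

```python
"""Folded-normal vs AML discovery curves: added illustration, not the paper's code.

Assumed (not given on this page): the Folded model is Omega_F(t) = N * F(t; mu, sigma)
with F the folded-normal CDF and N the eventual vulnerability total; the AML model is the
Alhazmi-Malaiya logistic Omega_AML(t) = B / (B*C*exp(-A*B*t) + 1). Parameters are constructed.
"""
import math

def _phi(z):
    """Standard normal pdf."""
    return math.exp(-0.5 * z * z) / math.sqrt(2.0 * math.pi)

def _Phi(z):
    """Standard normal CDF via erf, so no SciPy is needed."""
    return 0.5 * (1.0 + math.erf(z / math.sqrt(2.0)))

def folded_cumulative(t, n_total, mu, sigma):
    """Cumulative vulnerabilities found by time t under the (assumed) Folded model."""
    if t < 0:
        return 0.0
    return n_total * (_Phi((t - mu) / sigma) + _Phi((t + mu) / sigma) - 1.0)

def folded_rate(t, n_total, mu, sigma):
    """Discovery rate = d/dt folded_cumulative = N * folded-normal pdf."""
    if t < 0:
        return 0.0
    return n_total * (_phi((t - mu) / sigma) + _phi((t + mu) / sigma)) / sigma

def aml_cumulative(t, a, b, c):
    """Cumulative vulnerabilities under the AML logistic model."""
    return b / (b * c * math.exp(-a * b * t) + 1.0)

def aml_rate(t, a, b, c):
    """Logistic discovery rate: dOmega/dt = A * Omega * (B - Omega)."""
    om = aml_cumulative(t, a, b, c)
    return a * om * (b - om)

def aml_peak_time(a, b, c):
    """AML rate peaks when Omega = B/2, i.e. at t = ln(B*C) / (A*B)."""
    return math.log(b * c) / (a * b)

def peak_time(rate, t_max, steps=6000):
    """Argmax of a rate function on [0, t_max] by grid search (fine enough for a check)."""
    return max((k * t_max / steps for k in range(steps + 1)), key=rate)

def rate_asymmetry(rate, t_peak, d):
    """(rate(t_peak-d) - rate(t_peak+d)) / rate(t_peak): exactly 0 for a symmetric curve."""
    return (rate(t_peak - d) - rate(t_peak + d)) / rate(t_peak)
```

With mu = 0 the folded normal becomes the half-normal, whose rate is highest at t = 0: that is the "learningless" shape the AML logistic cannot produce, since its rate always starts low and rises to a peak.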
