Time series modeling of vulnerabilities

Vulnerability prediction models forecast future vulnerabilities and can be used to assess security risks and estimate the resources needed for handling potential security breaches. Although several vulnerability prediction models have been proposed, such models have shortcomings and do not consider the trend, level, and seasonality components of vulnerabilities. Through time series analysis, this study built predictive models for five popular web browsers (Chrome, Firefox, Internet Explorer, Safari and Opera) and for all reported vulnerabilities elsewhere. Results showed that time series models provide a good fit to our vulnerability datasets and can be useful for vulnerability prediction. Results also suggested that the level of the series is the best estimator of the prediction models.
