Cluster-Based Vulnerability Assessment Applied to Operating Systems

Organizations face the issue of how to best allocate their security resources. Thus, they need an accurate method for assessing how many new vulnerabilities will be reported for the operating systems (OSs) they use in a given time period. Our approach consists of clustering vulnerabilities by leveraging the text information within vulnerability records, and then simulating the mean value function of vulnerabilities by relaxing the monotonic intensity function assumption, which is prevalent among the studies that use software reliability models (SRMs) and a nonhomogeneous Poisson process (NHPP) in modeling. We applied our approach to the vulnerabilities of four OSs: Windows, Mac, iOS, and Linux. In terms of both curve fitting and prediction capability, our results for the analyzed OSs are more accurate in every case than those of a power-law model without clustering drawn from a family of SRMs.
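As an added worked example (not code from the paper), the skeleton of the approach the abstract describes: cluster vulnerability records by their text, fit a mean value function per cluster, and compare the summed per-cluster curve against one aggregate fit. The power-law mean value function m(t) = a * t**b stands in for the abstract's power-law baseline; fitting that same model per cluster and summing the fits as a superposition is an assumption made here, not the paper's simulation method. The records, the pure-Python TF-IDF/k-means clustering and the choice k = 2 are constructed for the example.

```python
import math
from collections import Counter

# Constructed sample records (month, description): a steady trickle of
# memory-corruption reports plus an accelerating stream of privilege-escalation
# reports, so the two topics follow different discovery curves.
MEMORY = ["heap buffer overflow in kernel image parser memory corruption",
          "stack buffer overflow in kernel usb driver memory corruption",
          "use after free in kernel bluetooth driver memory corruption"]
PRIV = ["local privilege escalation via weak service permissions",
        "improper access control allows local privilege escalation",
        "authentication bypass allows local privilege escalation"]
MONTHS = 5
RECORDS = []
for t in range(1, MONTHS + 1):
    RECORDS.append((t, MEMORY[t % 3]))      # one memory bug per month -> cumulative t
    for i in range(2 * t - 1):              # 2t-1 per month -> cumulative t**2
        RECORDS.append((t, PRIV[i % 3]))

def tfidf(docs):
    """Sparse TF-IDF vectors (term -> weight) with idf = ln(N / df)."""
    toks = [d.lower().split() for d in docs]
    df = Counter(term for tk in toks for term in set(tk))
    return [{term: c * math.log(len(docs) / df[term]) for term, c in Counter(tk).items()}
            for tk in toks]

def cosine(u, v):
    dot = sum(w * v.get(k, 0.0) for k, w in u.items())
    nu = math.sqrt(sum(w * w for w in u.values()))
    nv = math.sqrt(sum(w * w for w in v.values()))
    return dot / (nu * nv) if nu and nv else 0.0

def centroid(vecs):
    acc = Counter()
    for v in vecs:
        acc.update(v)
    return {k: w / len(vecs) for k, w in acc.items()}

def kmeans(vecs, k, iters=20):
    """Spherical k-means with deterministic farthest-point seeding."""
    centers = [vecs[0]]
    while len(centers) < k:
        sims = [max(cosine(v, c) for c in centers) for v in vecs]
        centers.append(vecs[sims.index(min(sims))])
    labels = [-1] * len(vecs)
    for _ in range(iters):
        new = [max(range(k), key=lambda j: cosine(v, centers[j])) for v in vecs]
        if new == labels:
            break
        labels = new
        for j in range(k):
            members = [v for v, l in zip(vecs, labels) if l == j]
            if members:                     # keep the old center for an empty cluster
                centers[j] = centroid(members)
    return labels

def cumulative(months, horizon):
    """Cumulative number of records reported by the end of each month 1..horizon."""
    counts, out, total = Counter(months), [], 0
    for t in range(1, horizon + 1):
        total += counts[t]
        out.append(total)
    return out

def fit_power_law(cum):
    """Least-squares fit of m(t) = a * t**b in log-log space; returns (a, b)."""
    pts = [(math.log(t), math.log(m)) for t, m in enumerate(cum, start=1) if m > 0]
    if len(pts) < 2:                        # too few points: constant fit, b = 0
        return (float(cum[-1]), 0.0)
    mx = sum(x for x, _ in pts) / len(pts)
    my = sum(y for _, y in pts) / len(pts)
    b = sum((x - mx) * (y - my) for x, y in pts) / sum((x - mx) ** 2 for x, _ in pts)
    return math.exp(my - b * mx), b

def rmse(pred, obs):
    return math.sqrt(sum((p - o) ** 2 for p, o in zip(pred, obs)) / len(obs))

def compare(records, k=2, horizon=MONTHS):
    """RMSE of one aggregate power-law fit vs. the sum of per-cluster fits."""
    months = [t for t, _ in records]
    total = cumulative(months, horizon)
    a, b = fit_power_law(total)
    single = [a * t ** b for t in range(1, horizon + 1)]
    labels = kmeans(tfidf([d for _, d in records]), k)
    fits, summed = [], [0.0] * horizon
    for j in range(k):
        members = [t for t, l in zip(months, labels) if l == j]
        a_j, b_j = fit_power_law(cumulative(members, horizon))
        fits.append((a_j, b_j))
        for i in range(horizon):
            summed[i] += a_j * (i + 1) ** b_j   # superposition of the cluster processes
    return {"single_rmse": rmse(single, total), "cluster_rmse": rmse(summed, total),
            "fits": fits, "labels": labels}

if __name__ == "__main__":
    r = compare(RECORDS)
    print("aggregate power-law RMSE:", round(r["single_rmse"], 3))
    print("summed per-cluster RMSE:", round(r["cluster_rmse"], 3))
```

On real vulnerability records the in-sample RMSE alone favours whichever model has more parameters; to assess prediction capability, as the abstract does, hold out the final months, fit on the earlier ones, and compute the RMSE on the held-out cumulative counts.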
