Predicting the Discovery Pattern of Publically Known Exploited Vulnerabilities

Vulnerabilities with publically known exploits typically form 2-7% of all vulnerabilities reported for a given software version. Because known exploited vulnerabilities are so few compared with the total number of vulnerabilities, it is more difficult to model and predict when a vulnerability with a known exploit will be reported. In this paper, we introduce an approach for predicting the discovery pattern of publically known exploited vulnerabilities using all publically known vulnerabilities reported for a given software product. Eight commonly used vulnerability discovery models (VDMs) and one neural network model (NNM) were used to evaluate the prediction capability of our approach. We compared their prediction results with the scenario in which only exploited vulnerabilities were used for prediction. Our results show that, in terms of prediction accuracy, our approach led to more accurate results in seven of the eight software products we analyzed. In only one case was the accuracy of our approach worse, by 1.6%.
