Cluster-based vulnerability assessment of operating systems and web browsers

Organizations face the issue of how best to allocate their security resources. Thus, they need an accurate method for assessing how many new vulnerabilities will be reported for the operating systems (OSs) and web browsers they use in a given time period. Our approach consists of clustering vulnerabilities by leveraging the text information within vulnerability records, and then simulating the mean value function of vulnerabilities by relaxing the monotonic intensity function assumption, which is prevalent among the studies that use software reliability models (SRMs) and nonhomogeneous Poisson processes in modeling. We applied our approach to the vulnerabilities of four OSs (Windows, Mac, iOS, and Linux) and four web browsers (Internet Explorer, Safari, Firefox, and Chrome). Out of the total eight OSs and web browsers we analyzed using a power-law model drawn from a family of SRMs, the model was statistically adequate for modeling in six cases. For these cases, in terms of estimation and forecasting capability, our results, compared to a power-law model without clustering, are more accurate in all cases but one.
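As an added illustration (not the paper's code or data), the following fits the power-law NHPP mean value function m(t) = a·t^b, the SRM the abstract refers to, separately to each vulnerability cluster and forecasts the count for the next period. The disclosure times and cluster labels are constructed; treating the clusters as independent processes and summing their fitted mean value functions (a superposition) is my assumption about how clustering relaxes the monotonic-intensity restriction, not the paper's stated method.

```python
import math

# Constructed sample: disclosure times (days since tracking began) for two
# hypothetical vulnerability clusters. Not data from the paper.
CLUSTERS = {
    "memory-safety": [300, 450, 550, 630, 700, 760, 810, 850, 880, 895],
    "logic-auth": [5, 9, 15, 22, 35, 50, 90, 150, 260, 420],
}
WINDOW_END = 900.0  # end of the observation window (0, T], in days


def fit_power_law(times, T):
    """MLE for the power-law (Crow-AMSAA) NHPP with m(t) = a * t**b on (0, T]:
    b_hat = n / sum(ln(T / t_i)),  a_hat = n / T**b_hat.  Note a_hat*T**b_hat == n."""
    n = len(times)
    if n == 0 or any(t <= 0 or t > T for t in times):
        raise ValueError("event times must lie in (0, T]")
    b = n / sum(math.log(T / t) for t in times)
    return n / T ** b, b


def mean_value(a, b, t):
    return a * t ** b                 # expected cumulative count by time t


def intensity(a, b, t):
    return a * b * t ** (b - 1)       # monotone: rising if b > 1, falling if b < 1


def forecast(a, b, T, horizon):
    """Expected number of new vulnerabilities in (T, T + horizon]."""
    return mean_value(a, b, T + horizon) - mean_value(a, b, T)


def fit_all(clusters, T):
    return {name: fit_power_law(times, T) for name, times in clusters.items()}


def superposed_intensity(fits, t):
    # Sum of per-cluster intensities; with mixed b values this need not be monotone.
    return sum(intensity(a, b, t) for a, b in fits.values())


def clustered_forecast(clusters, T, horizon):
    return sum(forecast(a, b, T, horizon) for a, b in fit_all(clusters, T).values())


def unclustered_forecast(clusters, T, horizon):
    pooled = sorted(t for ts in clusters.values() for t in ts)
    return forecast(*fit_power_law(pooled, T), T, horizon)


def is_monotone(values):
    pairs = list(zip(values, values[1:]))
    return all(x <= y for x, y in pairs) or all(x >= y for x, y in pairs)
```

Comparing `clustered_forecast` with `unclustered_forecast` against the counts actually reported in the following period is the kind of estimation/forecasting comparison the abstract describes.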
