论文信息 - Large-scale vulnerability analysis

Large-scale vulnerability analysis

The security level of networks and systems is determined by the software vulnerabilities of its elements. Defending against large scale attacks requires a quantitative understanding of the vulnerability lifecycle. Specifically, one has to understand how exploitation and remediation of vulnerabilities, as well as the distribution of information thereof is handled by industry.In this paper, we examine how vulnerabilities are handled in large-scale, analyzing more than 80,000 security advisories published since 1995. Based on this information, we quantify the performance of the security industry as a whole. We discover trends and discuss their implications. We quantify the gap between exploit and patch availability and provide an analytical representation of our data which lays the foundation for further analysis and risk management.

[1] EschelbeckGerhard. The Laws of Vulnerabilities , 2005 .

[2] Ramayya Krishnan,et al. An Empirical Analysis of Software Vendors' Patching Behavior: Impact of Vulnerability Disclosure , 2006, ICIS.

[3] Shirley M. Radack,et al. National Vulnerability Database: Helping Information Technology System Users and Developers Find Current Information about Cyber Security Vulnerabilities | NIST , 2005 .

[4] S. Radack. The Common Vulnerability Scoring System (CVSS) , 2007 .

[5] Hao Xu,et al. Economic analysis of the market for software vulnerability disclosure , 2004, 37th Annual Hawaii International Conference on System Sciences, 2004. Proceedings of the.

[6] Huseyin Cavusoglu,et al. Emerging Issues in Responsible Vulnerability Disclosure , 2005, WEIS.

[7] A. Arora,et al. Impact of Vulnerability Disclosure and Patch Availability - An Empirical Analysis , 2004 .

[8] Bruce Schneier. The nonsecurity of secrecy , 2004, CACM.

[9] Karthik N. Kannan,et al. An Economic Analysis of Market for Software Vulnerabilities , 2004 .

[10] Ross J. Anderson. Why information security is hard - an economic perspective , 2001, Seventeenth Annual Computer Security Applications Conference.

[11] William A. Arbaugh,et al. IEEE 52 Computer , 1985 .

[12] Steve W. Manzuik,et al. Windows of Vulnerability , 2006 .

[13] Ramayya Krishnan,et al. An Empirical Analysis of Vendor Response to Disclosure Policy , 2005, WEIS.