Vulnerability Discovery Modelling With Vulnerability Severity

Web browsers are primary targets of attack because they are used so widely and handle sensitive data. A vulnerability in a web browser can put millions of users at risk, so such vulnerabilities must be addressed to give adequate protection to personally identifiable information. Past research has shown that few vulnerability discovery models (VDMs) characterize the vulnerability discovery process, and none of these models considers severity, one of the most crucial properties of a vulnerability. Vulnerabilities can be categorized into levels by severity, and the discovery process of each level differs from the others. It is therefore essential to incorporate severity when modelling the vulnerability discovery process. This paper proposes a model for quantitatively assessing the vulnerabilities present in software while accounting for their severity. The proposed model can be used to estimate the number of vulnerabilities, the vulnerability discovery rate and the future occurrence of vulnerabilities, and to support risk analysis. Vulnerability data from one of the major web browsers (Google Chrome) is used to examine the goodness-of-fit and predictive capability of the proposed model. Experimental results show that the proposed model estimates these quantities better than existing VDMs.
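The abstract states that the discovery process differs by severity class and that a severity-aware model estimates the total number of vulnerabilities, the discovery rate and future occurrences. The following is an added example, not the paper's model or its code: because the abstract does not give the form of the proposed model, it uses the classic Goel-Okumoto NHPP mean value function m(t) = a(1 - e^{-bt}) as a stand-in VDM, fits it separately to each severity class, and compares that with a single severity-blind fit to the pooled counts. All data are constructed from known parameters and rounded to whole counts so the recovered estimates can be checked; the class labels, parameter values and function names are assumptions for illustration, not figures from the paper.

```python
"""
Illustrative severity-stratified vulnerability discovery fit.

Added example, not the paper's model. The Goel-Okumoto NHPP mean value
function m(t) = a * (1 - exp(-b * t)) is used as a stand-in VDM: a is the
eventual total of vulnerabilities, b the per-period discovery rate.
"""
import math

# Constructed sample data (not real Chrome CVE data): assumed "true"
# parameters per severity class, used to generate monthly cumulative counts.
TRUE_PARAMS = {
    "high": (60.0, 0.15),     # few, found quickly
    "medium": (120.0, 0.08),  # many, found slowly
    "low": (40.0, 0.25),      # few, saturate early
}
MONTHS = list(range(1, 25))


def go_mean(a, b, t):
    """Goel-Okumoto mean value function: expected cumulative discoveries by t."""
    return a * (1.0 - math.exp(-b * t))


def simulate_cumulative(a, b, times):
    """Constructed observations: the model curve rounded to whole counts."""
    return [round(go_mean(a, b, t)) for t in times]


DATA = {sev: simulate_cumulative(a, b, MONTHS) for sev, (a, b) in TRUE_PARAMS.items()}


def _best_a(times, counts, b):
    """For fixed b the least-squares a is linear: a = sum(y*g) / sum(g*g)."""
    g = [1.0 - math.exp(-b * t) for t in times]
    return sum(y * gi for y, gi in zip(counts, g)) / sum(gi * gi for gi in g)


def _rss(times, counts, a, b):
    """Residual sum of squares of the fitted curve against the counts."""
    return sum((y - go_mean(a, b, t)) ** 2 for y, t in zip(counts, times))


def fit_goel_okumoto(times, counts, b_lo=1e-4, b_hi=5.0):
    """Least-squares (a, b, rss): coarse log-grid over b, then golden-section
    refinement of the profiled objective. Pure Python, no numpy needed."""
    def profile(b):
        return _rss(times, counts, _best_a(times, counts, b), b)

    grid = [b_lo * (b_hi / b_lo) ** (i / 199) for i in range(200)]
    k = min(range(200), key=lambda i: profile(grid[i]))
    lo, hi = grid[max(k - 1, 0)], grid[min(k + 1, 199)]
    phi = (math.sqrt(5) - 1) / 2
    x1, x2 = hi - phi * (hi - lo), lo + phi * (hi - lo)
    f1, f2 = profile(x1), profile(x2)
    for _ in range(100):
        if f1 < f2:          # minimum lies in [lo, x2]
            hi, x2, f2 = x2, x1, f1
            x1 = hi - phi * (hi - lo)
            f1 = profile(x1)
        else:                # minimum lies in [x1, hi]
            lo, x1, f1 = x1, x2, f2
            x2 = lo + phi * (hi - lo)
            f2 = profile(x2)
    b = (lo + hi) / 2
    a = _best_a(times, counts, b)
    return a, b, _rss(times, counts, a, b)


def fit_by_severity(data, times):
    """One (a, b, rss) per severity class; the sum of the a's is the total estimate."""
    return {sev: fit_goel_okumoto(times, counts) for sev, counts in data.items()}


def fit_pooled(data, times):
    """Severity-blind fit to the summed counts, for comparison."""
    pooled = [sum(col) for col in zip(*data.values())]
    return fit_goel_okumoto(times, pooled)


def forecast(a, b, t_last, horizon):
    """Expected new discoveries in the next `horizon` periods after t_last."""
    return go_mean(a, b, t_last + horizon) - go_mean(a, b, t_last)


if __name__ == "__main__":
    per_class = fit_by_severity(DATA, MONTHS)
    for sev, (a, b, rss) in per_class.items():
        print(f"{sev:6s} a={a:6.1f} b={b:.3f} rss={rss:5.2f} "
              f"next6={forecast(a, b, MONTHS[-1], 6):4.1f}")
    a, b, rss = fit_pooled(DATA, MONTHS)
    print(f"pooled a={a:6.1f} b={b:.3f} rss={rss:5.2f}  "
          f"sum of class totals={sum(f[0] for f in per_class.values()):.1f}")
```

Running it prints the recovered total and discovery rate per class, a six-month forecast per class, and the pooled fit. The pooled curve has a larger residual sum of squares than the three class-wise fits combined, because a single two-parameter curve cannot follow a mixture of classes discovered at different rates; that mismatch is the practical reason for stratifying the discovery model by severity.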
