The Vulnerability Ecosystem: Exploring vulnerability discovery and the resulting cyberattacks through agent-based modelling

Software vulnerabilities are a major enabler of cyberattacks and are therefore responsible for a sizeable portion of the risk that large organisations face in cyberspace. Little research has been done on the dynamics underlying this risk. The goal of this paper is to find out how organisations and software vendors can influence the overall level of risk resulting from vulnerabilities. An agent-based model is developed to capture the behaviour and complexity of the vulnerability ecosystem. Somewhat counterintuitively, the model shows that it is not so much the number of vulnerabilities as the diffusion of knowledge about them that strongly influences the resulting attacks. Instead of trying to fix all vulnerabilities, focussing patching efforts on the vulnerabilities that are actually being exploited can significantly reduce an organisation's risk. The model further shows that organisations should improve their own efforts to deploy patches more quickly, to narrow the window of vulnerability.
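The three effects the abstract reports can be reproduced in a deliberately small agent model of a single organisation. The code below is an added illustration, not the paper's model; the vulnerability timings in SAMPLE, the `fix_all` / `prioritise` strategy names and the exposure metric (the number of tick/vulnerability pairs in which an exploited vulnerability is still unpatched, i.e. the summed window of vulnerability) are assumptions made for this example.

```python
"""Toy agent model of one organisation's exposure to exploited vulnerabilities.
Added illustration, not the paper's model; all timings below are constructed."""
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass(frozen=True)
class Vuln:
    patch_at: int              # tick at which the vendor releases a patch
    exploit_at: Optional[int]  # tick at which attacker knowledge has diffused
                               # enough for exploitation; None = never (in horizon)


def exposure(vulns: Dict[str, Vuln], deploy_lag: int, capacity: int,
             strategy: str, ticks: int) -> int:
    """Organisation deploys at most `capacity` patches per tick, each no earlier
    than `deploy_lag` ticks after release, picking them in release order
    ("fix_all") or exploited-first ("prioritise"). Returns summed exposure."""
    deployed, total = set(), 0
    for t in range(ticks):
        exploited = {n for n, v in vulns.items()
                     if v.exploit_at is not None and t >= v.exploit_at}
        eligible = [n for n, v in vulns.items()
                    if n not in deployed and t >= v.patch_at + deploy_lag]
        if strategy == "prioritise":   # exploited first, then release order, then name
            eligible.sort(key=lambda n: (n not in exploited, vulns[n].patch_at, n))
        elif strategy == "fix_all":    # release order only, ignoring exploitation
            eligible.sort(key=lambda n: (vulns[n].patch_at, n))
        else:
            raise ValueError(f"unknown strategy {strategy!r}")
        deployed.update(eligible[:capacity])
        total += len(exploited - deployed)   # windows still open this tick
    return total


def delay_diffusion(vulns: Dict[str, Vuln], delay: int) -> Dict[str, Vuln]:
    """Same vulnerabilities, but attacker knowledge diffuses `delay` ticks later."""
    return {n: Vuln(v.patch_at, None if v.exploit_at is None else v.exploit_at + delay)
            for n, v in vulns.items()}


# Constructed sample: four vulnerabilities, all patched by the vendor at tick 0.
SAMPLE = {"A": Vuln(0, 6), "B": Vuln(0, 0), "C": Vuln(0, 1), "D": Vuln(0, None)}

if __name__ == "__main__":
    for lag in (0, 2):
        for strategy in ("fix_all", "prioritise"):
            print(f"deploy_lag={lag} {strategy}: {exposure(SAMPLE, lag, 1, strategy, 8)}")
    print("slower diffusion:", exposure(delay_diffusion(SAMPLE, 3), 2, 1, "fix_all", 8))
```

With one patch per tick, prioritising exploited vulnerabilities and shortening the deployment lag each cut the exposure, while delaying attacker knowledge by three ticks removes it entirely for the same four vulnerabilities.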
