Periodicity in software vulnerability discovery, patching and exploitation

International Journal of Information Security

Abstract

Periodicity in the key processes related to software vulnerabilities needs to be taken into account when assessing security at a given time. Here, we examine actual multi-year field datasets for some of the most widely used software systems (operating systems and Web-related software) for potential annual variations in their vulnerability discovery processes. We also examine weekly periodicity in the patching and exploitation of vulnerabilities. Accurate projections of the vulnerability discovery process are required to allocate optimally the effort needed to develop patches for the vulnerabilities that are discovered. A time series analysis that combines the periodic pattern with longer-term trends allows developers to predict future needs more accurately. We analyze eighteen datasets of software systems for annual seasonality in their vulnerability discovery processes; this analysis shows that there are indeed repetitive annual patterns. Next, datasets from a large number of major organizations that record the results of daily scans are examined for potential weekly periodicity and its statistical significance. The results show a 7-day periodicity in the presence of unpatched vulnerabilities, as well as in the exploitation pattern. The seasonal index approach is used to examine the statistical significance of the observed periodicity, and the autocorrelation function is used to identify the exact period. The results show that periodicity needs to be considered for optimal resource allocation and for the evaluation of security risks.
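The two techniques the abstract names, seasonal indices (with a chi-square check of their significance) and the autocorrelation function to locate the period, applied to a daily count series. This is an added example, not code from the paper; the daily counts, the weekday shape and the trend are constructed here so that the block runs offline.

```python
"""Weekly periodicity check via seasonal indices and the autocorrelation function.
Added example, not code from the paper; the daily counts below are constructed."""
from collections import defaultdict
from statistics import mean

# Constructed sample: 8 weeks of daily counts, Monday first. A business-day
# bump and a slow upward trend are built in so both effects are present.
WEEKLY_SHAPE = [12, 11, 11, 10, 9, 4, 3]          # Mon..Sun
SAMPLE = [WEEKLY_SHAPE[d % 7] + d // 7 for d in range(56)]


def seasonal_indices(series, period):
    """Mean of each phase divided by the overall mean (1.0 = no seasonal effect)."""
    by_phase = defaultdict(list)
    for i, x in enumerate(series):
        by_phase[i % period].append(x)
    overall = mean(series)
    return [mean(by_phase[p]) / overall for p in range(period)]


def chi_square_uniform(series, period):
    """Chi-square statistic against 'phase totals are uniform' (df = period - 1)."""
    totals = [0.0] * period
    for i, x in enumerate(series):
        totals[i % period] += x
    expected = sum(totals) / period
    return sum((t - expected) ** 2 / expected for t in totals)


def autocorrelation(series, lag):
    """Sample ACF at one lag: mean-removed, normalised so that lag 0 gives 1.0."""
    m = mean(series)
    var = sum((x - m) ** 2 for x in series)
    cov = sum((series[i] - m) * (series[i + lag] - m)
              for i in range(len(series) - lag))
    return cov / var


def dominant_period(series, max_lag):
    """Lag in 2..max_lag with the highest ACF, i.e. the period the data repeats at."""
    return max(range(2, max_lag + 1), key=lambda k: autocorrelation(series, k))


if __name__ == "__main__":
    print("seasonal indices Mon..Sun:", [round(s, 2) for s in seasonal_indices(SAMPLE, 7)])
    print("chi-square, df=6:", round(chi_square_uniform(SAMPLE, 7), 1),
          "(the 0.01 critical value is 16.81)")
    print("dominant period from ACF:", dominant_period(SAMPLE, 14))
```

The trend inflates every lag's autocorrelation a little, but the weekly shape still makes lag 7 the clear maximum; on real scan data, detrending before the ACF step makes the peak sharper.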



Corresponding author

Correspondence to HyunChul Joh.


Cite this article

Joh, H., Malaiya, Y.K. Periodicity in software vulnerability discovery, patching and exploitation. Int. J. Inf. Secur. 16, 673–690 (2017). https://doi.org/10.1007/s10207-016-0345-x
