Abstract
This paper aims to model the discovery and removal of software vulnerabilities based on queueing theory. The probabilistic characteristics of the arrival and service processes are the core elements of queueing theory; discovering and removing software vulnerabilities correspond to the arrival and service processes of a queueing model, respectively. Vulnerabilities can be classified into groups according to their severity levels as measured by CVSS (Common Vulnerability Scoring System). Groups with higher severity levels are fixed more quickly than groups with lower severity levels. Priority queueing models can therefore be used, and they yield various performance indices: the number of unfixed vulnerabilities at an arbitrary instant and the waiting time before a vulnerability gets fixed. Moreover, the service rate required to keep the number, or the accumulated severity, of unfixed vulnerabilities from exceeding a predetermined level can be estimated.
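The abstract describes the mapping but not the formulas, so the following is an added illustration, not code from the paper: it assumes a non-preemptive M/M/1 priority queue with one class per CVSS severity group (highest severity served first, each class with its own discovery rate lambda_k and removal rate mu_k), computes the per-class waiting time and the mean number of unfixed vulnerabilities via Cobham's formula and Little's law, and then finds by bisection the smallest uniform scaling of the removal rates that keeps the total backlog at or below a chosen level. All rates and class names are constructed.

```python
from dataclasses import dataclass

@dataclass
class SeverityClass:
    """One CVSS severity group; constructed names and rates, not the paper's data."""
    name: str
    arrival: float  # discovery rate lambda_k (vulnerabilities per day)
    service: float  # removal rate mu_k (fixes per day) while class k is being fixed

def priority_queue_metrics(classes):
    """Non-preemptive priority M/M/1 queue, classes listed highest severity first.
    Cobham: Wq_k = W0 / ((1 - sigma_{k-1}) (1 - sigma_k)), W0 = sum lambda_i E[S_i^2] / 2,
    E[S^2] = 2 / mu^2 for exponential service, sigma_k = sum_{i<=k} lambda_i / mu_i.
    Returns {name: (Wq, W, L)} and the total mean number of unfixed vulnerabilities."""
    rhos = [c.arrival / c.service for c in classes]
    if sum(rhos) >= 1.0:
        raise ValueError("unstable: total load >= 1, the backlog grows without bound")
    w0 = sum(c.arrival / c.service ** 2 for c in classes)  # mean residual service time
    metrics, total_l, sigma_prev = {}, 0.0, 0.0
    for c, rho in zip(classes, rhos):
        sigma = sigma_prev + rho
        wq = w0 / ((1 - sigma_prev) * (1 - sigma))  # wait before a fix starts
        w = wq + 1 / c.service                       # wait plus fixing time
        l = c.arrival * w                            # Little's law, L = lambda * W
        metrics[c.name] = (wq, w, l)
        total_l += l
        sigma_prev = sigma
    return metrics, total_l

def scale_service(classes, s):
    """Same classes with every removal rate multiplied by s (more fixing capacity)."""
    return [SeverityClass(c.name, c.arrival, c.service * s) for c in classes]

def min_service_scale(classes, max_unfixed, tol=1e-6):
    """Smallest factor s on all mu_k that keeps the mean number of unfixed
    vulnerabilities <= max_unfixed. Bisection; the total L decreases in s."""
    lo = sum(c.arrival / c.service for c in classes)  # at or below this the queue is unstable
    hi = max(2 * lo, 1.0)
    while priority_queue_metrics(scale_service(classes, hi))[1] > max_unfixed:
        hi *= 2
    while hi - lo > tol:
        mid = (lo + hi) / 2  # always > lo, so the evaluated queue is stable
        if priority_queue_metrics(scale_service(classes, mid))[1] > max_unfixed:
            lo = mid
        else:
            hi = mid
    return hi

# Constructed rates: higher severity is both served first and fixed faster (larger mu).
CLASSES = [SeverityClass("critical", 0.2, 4.0),
           SeverityClass("high", 0.5, 2.5),
           SeverityClass("medium", 1.0, 2.0)]
```

Running `priority_queue_metrics(CLASSES)` gives the per-class waiting times and backlog, and `min_service_scale(CLASSES, 1.0)` the factor by which all fix rates must grow so that, on average, at most one vulnerability is left unfixed.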
Acknowledgments
This research was supported by the Basic Science Research Program through the National Research Foundation of Korea (NRF) funded by the Ministry of Education, Science and Technology (NRF-2011-0025512). This work was supported by the National Research Foundation of Korea Grant funded by the Korean Government (NRF-2013S1A5A2A01017485). This research was supported by the MSIP (Ministry of Science, ICT & Future Planning), Korea, under the “Employment Contract based Master’s Degree Program for Information Security” supervised by the KISA (Korea Internet Security Agency) (H2101-13-1001).
Additional information
This paper is a contribution to the special issue on Mobile Communication Systems, a selected topic from the SDPM, coordinated by Sangyeob Oh, K. Chung and Supratip Ghose.
Cite this article
Lim, DE., Kim, TS. Modeling discovery and removal of security vulnerabilities in software system using priority queueing models. J Comput Virol Hack Tech 10, 109–114 (2014). https://doi.org/10.1007/s11416-014-0205-z