International Journal of Information Security, Volume 16, Issue 6, pp 673–690

Periodicity in software vulnerability discovery, patching and exploitation

Regular Contribution

Abstract

Periodicity in the key processes related to software vulnerabilities needs to be taken into account when assessing security at a given time. Here, we examine actual multi-year field datasets for some of the most widely used software systems (operating systems and Web-related software) for potential annual variations in their vulnerability discovery processes. We also examine weekly periodicity in the patching and exploitation of vulnerabilities. Accurate projections of the vulnerability discovery process are required to optimally allocate the effort needed to develop patches for the vulnerabilities discovered. A time series analysis that combines the periodic pattern with longer-term trends allows developers to predict future needs more accurately. We analyze eighteen datasets of software systems for annual seasonality in their vulnerability discovery processes. This analysis shows that there are indeed repetitive annual patterns. Next, some of the datasets from a large number of major organizations that record the results of daily scans are examined for potential weekly periodicity and its statistical significance. The results show a 7-day periodicity in the presence of unpatched vulnerabilities, as well as in the exploitation pattern. The seasonal index approach is used to examine the statistical significance of the observed periodicity, and the autocorrelation function is used to identify the exact period. The results show that periodicity needs to be considered for optimal resource allocation and for the evaluation of security risks.
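The abstract names two tools for the weekly analysis: a seasonal index to quantify how far each day of the week departs from trend, and the autocorrelation function to locate the period itself. The following is an added example, not code from the paper or its authors, that runs both over a constructed eight-week series of daily "hosts with unpatched vulnerabilities" counts. The weekday profile, the linear trend, the noise, and the choice of a chi-square goodness-of-fit test on per-weekday totals as the significance check are all assumptions of this example; the abstract does not specify the test used.

```python
"""Added example (not from the paper): weekly periodicity detection on a
constructed daily series, using a ratio-to-moving-average seasonal index,
a chi-square check of the weekday totals, and the autocorrelation function."""
import random

DAYS = ["Mon", "Tue", "Wed", "Thu", "Fri", "Sat", "Sun"]
PERIOD = 7

# Constructed Mon..Sun profile of daily "hosts with unpatched vulnerabilities"
# counts; weekend scans report fewer hosts (an assumption of this example).
WEEK_PROFILE = [120, 135, 140, 138, 130, 80, 70]


def make_series(weeks=8, profile=WEEK_PROFILE, trend_per_day=1.0, noise=5, seed=1):
    """Constructed daily counts: weekly profile + linear trend + small noise."""
    rng = random.Random(seed)
    series = []
    for t in range(weeks * PERIOD):
        base = profile[t % PERIOD] + trend_per_day * t
        series.append(base + rng.randint(-noise, noise))
    return series


def centered_moving_average(x, window=PERIOD):
    """Centered moving average (odd window); None where the window does not fit."""
    half = window // 2
    out = [None] * len(x)
    for t in range(half, len(x) - half):
        out[t] = sum(x[t - half:t + half + 1]) / window
    return out


def seasonal_index(x, period=PERIOD):
    """Ratio-to-moving-average seasonal index, normalised to mean 1.0.
    Values above 1 mark positions in the cycle that sit above the trend."""
    ma = centered_moving_average(x, period)
    ratios = [[] for _ in range(period)]
    for t, m in enumerate(ma):
        if m:
            ratios[t % period].append(x[t] / m)
    raw = [sum(r) / len(r) for r in ratios]
    mean_raw = sum(raw) / period
    return [r / mean_raw for r in raw]


def chi_square_weekday(x, period=PERIOD):
    """Chi-square statistic of per-weekday totals against a flat (no
    periodicity) expectation, df = period - 1. Using this test is an
    assumption of the example, not a method taken from the paper."""
    totals = [0.0] * period
    for t, v in enumerate(x):
        totals[t % period] += v
    expected = sum(totals) / period
    return sum((o - expected) ** 2 / expected for o in totals)


def acf(x, max_lag):
    """Sample autocorrelation, lags 1..max_lag, of the detrended series
    (x minus its centered moving average) so the trend does not mask the cycle."""
    ma = centered_moving_average(x)
    resid = [x[t] - ma[t] for t in range(len(x)) if ma[t] is not None]
    mean = sum(resid) / len(resid)
    dev = [r - mean for r in resid]
    denom = sum(d * d for d in dev)
    result = {}
    for k in range(1, max_lag + 1):
        num = sum(dev[t] * dev[t + k] for t in range(len(dev) - k))
        result[k] = num / denom
    return result


def dominant_lag(x, max_lag=14):
    """Lag with the largest autocorrelation: the estimated period in days."""
    r = acf(x, max_lag)
    return max(r, key=r.get)


def main():
    x = make_series()
    for day, v in zip(DAYS, seasonal_index(x)):
        print(f"{day}: seasonal index {v:.3f}")
    print(f"chi-square = {chi_square_weekday(x):.1f} (df=6, 0.05 critical value 12.592)")
    print(f"dominant autocorrelation lag = {dominant_lag(x)} days")


if __name__ == "__main__":
    main()
```

On the constructed series the weekend indices fall well below 1, the chi-square statistic far exceeds the 0.05 critical value for 6 degrees of freedom (12.592), and the autocorrelation peaks at lag 7; a flat profile passed to `make_series` gives a statistic below that threshold, which is the check a practitioner wants before acting on an apparent weekly cycle in scan data.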

Keywords

Vulnerability, Laws of vulnerabilities, Seasonality, Periodicity, Operating system


Copyright information

© Springer-Verlag Berlin Heidelberg 2016

Authors and Affiliations

  1. Department of Computer Engineering, Kyungil University, Gyeongsan, Korea
  2. Computer Science Department, Colorado State University, Fort Collins, USA
