
Vulnerability severity prediction and risk metric modeling for software

Abstract

As more users suffer serious security threats from software vulnerabilities, software security becomes increasingly important. Vulnerability prediction and risk evaluation are two of the most pressing issues in software security management. In this paper, we propose a prediction model for software vulnerability in which the probability and the severity of vulnerability occurrence are determined by the logistic function and the binomial distribution, respectively. Using the parameters obtained by prediction, we develop a new risk metric model. We provide several metrics, including mean time to vulnerability, local risk rate, mean risk rate, and overall risk value, from the viewpoints of time and probability. Experiments were conducted on real software vulnerability datasets. The results show that the prediction is effective and the evaluation is easy to operate. Our work has several features: (1) users can predict the future vulnerability state, in particular vulnerability severity; (2) unlike traditional evaluation methods based on expert scoring, our evaluation model is based on prediction and uses historical vulnerability data; and (3) the risk metric value can be used in risk assessment, security rating, and patch management.
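The abstract describes the two ingredients of the model (a logistic function for the probability of vulnerability occurrence and a binomial distribution for severity) and the risk figures derived from the fitted parameters, but not their exact definitions. The following is an added illustration written for this page, not the authors' code: it assumes the Alhazmi-Malaiya logistic form for the cumulative discovery curve, fits it to a constructed monthly history by least-squares grid search, models severity levels 0..K as Binomial(K, p) with p estimated from observed levels, and then computes a mean time to vulnerability, an expected count and probability of occurrence for a time window, and a risk value as expected count times expected severity. Every function name, the metric definitions and the sample data are assumptions of this example.

```python
"""Added illustration, not the paper's own code: a logistic vulnerability-discovery
curve fitted to historical cumulative counts, a binomial model of severity levels,
and a few derived risk figures.  The metric definitions below are assumptions made
for this example, not the paper's definitions."""
import math
from itertools import product

# Assumed model (Alhazmi-Malaiya logistic form):
#   Omega(t) = B / (B*C*exp(-A*B*t) + 1)
# B = total vulnerabilities expected over the product's life, A and C = shape
# parameters, t = months since release.
def omega(t, A, B, C):
    return B / (B * C * math.exp(-A * B * t) + 1.0)

def discovery_rate(t, A, B, C):
    """dOmega/dt = A * Omega * (B - Omega): expected discoveries per month at t."""
    w = omega(t, A, B, C)
    return A * w * (B - w)

def fit_logistic(months, cumulative, grid_A, grid_B, grid_C):
    """Least-squares fit by exhaustive grid search (no SciPy needed).
    Returns the (A, B, C) triple with the smallest sum of squared residuals."""
    best, best_sse = None, float("inf")
    for A, B, C in product(grid_A, grid_B, grid_C):
        sse = sum((omega(t, A, B, C) - y) ** 2 for t, y in zip(months, cumulative))
        if sse < best_sse:
            best, best_sse = (A, B, C), sse
    return best

# Severity: assumed Binomial(K, p) over K+1 ordered levels 0..K (e.g. none..critical).
def binomial_pmf(k, n, p):
    return math.comb(n, k) * p ** k * (1.0 - p) ** (n - k)

def fit_severity_p(levels, K):
    """Maximum-likelihood p for Binomial(K, p) from observed levels in 0..K."""
    return sum(levels) / (len(levels) * K)

def expected_severity(p, K):
    return K * p

# Risk figures derived from the fitted parameters (definitions assumed here).
def mean_time_to_vulnerability(t, A, B, C):
    """Assumption: MTTV at time t is the reciprocal of the current discovery rate."""
    return 1.0 / discovery_rate(t, A, B, C)

def window_risk(t, horizon, A, B, C, p, K):
    """Expected new vulnerabilities in [t, t+horizon], the probability of at least
    one (assuming Poisson arrivals with that mean), and a risk value defined here
    as expected count times expected severity level."""
    lam = omega(t + horizon, A, B, C) - omega(t, A, B, C)
    prob_any = 1.0 - math.exp(-lam)
    return {"expected_count": lam, "prob_any": prob_any,
            "risk_value": lam * expected_severity(p, K)}

# Constructed sample history (not real data): 25 monthly cumulative counts generated
# from a hidden parameter set, and 10 observed severity levels on a 0..4 scale.
TRUE_A, TRUE_B, TRUE_C = 0.004, 40, 0.5
MONTHS = list(range(25))
CUMULATIVE = [omega(t, TRUE_A, TRUE_B, TRUE_C) for t in MONTHS]
SEVERITY_LEVELS = [1, 2, 2, 3, 1, 2, 3, 4, 2, 1]
K = 4

# Search grids; in practice these would bracket values seen for similar products.
GRID_A = [0.002, 0.003, 0.004, 0.005, 0.006]
GRID_B = [30, 35, 40, 45, 50]
GRID_C = [0.1, 0.25, 0.5, 1.0, 2.0]

def run_example():
    """Fit both sub-models to the constructed history and evaluate the risk figures
    at the last observed month for a one-month horizon."""
    A, B, C = fit_logistic(MONTHS, CUMULATIVE, GRID_A, GRID_B, GRID_C)
    p = fit_severity_p(SEVERITY_LEVELS, K)
    t_now = MONTHS[-1]
    return {"params": (A, B, C), "p": p,
            "mttv_months": mean_time_to_vulnerability(t_now, A, B, C),
            "next_month": window_risk(t_now, 1, A, B, C, p, K)}

if __name__ == "__main__":
    for key, value in run_example().items():
        print(key, value)
```

Because the constructed history is generated from parameters that lie on the search grid, the fit recovers them exactly; with real counts the residual would be non-zero and a finer grid or a proper optimiser would replace the exhaustive search. The severity and risk definitions are placeholders that show how predicted parameters feed a metric; they are not the paper's formulas.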



Acknowledgments

This work was supported by the Natural Science Foundation of Anhui Province under Grant number 1608085MF141; the Fundamental Research Funds for the Central Universities under Grant number J2014HGBZ0131; and the Humanity and Social Science Key Foundation of Anhui Province under Grant number SK2015A578.

Author information


Correspondence to Xiaoling Zhu.

About this article

Cite this article

Zhu, X., Cao, C. & Zhang, J. Vulnerability severity prediction and risk metric modeling for software. Appl Intell 47, 828–836 (2017). https://doi.org/10.1007/s10489-017-0925-0


Keywords

  • Software vulnerability
  • Vulnerability severity
  • Prediction model
  • Risk metric