Abstract
Mathematical modeling and accurate representation of malware spread in a network is difficult because several of the features that form the basis of such spread are not well understood. Over the years, models have been used to analyze and predict the behavior of epidemic spread in networks in order to understand the process better. The aim of this paper is to understand the process by which vulnerabilities emerge and its relationship with a network epidemic. Eighteen years of vulnerability emergence data are used in this work; the data include the total count of vulnerabilities emerging every month. The pattern reveals several important characteristics of the process, including frequency peaks at seasonal locations. A steady state distribution of the process is defined. The transition of a vulnerability into an exploit is characterized. Finally, an interface between this vulnerability model and epidemic models is established through a description of the relationship between the epidemic force of infection and types of vulnerabilities. The paper concludes with several results that can be useful in attempts to better approximate the spread of malware in networks.
Cite this article
Haldar, K., Mishra, B.K. Mathematical model on vulnerability characterization and its impact on network epidemics. Int J Syst Assur Eng Manag 8, 378–392 (2017). https://doi.org/10.1007/s13198-016-0441-3
DOI: https://doi.org/10.1007/s13198-016-0441-3