Skip to main content
View expanded cover

International Conference on Detection of Intrusions and Malware, and Vulnerability Assessment

DIMVA 2021: Detection of Intrusions and Malware, and Vulnerability Assessment pp 215–236Cite as

Find My Sloths: Automated Comparative Analysis of How Real Enterprise Computers Keep Up with the Software Update Races

  • 639 Accesses

Part of the Lecture Notes in Computer Science book series (LNSC,volume 12756)

Abstract

A software update is a critical but complicated part of software security. Its delay poses risks due to vulnerabilities and defects of software. Despite the high demand to shorten the update lag and keep the software up-to-date, software updates involve factors such as human behavior, program configurations, and system policies, adding variety in the updates of software. Investigating these factors in a real environment poses significant challenges such as the knowledge of software release schedules from the software vendors and the deployment times of programs in each user’s machine. Obtaining software release plans requires information from vendors which is not typically available to public. On the users’ side, tracking each software’s exact update installation is required to determine the accurate update delay. Currently, a scalable and systematic approach is missing to analyze these two sides’ views of a comprehensive set of software. We performed a long term system-wide study of update behavior for all software running in an enterprise by translating the operating system logs from enterprise machines into graphs of binary executable updates showing their complex, and individualized updates in the environment. Our comparative analysis locates risky machines and software with belated or dormant updates falling behind others within an enterprise without relying on any third-party or domain knowledge, providing new observations and opportunities for improvement of software updates. Our evaluation analyzes real data from 113,675 unique programs used by 774 computers over 3 years.

This is a preview of subscription content, access via your institution.

Chapter
USD   29.95
Price excludes VAT (USA)
  • DOI: 10.1007/978-3-030-80825-9_11
  • Chapter length: 22 pages
  • Instant PDF download
  • Readable on all devices
  • Own it forever
  • Exclusive offer for individuals only
  • Tax calculation will be finalised during checkout
eBook
USD   59.99
Price excludes VAT (USA)
  • ISBN: 978-3-030-80825-9
  • Instant PDF download
  • Readable on all devices
  • Own it forever
  • Exclusive offer for individuals only
  • Tax calculation will be finalised during checkout
Softcover Book
USD   79.99
Price excludes VAT (USA)
Learn about institutional subscriptions
Fig. 1.
Fig. 2.
Fig. 3.
Fig. 4.
Fig. 5.
Fig. 6.
Fig. 7.
Fig. 8.
Fig. 9.
Fig. 10.
Fig. 11.

Notes

  1. 1.

    FMS is an acronym of Find My Sloths, which refer to enterprise applications showing undesirable delayed update behavior.

  2. 2.

    This version number 64.0 is presented only for an illustration purpose. A lineage graph is constructed using binary hashes and their appearance orders without using the software’s specific version numbers, which may not always available or accurate.

References

  1. APT (Advanced Package Tool). https://ubuntu.com/server/docs/package-management. Accessed 14 May 2021

  2. Homebrew. https://brew.sh/. Accessed 14 May 2021

  3. Linux Audit. https://people.redhat.com/sgrubb/audit/. Accessed 14 May 2021

  4. National Software Reference Library. https://www.nist.gov/software-quality-group/national-software-reference-library-nsrl. Accessed 14 May 2021

  5. Top 50 Vendors by Total Number of “Distinct” Vulnerabilities. https://www.cvedetails.com/top-50-vendors.php. Accessed 14 May 2021

  6. What Are Security Patches and Why Are They Important? https://www.idtheftcenter.org/Cybersecurity/what-are-security -patches-and-why-are-they-important.html. Accessed 20 May 2018

  7. Why Software Updates Are So Important. https://securingtomorrow.mcafee.com/consumer/consumer-threat-notices/software-updates-important/. Accessed 14 May 2021

  8. Yum. http://yum.baseurl.org/. Accessed 14 May 2021

  9. Abu Odeh, M., Adkins, C., Setayeshfar, O., Doshi, P., Lee, K.H.: A novel AI-based methodology for identifying cyber attacks in honey pots. In: IAAI (2021)

    Google Scholar 

  10. Aditya, K., Grzonkowski, S., Le-Khac, N.A.: Riskwriter: predicting cyber risk of an enterprise. In: ICISSP (2018)

    Google Scholar 

  11. Ahmad, A., Saad, M., Bassiouni, M., Mohaisen, A.: Towards blockchain-driven, secure and transparent audit logs. CoRR (2018)

    Google Scholar 

  12. Apple: iTunes store. https://itunes.apple.com/us/. Accessed 14 Nov 2018

  13. Bilge, L., Han, Y., Dell’Amico, M.: Riskteller: predicting the risk of cyber incidents. In: CCS (2017)

    Google Scholar 

  14. Corley, C.S., Kraft, N.A., Etzkorn, L.H., Lukins, S.K.: Recovering traceability links between source code and fixed bugs via patch analysis. In: TEFSE (2011)

    Google Scholar 

  15. Corporation, T.M.: Common vulnerabilities and exposures (cve®). https://cve.mitre.org/. Accessed 13 June 2019

  16. Du, M., Li, F., Zheng, G., Srikumar, V.: DeepLog: anomaly detection and diagnosis from system logs through deep learning. In: CCS (2017)

    Google Scholar 

  17. Duebendorfer, T., Frei, S.: Web browser security update effectiveness. In: CRITIS (2009)

    Google Scholar 

  18. Duebendorfer, T., Frei, S.: Why silent updates boost security. TIK (2009)

    Google Scholar 

  19. Gentoo Foundation, I.: Portage. https://wiki.gentoo.org/wiki/Handbook:X86/Working/Portage. Accessed 14 May 2021

  20. Gkantsidis, C., Karagiannis, T., VojnoviC, M.: Planet scale software updates. In: CCR (2006)

    Google Scholar 

  21. Han, X., et al.: SIGL: securing software installations through deep graph learning. arXiv (2020)

    Google Scholar 

  22. Kang, C., Park, N., Prakash, B.A., Serra, E., Subrahmanian, V.: Ensemble models for data-driven prediction of malware infections. In: WSDM (2016)

    Google Scholar 

  23. Kotzias, P., Bilge, L., Vervier, P.A., Caballero, J.: Mind your own business: a longitudinal study of threats and vulnerabilities in enterprises (2019)

    Google Scholar 

  24. Lee, K.H., Zhang, X., Xu, D.: High accuracy attack provenance via binary-based execution partition. In: NDSS (2013)

    Google Scholar 

  25. Li, F., Paxson, V.: A large-scale empirical study of security patches. In: CCS (2017)

    Google Scholar 

  26. Liu, Y., et al.: Cloudy with a chance of breach: forecasting cyber security incidents. In: USENIX Security (2015)

    Google Scholar 

  27. Mathur, A., Engel, J., Sobti, S., Chang, V., Chetty, M.: “They keep coming back like zombies”: improving software updating interfaces. In: SOUPS (2016)

    Google Scholar 

  28. Meneely, A., Srinivasan, H., Musa, A., Tejeda, A.R., Mokary, M., Spates, B.: When a patch goes bad: exploring the properties of vulnerability-contributing commits. In: ESEM (2013)

    Google Scholar 

  29. Microsoft: About Event Tracing. https://docs.microsoft.com/en-us/windows/win32/etw/about-event-tracing. Accessed 14 May 2021

  30. Microsoft: Assemblies in .NET. https://docs.microsoft.com/en-us/dotnet/standard/assembly/#assembly-manifest. Accessed 14 May 2021

  31. Microsoft: Assembly Manifest. https://docs.microsoft.com/en-us/dotnet/standard/assembly/manifest. Accessed 14 May 2021

  32. Microsoft: Microsoft Store. https://www.microsoft.com/en-us/store/b/home. Accessed 14 May 2021

  33. Nappa, A., Johnson, R., Bilge, L., Caballero, J., Dumitras, T.: The attack of the clones: a study of the impact of shared code on vulnerability patching. In: S&P (2015)

    Google Scholar 

  34. Okutan, A., Yang, S.J.: ASSERT: attack synthesis and separation with entropy redistribution towards predictive cyber defense. Cybersecurity 2, 1–8 (2019)

    CrossRef  Google Scholar 

  35. Ovelgönne, M., Dumitraş, T., Prakash, B.A., Subrahmanian, V., Wang, B.: Understanding the relationship between human behavior and susceptibility to cyber attacks: a data-driven approach. TIST 8, 1–25 (2017)

    CrossRef  Google Scholar 

  36. Perl, H., et al.: VCCfinder: finding potential vulnerabilities in open-source projects to assist code audits. In: CCS (2015)

    Google Scholar 

  37. Redmiles, E.M., Mazurek, M.L., Dickerson, J.P.: Dancing pigs or externalities?: measuring the rationality of security decisions. In: EC (2018)

    Google Scholar 

  38. RPM: RPM package manager. https://rpm.org/. Accessed 14 May 2021

  39. Sharif, M., Urakawa, J., Christin, N., Kubota, A., Yamada, A.: Predicting impending exposure to malicious content from user behavior. In: CCS (2018)

    Google Scholar 

  40. Shen, Y., Mariconti, E., Vervier, P.A., Stringhini, G.: Tiresias: predicting security events through deep learning. In: CCS (2018)

    Google Scholar 

  41. Shrivastava, G., Kumar, P.: SensDroid: analysis for malicious activity risk of android application. MTA 78(24), 35713–35731 (2019)

    Google Scholar 

  42. SUSE: Zypper. https://en.opensuse.org/Portal:Zypper. Accessed 14 May 2021

  43. Symantec: Internet security threat report 2017. https://www.symantec.com/content/dam/symantec/docs/reports/gistr22-government-report.pdf

  44. Team, P.D.: Pacman. https://www.archlinux.org/pacman/. Accessed 14 May 2021

  45. Verizon: 2015 data breach investigations report. https://iapp.org/media/pdf/resource_center/Verizon_data-breach-investigation-report-2015.pdf. Accessed 14 May 2021

  46. Verizon: 2017 data breach investigations report. https://www.ictsecuritymagazine.com/wp-content/uploads/2017-Data-Breach-Investigations-Report.pdf. Accessed 14 May 2021

  47. VirusTotal. https://www.virustotal.com. Accessed 14 May 2021

  48. Wash, R., Rader, E., Vaniea, K., Rizor, M.: Out of the loop: how automated software updates cause unintended security consequences. In: SOUPS (2014)

    Google Scholar 

  49. Xiao, C., Sarabi, A., Liu, Y., Li, B., Liu, M., Dumitras, T.: From patching delays to infection symptoms: using risk profiles for an early discovery of vulnerabilities exploited in the wild. In: USENIX Security (2018)

    Google Scholar 

  50. Xiao, J., Chen, S., He, Q., Feng, Z., Xue, X.: An android application risk evaluation framework based on minimum permission set identification. JSS 163, 110533 (2020)

    Google Scholar 

Download references

Acknowledgment

We thank the anonymous reviewers and our shepherd, Juan Caballero, for their helpful feedback. This material is supported, in part, by the National Science Foundation, under grant No. OAC-1909856 and SaTC-1909856. Any opinions, findings, and conclusions, or recommendations expressed in this material are those of the authors and do not necessarily reflect the views of the NSF.

Author information

Authors and Affiliations

  1. University of Georgia, Athens, GA, 30605, USA

    Omid Setayeshfar & Kyu Hyung Lee

  2. University of Central Oklahoma, Edmond, OK, 73034, USA

    Junghwan “John” Rhee

  3. University of Texas at Dallas, Richardson, TX, 75080, USA

    Chung Hwan Kim

Authors
  1. Omid Setayeshfar
    View author publications

    You can also search for this author in PubMed Google Scholar

  2. Junghwan “John” Rhee
    View author publications

    You can also search for this author in PubMed Google Scholar

  3. Chung Hwan Kim
    View author publications

    You can also search for this author in PubMed Google Scholar

  4. Kyu Hyung Lee
    View author publications

    You can also search for this author in PubMed Google Scholar

Corresponding author

Correspondence to Junghwan “John” Rhee .

Editor information

Editors and Affiliations

  1. NortonLifeLock Research Group, Biot, France

    Leyla Bilge

  2. King's College London, London, UK

    Lorenzo Cavallaro

  3. CISPA Helmholtz Center for Information Security, Saarbrücken, Germany

    Giancarlo Pellegrino

  4. University of Lisbon, Lisbon, Portugal

    Nuno Neves

Rights and permissions

Reprints and Permissions

Copyright information

© 2021 Springer Nature Switzerland AG

About this paper

Verify currency and authenticity via CrossMark

Cite this paper

Setayeshfar, O., Rhee, J.“., Kim, C.H., Lee, K.H. (2021). Find My Sloths: Automated Comparative Analysis of How Real Enterprise Computers Keep Up with the Software Update Races. In: Bilge, L., Cavallaro, L., Pellegrino, G., Neves, N. (eds) Detection of Intrusions and Malware, and Vulnerability Assessment. DIMVA 2021. Lecture Notes in Computer Science(), vol 12756. Springer, Cham. https://doi.org/10.1007/978-3-030-80825-9_11

Download citation

  • DOI: https://doi.org/10.1007/978-3-030-80825-9_11

  • Published:

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-030-80824-2

  • Online ISBN: 978-3-030-80825-9

  • eBook Packages: Computer ScienceComputer Science (R0)