Abstract
Security vulnerabilities are a major concern, since a single unpatched vulnerability can permit a security breach. Vulnerability Discovery Modelling (VDM) is a methodical approach that helps developers plan the resource allocation needed to develop patches for problematic software releases, and thus improves the security of the software. Many researchers have proposed discovery models for a specific version of a software product and have discussed the time window between the discovery of a vulnerability and the release of the patch that remedies it. In today's highly competitive market, where every firm follows each release with a successive version, fixing the vulnerabilities associated with the software becomes an even more cumbersome task. Based on the fundamental fact that the versions of a multi-version software system share code, in this chapter of the book we propose a systematic approach for quantifying the number of vulnerabilities discovered. With the aim of predicting and scrutinising these loopholes, the applicability of the approach is examined using vulnerability data from several versions of the Windows and Windows Server operating systems.
Abbreviations
- \(\Omega _{i} (t)\): expected number of vulnerabilities discovered by time t (\(i = 1, 2, 3, \ldots, n\))
- \(F_{i} (t)\): probability distribution function of the vulnerability discovery process (\(i = 1, 2, 3, \ldots, n\))
- \(a_{i}\): total number of vulnerabilities in the software (\(i = 1, 2, 3, \ldots, n\))
- \(b_{i}\): vulnerability detection rate of the software (\(i = 1, 2, 3, \ldots, n\))
- \(\beta_{i}\): learning parameter of the vulnerability discovery process (\(i = 1, 2, 3, \ldots, n\))
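As an added worked example (not code from the chapter, which gives only the notation above), the following Python fits a one-version VDM of this family to a constructed cumulative-count series and reports the expected number of vulnerabilities still undiscovered. The functional form is an assumption: the page does not state the model, so the inflection S-shaped (learning-curve) distribution \(F_i(t) = (1 - e^{-b_i t})/(1 + \beta_i e^{-b_i t})\) with \(\Omega_i(t) = a_i F_i(t)\) is used because it has exactly the parameters \(a_i\), \(b_i\) and \(\beta_i\) defined above. The monthly counts are synthetic, generated from chosen parameter values and rounded, not CVE data for any product, and the fitting routine is a plain grid search so that the example needs no external optimiser.

```python
"""Inflection S-shaped vulnerability discovery model (VDM) fitted to a constructed
cumulative-count series.  Added example, not code from the chapter.  The chapter
gives only the notation (Omega_i(t), F_i(t), a_i, b_i, beta_i); the functional form
below is an ASSUMPTION chosen because it uses exactly those parameters:
    F_i(t)     = (1 - exp(-b_i t)) / (1 + beta_i exp(-b_i t))
    Omega_i(t) = a_i * F_i(t)
"""
import math


def F(t, b, beta):
    """Assumed distribution function F_i(t) of the discovery process for one version.
    beta = 0 reduces to the exponential 1 - exp(-b t); a larger beta lengthens the
    initial 'learning' phase in which few vulnerabilities are found."""
    e = math.exp(-b * t)
    return (1.0 - e) / (1.0 + beta * e)


def omega(t, a, b, beta):
    """Expected cumulative number of vulnerabilities discovered by time t: a_i * F_i(t)."""
    return a * F(t, b, beta)


def fit(ts, ys, b_grid, beta_grid):
    """Least-squares fit of (a, b, beta) to cumulative counts ys observed at times ts.

    For fixed (b, beta) the model is linear in a, so the optimal a is the closed-form
    estimate a = sum(y*F) / sum(F*F); b and beta are searched over the given grids.
    Returns the parameters with the smallest sum of squared errors (sse)."""
    best = None
    for b in b_grid:
        for beta in beta_grid:
            fs = [F(t, b, beta) for t in ts]
            denom = sum(f * f for f in fs)
            if denom == 0:
                continue  # all F values zero (cannot happen for t > 0, b > 0)
            a = sum(y * f for y, f in zip(ys, fs)) / denom
            sse = sum((y - a * f) ** 2 for y, f in zip(ys, fs))
            if best is None or sse < best[0]:
                best = (sse, a, b, beta)
    sse, a, b, beta = best
    return {"a": a, "b": b, "beta": beta, "sse": sse}


# Constructed data (not real CVE counts for any product): 24 monthly cumulative counts
# generated from a_i = 120, b_i = 0.25, beta_i = 4 and rounded to whole vulnerabilities.
TRUE = {"a": 120.0, "b": 0.25, "beta": 4.0}
MONTHS = list(range(1, 25))
COUNTS = [round(omega(t, TRUE["a"], TRUE["b"], TRUE["beta"])) for t in MONTHS]


def fitted():
    """Fit the assumed model to the constructed series over a coarse parameter grid."""
    b_grid = [0.05 * k for k in range(1, 21)]          # 0.05 .. 1.00 per month
    beta_grid = [0.0, 0.5, 1, 2, 3, 4, 5, 6, 8, 10]
    return fit(MONTHS, COUNTS, b_grid, beta_grid)


def remaining(params, t):
    """Vulnerabilities expected to be still undiscovered at time t: a_i - Omega_i(t).
    This is the quantity a release team would use to budget patching effort."""
    return params["a"] - omega(t, params["a"], params["b"], params["beta"])


if __name__ == "__main__":
    p = fitted()
    print("fitted a=%.1f b=%.2f beta=%.1f sse=%.2f" % (p["a"], p["b"], p["beta"], p["sse"]))
    print("expected vulnerabilities remaining after 24 months: %.1f" % remaining(p, 24))
```

Because the counts were generated from the model itself, the grid search recovers the generating values of b and beta exactly and a to within rounding; on real per-version data the fit quality (sse) and the stability of the estimates across successive months are what tell you whether this family of curves is appropriate for that version.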
Copyright information
© 2017 Springer International Publishing AG
About this chapter
Cite this chapter
Anand, A., Das, S., Aggrawal, D., Klochkov, Y. (2017). Vulnerability Discovery Modelling for Software with Multi-versions. In: Ram, M., Davim, J. (eds) Advances in Reliability and System Engineering. Management and Industrial Engineering. Springer, Cham. https://doi.org/10.1007/978-3-319-48875-2_11
DOI: https://doi.org/10.1007/978-3-319-48875-2_11
Publisher Name: Springer, Cham
Print ISBN: 978-3-319-48874-5
Online ISBN: 978-3-319-48875-2
eBook Packages: Engineering (R0)