
Modeling Vulnerability Discovery and Patching with Fixing Lag

  • Conference paper
Advanced Informatics for Computing Research (ICAICR 2018)

Part of the book series: Communications in Computer and Information Science ((CCIS,volume 956))

Abstract

Developing secure software has always been a tedious task for the IT industry. The insecurity of software systems can be viewed as two primary problems: vulnerability discovery and patching. Vulnerability discovery modeling develops mathematical models that predict the behavior of vulnerabilities in a software system, and patches are used to fix the discovered vulnerabilities. In this work we propose a new approach to modeling vulnerabilities by categorizing them into two types, direct and indirect, based on how they are fixed, and by incorporating the delay between discovery and patching, called the lag time, into the vulnerability patching process. A numerical illustration on real-life vulnerability data is provided to validate the proposed model.



Author information

Corresponding author

Correspondence to A. K. Shrivastava .


Copyright information

© 2019 Springer Nature Singapore Pte Ltd.

About this paper

Cite this paper

Shrivastava, A.K., Sharma, R. (2019). Modeling Vulnerability Discovery and Patching with Fixing Lag. In: Luhach, A., Singh, D., Hsiung, PA., Hawari, K., Lingras, P., Singh, P. (eds) Advanced Informatics for Computing Research. ICAICR 2018. Communications in Computer and Information Science, vol 956. Springer, Singapore. https://doi.org/10.1007/978-981-13-3143-5_47

  • DOI: https://doi.org/10.1007/978-981-13-3143-5_47

  • Publisher Name: Springer, Singapore

  • Print ISBN: 978-981-13-3142-8

  • Online ISBN: 978-981-13-3143-5

  • eBook Packages: Computer Science (R0)
