Abstract
Development of secure software has always been a tedious task for the IT industry. The insecurity of software systems can be viewed as two primary problems: vulnerability discovery and patching. Vulnerability discovery modeling develops mathematical models that predict the behavior of vulnerabilities in a software system, and patches are used to fix those vulnerabilities. In this work we propose a new approach to modeling vulnerabilities by categorizing them into two types (direct and indirect) based on how they are fixed, utilizing the vulnerability patching phenomenon with a delay, called lag time, between the discovery of a vulnerability and its fix. A numerical illustration on real-life vulnerability data is provided to validate the proposed model.
© 2019 Springer Nature Singapore Pte Ltd.
About this paper
Cite this paper
Shrivastava, A.K., Sharma, R. (2019). Modeling Vulnerability Discovery and Patching with Fixing Lag. In: Luhach, A., Singh, D., Hsiung, PA., Hawari, K., Lingras, P., Singh, P. (eds) Advanced Informatics for Computing Research. ICAICR 2018. Communications in Computer and Information Science, vol 956. Springer, Singapore. https://doi.org/10.1007/978-981-13-3143-5_47
DOI: https://doi.org/10.1007/978-981-13-3143-5_47
Publisher Name: Springer, Singapore
Print ISBN: 978-981-13-3142-8
Online ISBN: 978-981-13-3143-5
eBook Packages: Computer Science (R0)