Cluster-based vulnerability assessment of operating systems and web browsers

Movahedi, Yazdan; Cukier, Michel; Andongabo, Ambrose; Gashi, Ilir

doi:10.1007/s00607-018-0663-0

Cited by 10 publications

(11 citation statements)

References 30 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…While a number of studies utilize vulnerability data associated with separate version of software (e.g. Windows 7) on which to apply VDMs [20], [28], there are papers that consider all versions of a software together [23], [32]. The first group expects that each version of a given software is an independent and all around characterized item, yet distinguishing the sources of reliance in vulnerability data is not a simple task.…”

Section: Discussion and Limitationsmentioning

confidence: 99%

“…Allodi [31] demonstrated that discovered vulnerabilities may pursue a Power-law distribution. The model utilized in this paper was applied on vulnerability data as a VDM in [32], [33]. The main assumption of this model is that the number of discovered vulnerabilities pursues a nonhomogeneous Poisson process.…”

Section: Related Workmentioning

confidence: 99%

“…We leveraged the vulnerability CVE IDs to compare the reporting date of each vulnerability in NVD with the dates in other public repositories on vulnerabilities 1 . We updated the reporting dates to the earliest date that a given vulnerability was publically known in any of the vulnerability databases used [33]. To obtain exploited vulnerability data, we used Exploit Database (EDB) 2 .…”

Section: Dataset Usedmentioning

confidence: 99%

See 2 more Smart Citations

Predicting the Discovery Pattern of Publically Known Exploited Vulnerabilities

Movahedi

Cukier

Gashi

2021

IEEE Trans. Dependable and Secure Comput.

Self Cite

View full text Add to dashboard Cite

Vulnerabilities with publically known exploits typically form 2-7% of all vulnerabilities reported for a given software version. With a smaller number of known exploited vulnerabilities compared with the total number of vulnerabilities, it is more difficult to model and predict when a vulnerability with a known exploit will be reported. In this paper, we introduce an approach for predicting the discovery pattern of publically known exploited vulnerabilities using all publically known vulnerabilities reported for a given software. Eight commonly used vulnerability discovery models (VDMs) and one neural network model (NNM) were utilized to evaluate the prediction capability of our approach. We compared their predictions results with the scenario when only exploited vulnerabilities were used for prediction. Our results show that, in terms of prediction accuracy, out of eight software we analyzed, our approach led to more accurate results in seven cases. Only in one case, the accuracy of our approach was worse by 1.6%.

show abstract

Section: Discussion and Limitationsmentioning

confidence: 99%

Section: Related Workmentioning

confidence: 99%

Section: Dataset Usedmentioning

confidence: 99%

See 1 more Smart Citation

Predicting the Discovery Pattern of Publically Known Exploited Vulnerabilities

Movahedi

Cukier

Gashi

2021

IEEE Trans. Dependable and Secure Comput.

Self Cite

View full text Add to dashboard Cite

show abstract

“…Several studies applied existing VDMs or a modified versions of them to different types of software packages, such as OSs and web servers, to simulate the vulnerability discovery rate and predict the number of vulnerabilities that may potentially be present but not yet found [14]- [17]. Other studies tried to increase the accuracy of vulnerability discovery modeling by taking the skewness of the vulnerability data into consideration [8] or using the clustering techniques [18], [19], commonly used in social media studies [20] .…”

Section: Related Workmentioning

confidence: 99%

Vulnerability prediction capability: A comparison between vulnerability discovery models and neural network models

Movahedi

Cukier

Gashi

2019

Computers & Security

Self Cite

View full text Add to dashboard Cite

In this paper, we introduce an approach for predicting the cumulative number of software vulnerabilities that is in most cases more accurate than vulnerability discovery models (VDMs). Our approach uses a neural network model (NNM) to model the nonlinearities associated with vulnerability disclosure. Nine common VDMs were used to compare their prediction capability with our approach. The different models were applied to vulnerabilities associated with eight well-known software (four operating systems and four web browsers). The models were assessed in terms of prediction accuracy and prediction bias. Out of eight software we analyzed, the NNM outperformed the VDMs in all the cases in terms of prediction accuracy, and provided smaller values of absolute average bias in seven cases. This study shows that NNMs are promising for accurate predictions of software vulnerabilities disclosures.

show abstract

“…The NHPP has been used for analyzing software's failure times, and prediction of the next failure time. The subject model has been shown to be effective and useful not only in software reliability assessment [2]- [11], but also in cybersecurity; the attack detection in cloud systems [12] [13], breast and skin cancer treatments' effectiveness, [14] [15] [16], respectively, finance; modeling of financial markets at the ultra-high frequency level [17], trnasportation; modeling passengers' arrivals [18] [19] [20] [21] [22], and in the formulation of a software cost model [23].…”

Section: Introductionmentioning

confidence: 99%

The Effectiveness of the Squared Error and Higgins-Tsokos Loss Functions on the Bayesian Reliability Analysis of Software Failure Times under the Power Law Process

Alenezi¹,

Tsokos²

2019

ENG

View full text Add to dashboard Cite

Reliability analysis is the key to evaluate software's quality. Since the early 1970s, the Power Law Process, among others, has been used to assess the rate of change of software reliability as time-varying function by using its intensity function. The Bayesian analysis applicability to the Power Law Process is justified using real software failure times. The choice of a loss function is an important entity of the Bayesian settings. The analytical estimate of likelihood-based Bayesian reliability estimates of the Power Law Process under the squared error and Higgins-Tsokos loss functions were obtained for different prior knowledge of its key parameter. As a result of a simulation analysis and using real data, the Bayesian reliability estimate under the Higgins-Tsokos loss function not only is robust as the Bayesian reliability estimate under the squared error loss function but also performed better, where both are superior to the maximum likelihood reliability estimate. A sensitivity analysis resulted in the Bayesian estimate of the reliability function being sensitive to the prior, whether parametric or non-parametric, and to the loss function. An interactive user interface application was additionally developed using Wolfram language to compute and visualize the Bayesian and maximum likelihood estimates of the intensity and reliability functions of the Power Law Process for a given data.

show abstract

Cluster-based vulnerability assessment of operating systems and web browsers

Cited by 10 publications

References 30 publications

Predicting the Discovery Pattern of Publically Known Exploited Vulnerabilities

Predicting the Discovery Pattern of Publically Known Exploited Vulnerabilities

Vulnerability prediction capability: A comparison between vulnerability discovery models and neural network models

The Effectiveness of the Squared Error and Higgins-Tsokos Loss Functions on the Bayesian Reliability Analysis of Software Failure Times under the Power Law Process

Contact Info

Product

Resources

About