Modeling the Security Ecosystem - The Dynamics of (In)Security

Frei, Stefan; Schatzmann, Dominik; Plattner, Bernhard; Trammell, Brian

doi:10.1007/978-1-4419-6967-5_6

Cited by 70 publications

(81 citation statements)

References 16 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Parsers are crawlers or scrapers designed to crawl the web and extract specific information about vulnerabilities, patches and exploits from the selected data sources. Currently we have parsers for six different vulnerability data sources (National Vulnerability Database data source 3 , Security database data source 4 , CVE data source 5 , CVE Details data source 6 , Security , Cisco 12 etc.,) and exploits from Exploit database 13 (illustrated by the left-most column in Figure 2). Due to the modular structure of the data collation framework, more parsers for other security data sources can easily be added.…”

Section: A Backendmentioning

confidence: 99%

“…This analysis is inspired by the work from Frei et al [3]. It allows an analyst to check how long it would take for a vulnerability to be exploited, for it to be patched, or for an exploited vulnerability to be patched.…”

Section: B Inter-event Time Series Analysismentioning

confidence: 99%

“…Examples include the work in [5] (statistical analysis and trends), [1] (application of vulnerability discovery models to vulnerability data), [2] (competing risk model using vulnerabilities, patches and exploits), [3] (analysis of trends and inter-event times between vulnerabilities, patches and exploits).…”

Section: Related Workmentioning

confidence: 99%

“…The main focus has been on the vulnerability lifecycle and studying individual vulnerability metrics. Others, such as the work from Frei et al [3] have provided analysis of multiple risk factors (vulnerabilities, exploits and patches), but they considered a particular period of time (up to 2009 in [3]). This makes it difficult for an organization to assess their current risk exposure.…”

Section: Introductionmentioning

confidence: 99%

See 3 more Smart Citations

vepRisk - A Web Based Analysis Tool for Public Security Data

Andongabo

Gashi

2017

2017 13th European Dependable Computing Conference (EDCC)

View full text Add to dashboard Cite

Abstract-We present vepRisk (Vulnerabilities, Exploits and Patches Risk analysis tool): a web-based tool for analyzing publically available security data. The tool has a backend modules that mine, extract, parse and store data from public repositories of vulnerabilities, exploits and patches; and a frontend web-based application that provides functionality for analyzing the data. The frontend uses shinyR, hence allowing integration with the R statistical analysis package and seamless use of R functions. We also present initial analysis we have done with the tool, and outline the extensions and future development we plan to integrate into the tool in the near future.

show abstract

Section: A Backendmentioning

confidence: 99%

Section: B Inter-event Time Series Analysismentioning

confidence: 99%

Section: Related Workmentioning

confidence: 99%

Section: Introductionmentioning

confidence: 99%

See 2 more Smart Citations

vepRisk - A Web Based Analysis Tool for Public Security Data

Andongabo

Gashi

2017

2017 13th European Dependable Computing Conference (EDCC)

View full text Add to dashboard Cite

show abstract

“…Depending on how we view systems, software security can be measured by several possible metrics [1,2]. Through examining the number of vulnerabilities and their discovery rates, many researchers have established models to quantitatively analyze software security [3][4][5].…”

Section: Introductionmentioning

confidence: 99%

Using CVSS to quantitatively analyze risks to software caused by vulnerabilities

Gao

Zhang

Xiao-hua

2015

MATEC Web of Conferences

View full text Add to dashboard Cite

Abstract. Quantitative methods for evaluating and managing software security are becoming reliable with the ever increasing vulnerability datasets. The Common Vulnerability Scoring System (CVSS) provides a way to quantitatively evaluate individual vulnerability. However it cannot be applied to evaluate software risk directly and some metrics of CVSS are hard to assess. To overcome these shortcomings, this paper presents a novel method, which combines the CVSS base score with market share and software patches, to quantitatively evaluate the software risk. It is based on CVSS and includes three indicators: Absolute Severity Value (ASV), Relative Severity Value (RSV) and Severity Value Variation Rate (SVVR). Experimental results indicate that by using these indicators, the method can quantitatively describe the risk level of software systems, and thus strengthen software security.

show abstract

Increasing Android Security Using a Lightweight OVAL-Based Vulnerability Assessment Framework

Barrère

Hurel

Badonnel

et al. 2013

Automated Security Management

View full text Add to dashboard Cite

Mobile computing devices and the services offered by them are utilized by millions of users on a daily basis. However, they operate in hostile environments getting exposed to a wide variety of threats. Accordingly, vulnerability management mechanisms are highly required. We present in this paper a novel approach for increasing the security of mobile devices by efficiently detecting vulnerable configurations. In that context, we propose a modeling for performing vulnerability assessment activities as well as an OVAL-based distributed framework for ensuring safe configurations within the Android platform. We also describe an implementation prototype and evaluate its performance through an extensive set of experiments.3 Malicious software including virus, worms and spyware among others 4 Open Vulnerability and Assessment Language

show abstract

Modeling the Security Ecosystem - The Dynamics of (In)Security

Cited by 70 publications

References 16 publications

vepRisk - A Web Based Analysis Tool for Public Security Data

vepRisk - A Web Based Analysis Tool for Public Security Data

Using CVSS to quantitatively analyze risks to software caused by vulnerabilities

Increasing Android Security Using a Lightweight OVAL-Based Vulnerability Assessment Framework

Contact Info

Product

Resources

About