User-dependent vulnerability discovery model and its interdisciplinary nature

Kansal, Yogita; Kapur, P. K.; Kumar, Uday; Kumar, Deepak

doi:10.1007/s41872-017-0003-y

Cited by 16 publications

(4 citation statements)

References 13 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Kansal et al developed a model that links the number of commercial software users (Kansal et al, 2018). In another study, Kansal et al investigated the relationship between the operational coverage function and the expected vulnerability count with a generalized statistical model (Kansal et al, 2017). Johnston used the Bayesian method in their Ph.D. thesis on vulnerability discovery modeling (Johnston, 2018).…”

Section: Literature Reviewmentioning

confidence: 99%

Analysis and Modeling of Android Software Vulnerabilities: A Numerical Approach

Gencer

Başçiftçi

2023

Preprint

View full text Add to dashboard Cite

A software security vulnerability is a mistake or violation of the security policy that occurs during the creation or development of the software. A vulnerability discovery model is a structure enabling the prediction of software security vulnerabilities that might occur after the software is released. In a more general sense, modeling is the method that allows us to analyze a phenomenon in detail and make accurate predictions for the future. The model must be able to explain the target environment in the best way possible and make the best predictions possible. Recently, there have been many studies on the subject of modeling security vulnerabilities. Most of these studies are concerned with desktop operating systems and internet browsers. Although there are studies based on the most popular mobile operating system, Android, there has never been a study that investigates different statistical distributions to find the most suitable one. The most popular model for vulnerability prediction is the Alhazmi-Malaiya Logistic (AML) model. This model has been observed to achieve better performance than other models in modeling security vulnerabilities. The AML model is similar to a logistic distribution, which has a symmetrical structure. In this study, certain aspects of Android security vulnerabilities were investigated using some symmetric and asymmetric distributions that are close to the AML distribution. The data used in this study was obtained from the National Vulnerability Database (NVD) by filtering Android vulnerabilities from 2016 to 2018, a time interval in which monthly information was continuously available. Furthermore, with the 0 to 10 scoring data obtained from the Common Vulnerability Scoring System (CVSS), the average monthly impact values of vulnerabilities have also been modeled. Logistic, Weibull, Normal, Nakagami, Gamma, and Log-logistic distributions were used to model the average monthly impact values of vulnerabilities, and the Logistic, Weibull, Nakagami, Gamma, and Log-logistic distributions were used to model the monthly vulnerability count. From the goodness-of-fit tests, which are methods to establish how well sample data matches the expected distribution values, Kolmogorov-Smirnov, Anderson-Darling, and Cramer-von Mises tests were applied. Akaike and Bayesian Information Criteria and Log-likelihood were used to see how robust the models were. As a result, the average monthly impact value and the monthly vulnerability count were observed to be best modeled by the Logistic and Nakagami distributions, respectively. Vulnerability detection models help us forecast software vulnerabilities and enable the necessary precautions to be taken, such as planning the generation of a patch. With suitable distributions, it has been shown that Android vulnerabilities can be modeled and forecasts can be made.

show abstract

Section: Literature Reviewmentioning

confidence: 99%

Analysis and Modeling of Android Software Vulnerabilities: A Numerical Approach

Gencer

Başçiftçi

2023

Preprint

View full text Add to dashboard Cite

show abstract

“…Nevertheless, a potential limitation of AME model is that it does not fully fit several operating systems, such as Windows 95 operating system. Moreover, Li HF, Wan YX et al [22]- [26] further study effort-based models, and make good suggestions on how to better evaluate and apply effort-based models. Lately, a few authors introduce multivariate or multiattribute methods to model VDMs.…”

Section: B Effort-based Modelsmentioning

confidence: 99%

E-WBM: An Effort-Based Vulnerability Discovery Model

Wang

Tian

et al. 2019

IEEE Access

View full text Add to dashboard Cite

Vulnerability discovery models (VDMs) have recently been proposed to estimate the cumulative number of vulnerabilities that will be disclosed after software is released. A precise VDM would offer an available quantitative insight to assess software security. Even though VDM has demonstrated its effectiveness in multiple software, it remains limited in accuracy, especially with weak versatility. We propose a novel effort-based VDMs, named E-WBM, to improve critical vulnerability discovery rate algorithm using Weibull probability distribution function towards efficient vulnerability discovery models. E-WBM accurately portrays the trend of software security vulnerabilities disclosure. We evaluate E-WBM on eight popular real-world operating systems and show the feasibility of the proposed model. We further compare E-WBM with a state-of-the-art effort-based model AME and time-based model JW on the above eight operating systems. Our comparison also demonstrates that E-WBM consistently outperforms AME and JW both at reducing the deviations and fitting curve trends. In addition to the model fitting, predictive capabilities of two effort-based models E-WBM and AME are also examined. The results show that the E-WBM model yields a more stable prediction with a significantly less error than AME.

show abstract

“…Huang et al (2013) evaluated software vulnerability prioritization using Fuzzy Analytical Hierarchy Process (FAHP) and fuzzy synthetic decision making approach. Kansal et al (2017) prioritized vulnerabilities using Analytic Network Process (ANP) method. Hence, no work has been done in the vulnerability prioritization using freshly developed MCDM approach called as best worst method (BWM) (Rezaei, 2016).…”

Section: Introductionmentioning

confidence: 99%

Assessment of Software Vulnerabilities using Best-Worst Method and Two-Way Analysis

Anjum¹,

Kapur²,

Agarwal³

et al. 2020

Int J Math, Eng, Manag Sci

Self Cite

View full text Add to dashboard Cite

Software is one of the most essential part in today’s world, with its requirements in every industry be it automotive, avionics, telecommunication, banking, pharmaceutical and many more. Software systems are generally a bit complicated and created by distinct programmers. Usually any mistake in the code by a programmer in the developing stage of a software can lead to loopholes that cause vulnerabilities. Vulnerability is a software flaw that an assaulter can exploit to conduct unlawful activities within a computer system. Despite the understanding of vulnerabilities by the academia and industry, the amount of vulnerabilities is growing exponentially as fresh characteristics are added to the software frequently. Developers and testers are faced with the challenge of fixing large amounts of vulnerabilities within limited resources and time. Thus, prioritizing software vulnerabilities is essential to reduce the usage of corporate assets and time, which is the motivation behind the present study. In the present paper, the issue of software vulnerability prioritization is addressed by utilizing a new multi-criterion decision-making (MCDM) technique known as the Best Worst method (BWM). Further, to assess the vulnerabilities in terms of their critical nature, we have applied Two-Way assessment technique. The BWM utilizes two pairwise comparison vectors to determine the weights of criteria. The two-way assessment framework takes into account the perspectives of both managers/developers and stakeholders/testers to highlight the severity of software vulnerabilities. This can act as a significant measure of efficiency and effectiveness for the prioritization and evaluation of vulnerability. The findings are validated with a software testing firm from North India.

show abstract

User-dependent vulnerability discovery model and its interdisciplinary nature

Cited by 16 publications

References 13 publications

Analysis and Modeling of Android Software Vulnerabilities: A Numerical Approach

Analysis and Modeling of Android Software Vulnerabilities: A Numerical Approach

E-WBM: An Effort-Based Vulnerability Discovery Model

Assessment of Software Vulnerabilities using Best-Worst Method and Two-Way Analysis

Contact Info

Product

Resources

About