Abstract
This work discusses an approach to estimate the likelihood of occurrence and evolution in time of software security issues. First, software vulnerability assessment is revisited in the light of recent studies. Then, guidelines are proposed that allow for the (formal) modelling of stochastic aspects of cybersecurity-relevant scenarios. This opens a connection to the field of formal methods, where automated tools like statistical model checkers can estimate the value of property queries characterising such scenarios. But exploitable vulnerabilities and attacks in cybersecurity are rare events, which calls for specialised tools. In view of this, the work concludes by presenting FIG, a statistical model checker specialised in rare event simulation. FIG, an open source software tool freely available at https://git.cs.famaf.unc.edu.ar/dsg/fig, can be used to estimate the probability of an attack within the next release cycle.
Funded by the EU under GA n.101067199 (ProSVED). Views and opinions expressed are those of the author(s) only and do not necessarily reflect those of the European Union or The European Research Executive Agency. Neither the European Union nor the granting authority can be held responsible for them.
Notes
- 1. This is rather encryption, a sub-field of cryptography. For a more precise (and serious) understanding of cryptography we refer the interested reader to e.g. [4, chs. 1 and 3].
- 2. In ML, "predict" refers to classification, i.e. identifying code affected by a CVE or known vulnerable pattern. This is not the same as foretelling the occurrence of vulnerabilities in the future, e.g. a yet-to-come CVE. Here we are interested in estimating the latter.
- 3. Transitions among states are governed by stochastic distributions that describe the jump probabilities from past evidence. Stochastic Automata encode this via “clocks”.
- 4.
References
Akram, J., Luo, P.: SQVDT: a scalable quantitative vulnerability detection technique for source code security assessment. Softw. Practice Exp. 51(2), 294–318 (2021). https://doi.org/10.1002/spe.2905
Alohaly, M., Takabi, H.: When do changes induce software vulnerabilities? In: CIC, pp. 59–66. IEEE (2017). https://doi.org/10.1109/CIC.2017.00020
Alves, H., Fonseca, B., Antunes, N.: Software metrics and security vulnerabilities: dataset and exploratory study. In: EDCC, pp. 37–44. IEEE (2016). https://doi.org/10.1109/EDCC.2016.34
Aumasson, J.P.: Serious Cryptography: A Practical Introduction to Modern Encryption. No Starch Press (2017)
Baier, C., Katoen, J.P.: Principles of Model Checking. MIT Press (2008)
Barbot, B., Haddad, S., Picaronny, C.: Coupling and importance sampling for statistical model checking. In: Flanagan, C., König, B. (eds.) TACAS 2012. LNCS, vol. 7214, pp. 331–346. Springer, Heidelberg (2012). https://doi.org/10.1007/978-3-642-28756-5_23
Bilgin, Z., Ersoy, M.A., Soykan, E.U., Tomur, E., Çomak, P., Karaçay, L.: Vulnerability prediction from source code using machine learning. IEEE Access 8, 150672–150684 (2020). https://doi.org/10.1109/ACCESS.2020.3016774
Budde, C.E.: Automation of Importance Splitting Techniques for Rare Event Simulation. Ph.D. thesis, Universidad Nacional de Córdoba, Córdoba, Argentina (2017)
Budde, C.E.: FIG: The Finite Improbability Generator v1.3. SIGMETRICS Perform. Eval. Rev. 49(4), 59–64 (2022). https://doi.org/10.1145/3543146.3543160
Budde, C.E., D’Argenio, P.R., Hartmanns, A.: Automated compositional importance splitting. Sci. Comput. Program. 174, 90–108 (2019). https://doi.org/10.1016/j.scico.2019.01.006
Budde, C.E., D’Argenio, P.R., Monti, R.E., Stoelinga, M.: Analysis of non-Markovian repairable fault trees through rare event simulation. Int. J. Softw. Tools Technol. Transfer (to appear) (2022). https://doi.org/10.1007/s10009-022-00675-x
Chakraborty, S., Krishna, R., Ding, Y., Ray, B.: Deep learning based vulnerability detection: are we there yet. IEEE Trans. Softw. Eng. 48(9), 3280–3296 (2021). https://doi.org/10.1109/TSE.2021.3087402
Chowdhury, I., Zulkernine, M.: Using complexity, coupling, and cohesion metrics as early indicators of vulnerabilities. J. Syst. Architect. 57(3), 294–313 (2011). https://doi.org/10.1016/j.sysarc.2010.06.003
D’Argenio, P.R., Katoen, J.P.: A theory of stochastic systems part I: Stochastic automata. Inf. Comput. 203(1), 1–38 (2005). https://doi.org/10.1016/j.ic.2005.07.001
D’Argenio, P.R., Monti, R.E.: Input/output stochastic automata with urgency: confluence and weak determinism. In: Fischer, B., Uustalu, T. (eds.) ICTAC 2018. LNCS, vol. 11187, pp. 132–152. Springer, Cham (2018). https://doi.org/10.1007/978-3-030-02508-3_8
Dragoni, N., Lafuente, A.L., Massacci, F., Schlichtkrull, A.: Are we preparing students to build security in? A survey of European cybersecurity in higher education programs [education]. IEEE Secur. Privacy 19(01), 81–88 (2021). https://doi.org/10.1109/MSEC.2020.3037446
Fang, Z., Fu, H., Gu, T., Qian, Z., Jaeger, T., Hu, P., Mohapatra, P.: A model checking-based security analysis framework for IoT systems. High-Confidence Comput. 1(1) (2021). https://doi.org/10.1016/j.hcc.2021.100004
Faqeh, R., Fetzer, C., Hermanns, H., Hoffmann, J., Klauck, M., Köhl, M.A., Steinmetz, M., Weidenbach, C.: Towards dynamic dependable systems through evidence-based continuous certification. In: Margaria, T., Steffen, B. (eds.) ISoLA 2020. LNCS, vol. 12477, pp. 416–439. Springer, Cham (2020). https://doi.org/10.1007/978-3-030-61470-6_25
Furnell, S., Clarke, N.: Power to the people? the evolving recognition of human aspects of security. Comput. Secur. 31(8), 983–988 (2012). https://doi.org/10.1016/j.cose.2012.08.004
Ganesh, S., Ohlsson, T., Palma, F.: Predicting security vulnerabilities using source code metrics. In: SweDS, pp. 1–7. IEEE (2021). https://doi.org/10.1109/SweDS53855.2021.9638301
Ghaffarian, S.M., Shahriari, H.R.: Software vulnerability analysis and discovery using machine-learning and data-mining techniques: a survey. ACM Comput. Surv. 50(4) (2017). https://doi.org/10.1145/3092566
Hartmanns, A.: On the analysis of stochastic timed systems. Ph.D. thesis, Saarland University (2015). https://doi.org/10.22028/D291-26597
Hole, K.J.: Anti-fragile ICT Systems. Springer (2016). https://doi.org/10.1007/978-3-319-30070-2
Khan, S., Katoen, J.P.: Synergising reliability modelling languages: BDMPs and repairable DFTs. In: PRDC, pp. 113–122. IEEE (2021). https://doi.org/10.1109/PRDC53464.2021.00023
L’Ecuyer, P., Le Gland, F., Lezaud, P., Tuffin, B.: Splitting techniques. In: Rubino and Tuffin [41], pp. 39–61. https://doi.org/10.1002/9780470745403.ch3
Li, H., Kwon, H., Kwon, J., Lee, H.: A scalable approach for vulnerability discovery based on security patches. In: Batten, L., Li, G., Niu, W., Warren, M. (eds.) ATIS 2014. CCIS, vol. 490, pp. 109–122. Springer, Heidelberg (2014). https://doi.org/10.1007/978-3-662-45670-5_11
Li, Q., Song, J., Tan, D., Wang, H., Liu, J.: PDGraph: a large-scale empirical study on project dependency of security vulnerabilities. In: DSN, pp. 161–173. IEEE (2021). https://doi.org/10.1109/DSN48987.2021.00031
Massacci, F., Pashchenko, I.: Technical leverage in a software ecosystem: development opportunities and security risks. In: ICSE, pp. 1386–1397. IEEE (2021). https://doi.org/10.1109/ICSE43902.2021.00125
Meneely, A., Williams, L.: Secure open source collaboration: an empirical study of Linus’ law. In: CCS, pp. 453–462. ACM (2009). https://doi.org/10.1145/1653662.1653717
Meneely, A., Williams, L.: Strengthening the empirical analysis of the relationship between Linus’ law and software security. In: ESEM. ACM (2010). https://doi.org/10.1145/1852786.1852798
Parsons, K., Calic, D., Pattinson, M., Butavicius, M., McCormac, A., Zwaans, T.: The human aspects of information security questionnaire (HAIS-Q): two further validation studies. Comput. Secur. 66, 40–51 (2017). https://doi.org/10.1016/j.cose.2017.01.004
Pashchenko, I., Plate, H., Ponta, S.E., Sabetta, A., Massacci, F.: Vulnerable open source dependencies: counting those that matter. In: ESEM, pp. 42:1–42:10. ACM (2018). https://doi.org/10.1145/3239235.3268920
Pashchenko, I., Plate, H., Ponta, S.E., Sabetta, A., Massacci, F.: Vuln4Real: a methodology for counting actually vulnerable dependencies. IEEE Trans. Software Eng. 48(5), 1592–1609 (2022). https://doi.org/10.1109/TSE.2020.3025443
Post, G.V., Kagan, A.: Evaluating information security tradeoffs: restricting access can interfere with user tasks. Comput. Secur. 26(3), 229–237 (2007). https://doi.org/10.1016/j.cose.2006.10.004
Prana, G.A.A., et al.: Out of sight, out of mind? how vulnerable dependencies affect open-source projects. Empir. Softw. Eng. 26(4), 1–34 (2021). https://doi.org/10.1007/s10664-021-09959-3
Rindell, K., Ruohonen, J., Holvitie, J., Hyrynsalmi, S., Leppänen, V.: Security in agile software development: a practitioner survey. Inf. Softw. Technol. 131 (2021). https://doi.org/10.1016/j.infsof.2020.106488
Roberts, R., Lewis, B., Hartmanns, A., Basu, P., Roy, S., Chakraborty, K., Zhang, Z.: Probabilistic verification for reliability of a two-by-two network-on-chip system. In: Lluch Lafuente, A., Mavridou, A. (eds.) FMICS 2021. LNCS, vol. 12863, pp. 232–248. Springer, Cham (2021). https://doi.org/10.1007/978-3-030-85248-1_16
Rose, A.Z., Miller, N.: Measurement of Cyber Resilience from an Economic Perspective, chap. 10, pp. 253–274. John Wiley & Sons, Ltd (2021). https://doi.org/10.1002/9781119287490.ch10
Roumani, Y., Nwankpa, J.K., Roumani, Y.F.: Time series modeling of vulnerabilities. Comput. Secur. 51, 32–40 (2015). https://doi.org/10.1016/j.cose.2015.03.003
Rubino, G., Tuffin, B.: Introduction to rare event simulation. In: Rubino and Tuffin [41], pp. 1–13. https://doi.org/10.1002/9780470745403.ch1
Rubino, G., Tuffin, B. (eds.): Rare Event Simulation Using Monte Carlo Methods. Wiley (2009). https://doi.org/10.1002/9780470745403
Stoelinga, M., Kolb, C., Nicoletti, S.M., Budde, C.E., Hahn, E.M.: The marriage between safety and cybersecurity: still practicing. In: Laarman, A., Sokolova, A. (eds.) SPIN 2021. LNCS, vol. 12864, pp. 3–21. Springer, Cham (2021). https://doi.org/10.1007/978-3-030-84629-9_1
Sultana, K.Z., Deo, A., Williams, B.J.: Correlation analysis among Java nano-patterns and software vulnerabilities. In: HASE, pp. 69–76. IEEE (2017). https://doi.org/10.1109/HASE.2017.18
Walden, J., Stuckman, J., Scandariato, R.: Predicting vulnerable components: software metrics vs text mining. In: ISSRE, pp. 23–33. IEEE (2014). https://doi.org/10.1109/ISSRE.2014.32
Weiss, J.: A system security engineering process. In: Proceedings of the 14th National Computer Security Conference. Information System Security: Requirements & Practices, vol. 249, pp. 572–581 (1991)
Yasasin, E., Prester, J., Wagner, G., Schryen, G.: Forecasting IT security vulnerabilities - an empirical analysis. Comput. Secur. 88 (2020). https://doi.org/10.1016/j.cose.2019.101610
Younes, H.L.S., Simmons, R.G.: Probabilistic verification of discrete event systems using acceptance sampling. In: Brinksma, E., Larsen, K.G. (eds.) CAV 2002. LNCS, vol. 2404, pp. 223–235. Springer, Heidelberg (2002). https://doi.org/10.1007/3-540-45657-0_17
© 2023 The Author(s), under exclusive license to Springer Nature Switzerland AG
About this paper
Cite this paper
Budde, C.E. (2023). Using Statistical Model Checking for Cybersecurity Analysis. In: Skarmeta, A., Canavese, D., Lioy, A., Matheu, S. (eds) Digital Sovereignty in Cyber Security: New Challenges in Future Vision. CyberSec4Europe 2022. Communications in Computer and Information Science, vol 1807. Springer, Cham. https://doi.org/10.1007/978-3-031-36096-1_2
DOI: https://doi.org/10.1007/978-3-031-36096-1_2
Publisher Name: Springer, Cham
Print ISBN: 978-3-031-36095-4
Online ISBN: 978-3-031-36096-1
eBook Packages: Computer Science, Computer Science (R0)