Abstract
In this paper we study the implications of end-user behavior in applying software updates and patches on information-security vulnerabilities. To this end we tap into a large data set of measurements conducted on more than 400,000 Windows machines over four client-side applications, and separate out the impact of user and vendor behavior on the vulnerability states of hosts. Our modeling of users and the empirical evaluation of this model over vulnerability states of hosts reveal a peculiar relationship between vendors and end-users: the users’ promptness in applying software patches, and vendors’ policies in facilitating the installation of updates, while both contributing to the hosts’ security posture, are overshadowed by other characteristics such as the frequency of vulnerability disclosures and the vendors’ swiftness in deploying patches.
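The abstract separates a host's exposure to a disclosed vulnerability into a vendor part (disclosure to patch release) and a user part (patch release to installation). The following Python script is an added illustration of that decomposition, not code or data from the paper: it takes constructed per-vulnerability dates for a single host, measures how many days of a period the host had at least one disclosed-but-uninstalled vulnerability, and re-runs the count with either delay scaled down so the two contributions can be compared. The record layout, the `delays`/`vulnerable_days`/`shifted` helpers and the sample dates are all assumptions made for this example.

```python
from datetime import date, timedelta

# Constructed sample records (hypothetical, not the paper's measurements):
# for one host and one application, when each vulnerability was disclosed,
# when the vendor shipped a fix, and when the user installed that fix.
SAMPLE = [
    {"id": "VULN-A", "disclosed": date(2016, 1, 1),  "patched": date(2016, 1, 21), "installed": date(2016, 1, 26)},
    {"id": "VULN-B", "disclosed": date(2016, 2, 1),  "patched": date(2016, 2, 15), "installed": date(2016, 2, 18)},
    {"id": "VULN-C", "disclosed": date(2016, 2, 10), "patched": date(2016, 3, 1),  "installed": date(2016, 3, 8)},
]


def delays(rec):
    """Split one vulnerability's exposure window into (vendor_days, user_days)."""
    vendor = (rec["patched"] - rec["disclosed"]).days
    user = (rec["installed"] - rec["patched"]).days
    return vendor, user


def vulnerable_days(records, start, end):
    """Days in [start, end) on which the host has at least one disclosed,
    not-yet-installed vulnerability (overlapping windows count once)."""
    count = 0
    day = start
    while day < end:
        if any(r["disclosed"] <= day < r["installed"] for r in records):
            count += 1
        day += timedelta(days=1)
    return count


def shifted(records, vendor_scale=1.0, user_scale=1.0):
    """Copy the records with the vendor and/or user delay scaled, so the
    effect of faster vendors versus faster users can be compared."""
    out = []
    for r in records:
        vendor, user = delays(r)
        patched = r["disclosed"] + timedelta(days=round(vendor * vendor_scale))
        installed = patched + timedelta(days=round(user * user_scale))
        out.append({**r, "patched": patched, "installed": installed})
    return out


def exposure_summary(records, start, end):
    """Exposed-day counts for the host as measured, with user delay removed,
    and with vendor delay removed."""
    return {
        "period_days": (end - start).days,
        "as_measured": vulnerable_days(records, start, end),
        "instant_user": vulnerable_days(shifted(records, user_scale=0.0), start, end),
        "instant_vendor": vulnerable_days(shifted(records, vendor_scale=0.0), start, end),
    }


if __name__ == "__main__":
    start, end = date(2016, 1, 1), date(2016, 4, 1)
    for rec in SAMPLE:
        v, u = delays(rec)
        print(f"{rec['id']}: vendor delay {v} d, user delay {u} d")
    print(exposure_summary(SAMPLE, start, end))
```

On this constructed sample the host is exposed on 61 of 91 days; making the user install patches the day they ship only brings that down to 49, while a vendor that patched on the disclosure date would bring it down to 15. The point of the script is the bookkeeping, not the numbers: with real per-host installation telemetry the same decomposition lets a defender see which of the two delays is actually driving exposure before deciding where to push.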
© 2017 Springer International Publishing AG
Cite this paper
Sarabi, A., Zhu, Z., Xiao, C., Liu, M., Dumitraş, T. (2017). Patch Me If You Can: A Study on the Effects of Individual User Behavior on the End-Host Vulnerability State. In: Kaafar, M., Uhlig, S., Amann, J. (eds) Passive and Active Measurement. PAM 2017. Lecture Notes in Computer Science(), vol 10176. Springer, Cham. https://doi.org/10.1007/978-3-319-54328-4_9
DOI: https://doi.org/10.1007/978-3-319-54328-4_9
Publisher Name: Springer, Cham
Print ISBN: 978-3-319-54327-7
Online ISBN: 978-3-319-54328-4