Patch Me If You Can: A Study on the Effects of Individual User Behavior on the End-Host Vulnerability State

Conference paper

Part of the book series: Lecture Notes in Computer Science (LNCCN, volume 10176)

Included in the following conference series: Passive and Active Measurement (PAM 2017)

Abstract

In this paper we study the implications of end-user behavior in applying software updates and patches on information-security vulnerabilities. To this end we tap into a large data set of measurements conducted on more than 400,000 Windows machines over four client-side applications, and separate out the impact of user and vendor behavior on the vulnerability states of hosts. Our modeling of users and the empirical evaluation of this model over vulnerability states of hosts reveal a peculiar relationship between vendors and end-users: the users’ promptness in applying software patches, and vendors’ policies in facilitating the installation of updates, while both contributing to the hosts’ security posture, are overshadowed by other characteristics such as the frequency of vulnerability disclosures and the vendors’ swiftness in deploying patches.



Author information

Corresponding author: Armin Sarabi


Copyright information

© 2017 Springer International Publishing AG

About this paper

Cite this paper

Sarabi, A., Zhu, Z., Xiao, C., Liu, M., Dumitraş, T. (2017). Patch Me If You Can: A Study on the Effects of Individual User Behavior on the End-Host Vulnerability State. In: Kaafar, M., Uhlig, S., Amann, J. (eds) Passive and Active Measurement. PAM 2017. Lecture Notes in Computer Science, vol 10176. Springer, Cham. https://doi.org/10.1007/978-3-319-54328-4_9

  • DOI: https://doi.org/10.1007/978-3-319-54328-4_9

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-319-54327-7

  • Online ISBN: 978-3-319-54328-4

  • eBook Packages: Computer Science, Computer Science (R0)