Abstract
As more users suffer serious security threats from software vulnerabilities, software security becomes increasingly important. Vulnerability prediction and risk evaluation are two of the most concerning issues in software security management. In this paper, we propose a prediction model for software vulnerability in which the probability and severity of vulnerability occurrence are determined by the logistic function and binomial distribution, respectively. Using the parameters obtained by prediction, we developed a new risk metric model. We provided some metrics, including mean time to vulnerability, local risk rate, mean risk rate, and overall risk value, from the viewpoint of time and probability. Experiments were conducted on real software vulnerability datasets. The results show that the prediction is effective and the evaluation is easy to operate. Our work has several features: (1) users can predict the vulnerability state in the future, in particular, vulnerability severity; (2) unlike traditional evaluation methods with expert scoring, our evaluation model is based on prediction and uses historical vulnerability data; and (3) the risk metric value can be used in risk assessment, security rating, and patch management.
This is a preview of subscription content, log in via an institution to check access.
Similar content being viewed by others
References
Alhazmi O H, Malaiya Y K, Ray I (2007) Measuring, analyzing and predicting security vulnerabilities in software system. Comput Secur 26:219–228
Rahimi S, Zargham M (2013) Vulnerability scrying method for software vulnerability discovery prediction without a vulnerability database. IEEE Trans Reliab 62:395–407
Nie C J, Zhao X F, Chen K, Han Z Q (2011) An software vulnerability number prediction model based on micro-parameters. J Comput Res Dev 48:1279–1287
Okamura H, Etani Y, Dohi T (2010) A multi-factor software reliability model based on logistic regression IEEE 21st international symposium on software reliability engineering. IEEE, pp 31–40
Rescorla E (2005) Is finding security holes a good idea?. IEEE Secur Privacy 3:14–19
Alhazmi O, Malaiya Y (2006) Prediction capabilities of vulnerability discovery models Proceedings of the RAMS 06, annual reliability and maintainability symposium. IEEE, pp 86–91
Chen K, Feng D G, Su P R, Nie C J, Zhang X F (2010) Multi-cycle vulnerability discovery model for prediction. J Softw 21:2367– 2375
Joh H, Malaiya Y K (2014) Modeling skewness in vulnerability discovery. Qual Reliab Eng Int 30:1445–1459
Scandariato R, Walden J, Hovsepyan A, Joosen W (2014) Predicting vulnerable software components via text mining. IEEE Trans Softw Eng 40:993–1006
Liu Q X, Zhang C B, Zhang Y Q, Zhang B F (2012) Research on key technology of vulnerability threat classification. J Commun 33(Z1):79–87
Peter M, Karen S, Sasha R (2007) A complete guide to the common vulnerability scoring system Version 2.0 FIRST-Forum of Incident Response and Security Teams, pp 1–23
Homer J, Zhang S, Ou X, Schmidt D, Du Y, Rajagopalan S R, Singhal A (2013) Aggregating vulnerability metrics in enterprise networks using attack graphs. J Comput Secur 21:561–597
Gao N, Gao L, He Y Y, Lei Y, Gao Q (2016) Dynamic security risk assessment model based on bayesian attack graph. J Sichuan Univ 48:111–118
Ma CG, Wang CH, Zhang DH, Li YT (2015) A dynamic network risk assessment model based on attacker’s inclination. J Comput Res Dev 52:2056–2068
Hammons K (2014) Vulnerability management is not simple. www.issa.org/resource/resmgr/journalpdfs/feature0214.pdf
Zhao D M, Ma J F, Wang Y S (2007) Model of fuzzy risk assessment of the information system. J Commun 28:51–56,64
Luo X X, Tang Z Y, Zhao Y J (2015) Dynamic software reliability assessment based on Markov chain. Appl Res Comput 32:2400–2405
China National Vulnerability Database of Information Security. http://www.cnnvd.org.cn
Musa J D, Okumoto K (1988) Application of basic and logarithmic poisson execution time models in software reliability measurement. Software Reliability Modeling and Identification. Springer, Berlin Heidelberg, pp 68–100
Goel A L, Okumoto K (1979) Time-dependent error detection rate model for software reliability and other performance measures. IEEE Trans Reliab 28:206–211
Musa J D, Iannino A, Okumoto K (1999) Software reliability engineering. McGraw-Hill, New York, USA, pp 193–223
Xie J Y, AN J X, Zhu J H (2010) NHPP Software Reliability growth model considering imperfect debugging. J Softw 21:942–949
Acknowledgments
This work was supported by the Natural Science Foundation of Anhui Province under Grant number 1608085MF141; the Fundamental Research Funds for the Central Universities under Grant number J2014HGBZ0131; and the Humanity and Social Science Key Foundation of Anhui Province under Grant number SK2015A578.
Author information
Authors and Affiliations
Corresponding author
Rights and permissions
About this article
Cite this article
Zhu, X., Cao, C. & Zhang, J. Vulnerability severity prediction and risk metric modeling for software. Appl Intell 47, 828–836 (2017). https://doi.org/10.1007/s10489-017-0925-0
Published:
Issue Date:
DOI: https://doi.org/10.1007/s10489-017-0925-0