Modeling discovery and removal of security vulnerabilities in software system using priority queueing models

Original Paper, published in the Journal of Computer Virology and Hacking Techniques

Abstract

This paper models the discovery and removal of software vulnerabilities using queueing theory, whose core elements are the probabilistic characteristics of the arrival and service processes. Discovering and removing software vulnerabilities correspond to the arrival and service processes of a queueing model, respectively. Vulnerabilities can be classified into groups according to their severity levels as measured by CVSS (Common Vulnerability Scoring System), and groups with higher severity levels are fixed more quickly than groups with lower severity levels. Priority queueing models capture this and yield several performance indices: the number of unfixed vulnerabilities at an arbitrary instant and the waiting time before a vulnerability is fixed. Moreover, the service rate required to keep the number, or the severity-weighted accumulated degree, of unfixed vulnerabilities below a predetermined level can be estimated.
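The abstract describes the model only in outline. As an added illustration (not code from the paper), the script below instantiates one concrete choice of that model: discoveries in each CVSS severity class arrive as independent Poisson streams, a single fixing team serves them at exponential rate mu, higher-severity classes are always taken first but a fix in progress is never interrupted, mean queueing delays follow Cobham's formula for the non-preemptive priority M/G/1 queue specialised to exponential service, and Little's law (L = lambda W) converts delays into mean backlog sizes. The three severity bands, the arrival rates and the severity weights are constructed sample values, and the choice of a non-preemptive M/M/1 priority queue is our assumption rather than the paper's stated model.

```python
"""Vulnerability backlog as a non-preemptive priority queue (added illustration).

Discovered vulnerabilities arrive as independent Poisson streams, one per CVSS
severity class; one fixing team serves them at exponential rate mu, always
taking the highest-severity unfixed item next but never interrupting a fix in
progress. Mean queueing delays come from Cobham's formula for the M/G/1
non-preemptive priority queue, specialised here to exponential service, and
Little's law (L = lambda * W) turns delays into mean backlog sizes.
The distributional assumptions are ours, not the paper's.
"""
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class SeverityClass:
    name: str
    arrival_rate: float  # lambda_k: vulnerabilities of this class discovered per day
    weight: float = 1.0  # severity weight used for the "accumulated degree" metric


# Constructed sample, listed highest priority first (CVSS v2 bands high/medium/low;
# the rates and weights are invented for the illustration).
SAMPLE_CLASSES: List[SeverityClass] = [
    SeverityClass("high", 0.7, weight=10.0),
    SeverityClass("medium", 1.0, weight=5.0),
    SeverityClass("low", 0.8, weight=2.0),
]


def waiting_times(classes: List[SeverityClass], mu: float) -> Dict[str, float]:
    """Mean time from discovery to fix, per class (queueing delay + one service)."""
    lam = sum(c.arrival_rate for c in classes)
    rho = lam / mu
    if rho >= 1.0:
        raise ValueError(f"unstable: discovery rate {lam} >= fix rate {mu}")
    # Cobham's residual-service term W0 = sum(lambda_i * E[S_i^2]) / 2;
    # with exponential service E[S^2] = 2 / mu^2, so W0 = rho / mu.
    w0 = rho / mu
    sigma_prev = 0.0  # cumulative load of all strictly higher-priority classes
    result: Dict[str, float] = {}
    for c in classes:  # list order is priority order
        sigma_k = sigma_prev + c.arrival_rate / mu
        wq = w0 / ((1.0 - sigma_prev) * (1.0 - sigma_k))  # mean queueing delay
        result[c.name] = wq + 1.0 / mu                      # plus the fix itself
        sigma_prev = sigma_k
    return result


def backlog(classes: List[SeverityClass], mu: float, weighted: bool = False) -> float:
    """Mean number of unfixed vulnerabilities (or severity-weighted sum) by Little's law."""
    w = waiting_times(classes, mu)
    return sum(c.arrival_rate * w[c.name] * (c.weight if weighted else 1.0)
               for c in classes)


def min_service_rate(classes: List[SeverityClass], threshold: float,
                     weighted: bool = False) -> float:
    """Smallest fix rate mu that keeps the mean backlog at or below `threshold`.

    The backlog decreases monotonically in mu, so a bisection between the
    instability point (mu = total lambda) and a large enough mu suffices.
    """
    lam = sum(c.arrival_rate for c in classes)
    lo = lam          # backlog is unbounded here; never evaluated directly
    hi = 2.0 * lam
    while backlog(classes, hi, weighted) > threshold:
        hi *= 2.0
    for _ in range(200):
        mid = 0.5 * (lo + hi)
        if backlog(classes, mid, weighted) > threshold:
            lo = mid
        else:
            hi = mid
    return hi


if __name__ == "__main__":
    mu = 4.0  # fixes per day
    for name, w in waiting_times(SAMPLE_CLASSES, mu).items():
        print(f"{name:>7}: mean days until fixed = {w:.3f}")
    print(f"mean unfixed vulnerabilities       = {backlog(SAMPLE_CLASSES, mu):.3f}")
    print(f"severity-weighted accumulated degree = {backlog(SAMPLE_CLASSES, mu, True):.3f}")
    print(f"fix rate needed for backlog <= 1   = {min_service_rate(SAMPLE_CLASSES, 1.0):.3f}/day")
```

Two sanity checks worth keeping in mind when adapting the numbers: the conservation law guarantees that the arrival-weighted sum of the per-class queueing delays equals the FCFS M/M/1 delay rho/(mu - lambda), so the total backlog is rho/(1 - rho) regardless of how priorities are assigned; priorities only redistribute waiting from high-severity to low-severity classes. And the model is only meaningful for mu strictly above the total discovery rate; below that the low-priority backlog grows without bound, which is exactly the failure mode the estimated service rate is meant to rule out.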

Acknowledgments

This research was supported by Basic Science Research Program through the National Research Foundation of Korea (NRF) funded by the Ministry of Education, Science and Technology (NRF-2011-0025512). This work was supported by the National Research Foundation of Korea Grant funded by the Korean Government (NRF-2013S1A5A2A01017485). This research was supported by the MSIP (Ministry of Science, ICT & Future Planning), Korea, under the “Employment Contract based Master’s Degree Program for Information Security” supervised by the KISA(Korea Internet Security Agency) (H2101-13-1001).

Corresponding author

Correspondence to Tae-Sung Kim.

Additional information

This paper is a contribution to the special issue on Mobile Communication Systems (selected topics from the SDPM), coordinated by Sangyeob Oh, K. Chung and Supratip Ghose.

Cite this article

Lim, DE., Kim, TS. Modeling discovery and removal of security vulnerabilities in software system using priority queueing models. J Comput Virol Hack Tech 10, 109–114 (2014). https://doi.org/10.1007/s11416-014-0205-z