
Modeling Software Vulnerability Discovery Process Inculcating the Impact of Reporters

Published in Information Systems Frontiers

Abstract

Vulnerability discovery models (VDMs) estimate how many of the vulnerabilities latent in a software product will be discovered after its release. A general framework is needed that encompasses the attributes that influence discovery, such as the number of detectors, their skill and the product's market share. VDMs have been developed by industry and by researchers to assess the vulnerability trend over time. In this paper we formulate the discovery process in terms of the software reporters who work legitimately to find vulnerabilities in a software product. The number of reporters active in the market affects the discovery process significantly, because a vulnerability is more likely to be found when more people are searching for it simultaneously. This interdisciplinary approach highlights the association between the vulnerability discovery process and the number of reporters. To validate the proposition empirically, we consider three datasets, on which the proposed methodology performs significantly better than traditional VDMs.
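The abstract states the idea (discovery rate rises with the number of active reporters) without giving the model. The following is an added illustration, not the paper's model or code, of how such a reporter-aware VDM can be fitted and compared against a plain time-based one. It assumes a hypothetical functional form, Omega(t) = N * (1 - exp(-b * E(t))) with E(t) the cumulative reporter-effort (sum of reporters active per period), which reduces to the exponential VDM when one unit of effort is counted per period. The reporter counts and CVE totals are constructed sample data, not figures from any real product or from the paper's three datasets.

```python
"""Reporter-aware vulnerability discovery model: an added illustration.

NOT the paper's model or code. Assumed (hypothetical) form: each of r(t)
active reporters independently finds each still-undiscovered vulnerability
at rate b per period, so the expected cumulative count after t periods is

    Omega(t) = N * (1 - exp(-b * E(t))),   E(t) = sum_{i<=t} r(i)

where N is the total number of vulnerabilities eventually found and E(t) is
the cumulative reporter-effort. With r(t) = 1 for all t this is the plain
exponential VDM, used here as the baseline.
"""
import math

# Constructed sample data (not from any real product): 12 release periods,
# active reporters per period, and observed cumulative vulnerability count.
REPORTERS = [1, 1, 2, 2, 3, 4, 4, 5, 5, 6, 6, 6]
OBSERVED = [3, 6, 11, 17, 24, 32, 40, 48, 56, 63, 69, 74]


def cumulative_effort(reporters):
    """E(t): cumulative reporter-periods up to and including period t."""
    total, out = 0.0, []
    for r in reporters:
        total += r
        out.append(total)
    return out


def model(N, b, effort):
    """Expected cumulative discoveries for each cumulative-effort value."""
    return [N * (1.0 - math.exp(-b * e)) for e in effort]


def sse(N, b, effort, observed):
    """Sum of squared errors between model and observed cumulative counts."""
    return sum((m - o) ** 2 for m, o in zip(model(N, b, effort), observed))


def fit(effort, observed):
    """Least-squares fit of (N, b): coarse grid search, then local refinement.

    Pure Python on purpose: no scipy dependency, and the search space is tiny.
    """
    top = max(observed)
    best = (float("inf"), None, None)
    b_grid = [10 ** (-4 + 4 * k / 59) for k in range(60)]   # 1e-4 .. 1, log-spaced
    for N in range(top, 4 * top + 1, 2):                     # N can't be below what was seen
        for b in b_grid:
            err = sse(N, b, effort, observed)
            if err < best[0]:
                best = (err, float(N), b)
    _, N0, b0 = best
    # Refine around the coarse optimum: N within +/-10, b within [0.5, 2] x b0.
    for N in [N0 + 0.25 * k for k in range(-40, 41)]:
        if N < top:
            continue
        for b in [b0 * (0.5 + 1.5 * k / 200) for k in range(201)]:
            err = sse(N, b, effort, observed)
            if err < best[0]:
                best = (err, N, b)
    return {"N": best[1], "b": best[2], "sse": best[0]}


def forecast(fitted, effort_so_far, future_reporters):
    """Expected additional discoveries per coming period if future_reporters[i]
    reporters are active in period i, under the fitted reporter-aware model."""
    N, b = fitted["N"], fitted["b"]
    found_now = N * (1.0 - math.exp(-b * effort_so_far))
    e, out = effort_so_far, []
    for r in future_reporters:
        e += r
        out.append(N * (1.0 - math.exp(-b * e)) - found_now)
    return out


def compare(reporters=REPORTERS, observed=OBSERVED):
    """Fit the baseline (one unit of effort per period) and the reporter-aware
    model to the same data and return both fits."""
    time_effort = [float(t) for t in range(1, len(observed) + 1)]
    baseline = fit(time_effort, observed)
    reporter_effort = cumulative_effort(reporters)
    aware = fit(reporter_effort, observed)
    return {"baseline": baseline, "reporter_aware": aware,
            "effort_so_far": reporter_effort[-1]}


if __name__ == "__main__":
    result = compare()
    for name in ("baseline", "reporter_aware"):
        f = result[name]
        print(f"{name:15s} N={f['N']:.1f}  b={f['b']:.4f}  sse={f['sse']:.2f}")
    # Expected new discoveries if six reporters stay active for four more periods.
    print(forecast(result["reporter_aware"], result["effort_so_far"], [6, 6, 6, 6]))
```

The point of the comparison is the failure mode of time-only VDMs: when the reporter population grows, the cumulative curve accelerates in a way no concave time-based model can track, so the baseline fit is forced towards an inflated N and a poor residual, while the effort-indexed fit recovers the parameters the constructed data were generated from. The same `fit` routine works for any effort index (e.g. market share times reporters), which is the generalisation the abstract argues for.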



Acknowledgements

This research did not receive any specific grant from funding agencies in the public, commercial, or not-for-profit sectors. The authors thank the anonymous reviewers for suggestions that improved the articulation of the manuscript.


Correspondence to Navneet Bhatt.


Cite this article

Anand, A., Bhatt, N. & Alhazmi, O.H. Modeling Software Vulnerability Discovery Process Inculcating the Impact of Reporters. Inf Syst Front 23, 709–722 (2021). https://doi.org/10.1007/s10796-020-10004-9
