Empirical Characterization of the Likelihood of Vulnerability Discovery

doi:10.23940/ijpe.20.07.p3.10081018

Abstract

Abstract: Assessing the risk of the likelihood of a vulnerability discovery is very important for decision-makers to prioritize which vulnerability should be investigated and fixed first. Currently, the likelihood of vulnerability discovery is being assessed based on expert opinion which could potentially hinder its accuracy. In this study, we propose using Time to Vulnerability Disclosure (TTVD) as a proxy for assessing the likelihood of vulnerability discovery. We will then empirically explore characterizing TTVD using intrinsic vulnerability attributes including CVSS Base metrics and vulnerabilities types. We examine 799 reported vulnerabilities of Chrome and 156 vulnerabilities of the Apache HTTP server. The results show that TTVD correlated at a statistically significant level to some of the intrinsic attributes, namely, access complexity metric, confidentiality, and integrity metrics, and the vulnerabilities' types. Our results from machine learning analysis also show ranges of TTVD values are associated with specific combined values of the metrics under consideration.

Key words: likelihood of vulnerability discovery, CWSS, OWASP, software vulnerability, CVSS base score, vulnerability lifecycle, machine learning

Carl Wilhjelm, Taslima Kotadiya, and Awad A. Younis. Empirical Characterization of the Likelihood of Vulnerability Discovery [J]. Int J Performability Eng, 2020, 16(7): 1008-1018.

Add to citation manager EndNote|Reference Manager|ProCite|BibTeX|RefWorks

References

1. B. Martin, “Common Weakness Scoring System (CWSS),” The Mitre Corporation, June 2011
2. OWASP Risk Rating Methodology,(https://owasp.org/www-community/OWASP_Risk_Rating_Methodology, accessed May 20 2020)
3. A. Younis, Y. K. Malaiya,I. Ray, “Assessing Vulnerability Exploitability Risk using Software Properties,” Software Quality Journal, Vol. 24, No. 1, pp. 159-202, DOI: 10.1007/s11219-015-9274-6, March 2016
4. M. Bozorgi, L. K. Saul, S. Savage,G. M. Voelker, “Beyond Heuristics: Learning to Classify Vulnerabilities and Predict Exploits,” inProceedings of the ACM SIGKDD International Conference on Knowledge Discovery and Data Mining, pp. 105-113, DOI: 10.1145/1835804.1835821, 2010
5. S. F. Accenture, B. P. E.Zurich, and B. T. E. Zurich, “Modeling the Security Ecosystem-The Dynamics of (In)Security PRIvacy-Aware Secure Monitoring (PRISM) View Project BETEUS View Project,”Springer, pp. 79-106, DOI: 10.1007/978-1-4419-6967-5_6, 2010
6. S. Frei, M. May, U. Fiedler,B. Plattner, “Large-Scale Vulnerability Analysis,” inProceedings of the 2006 SIGCOMM Workshop on Large-scale Attack Defense, LSAD'06, Vol. 2006, pp. 131-138, DOI: 10.1145/1162666.1162671, 2006
7. L. Allodi and F. Massacci, “A Preliminary Analysis of Vulnerability Scores for Attacks in Wild: The EKITS and SYM Datasets,” inProceedings of the ACM Conference on Computer and Communications Security, pp. 17-24, DOI: 10.1145/2382416.2382427, 2012
8. K. Nayak, D. Marino, P. Efstathopoulos, and T. Dumitraş, “Some Vulnerabilities are Different than Others: Studying Vulnerabilities and Attack Surfaces in the Wild,” in Lecture Notes in Computer Science (Including Subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics), Vol. 8688 LNCS, pp. 426-446, DOI: 10.1007/978-3-319-11379-1_21, 2014
9. C. Sabottke, O. Suciu, T. Dumitraş,T. Dumitras, “Vulnerability Disclosure in the Age of Social Media: Exploiting Twitter for Predicting Real-World Exploits,” inProceedings of the 24th USENIX Conference on Security Symposium, pp. 1041-1056, August 2015
10. A. Younis, Y. K. Malaiya, C. Anderson,I. Ray, “To Fear or Not to Fear that is the Question: Code Characteristics of a Vulnerable Function with an Existing Exploit,” in Proceedings of the 6th ACM Conference on Data and Application Security and Privacy, pp. 97-104, DOI: 10.1145/2857705.2857750, March 2016
11. A. Younis, Y. K. Malaiya, and I. Ray, “Using Attack Surface Entry Points and Reachability Analysis to Assess the Risk of Software Vulnerability Exploitability,” in Proceedings of 2014 IEEE 15th International Symposium on High-Assurance Systems Engineering, HASE 2014, DOI: 10.1109/HASE.2014.10, 2014
12. M. McQueen, T. McQueen, W. Boyer,M. Chaffin, “Empirical Estimates and Observations of 0day Vulnerabilities,” (https://ieeexplore.ieee.org/abstract/document/4755605/?casa_token=gf4z5-32oO0AAAAA:6pl3f2yzMR9fGaYm0ap_lXafVqQ CCO4qNiIWl9qzBhxdaEBk2MyATwANDYDzD_LT0hfea8AshQ, accessed January 2009)
13. NVD - Home, (https://nvd.nist.gov/, accessed May 21 2020)
14. O. S.-S, “Guidelines for Security Vulnerability Reporting and Response. c2004,” (http://www.oisafety. org/guidelines/Guidelines, accessed May 21 2020
15. The CERT Division | Software Engineering Institute,(https://www.sei.cmu.edu/about/divisions/cert/index.cfm, accessed May 21 2020)
16. W. Arbaugh, W. Fithen,J. McHugh, “Windows of Vulnerability: A Case Study Analysis,” (https://ieeexplore.ieee.org /abstract/document/889093/?casa_token=Cp2JuRWLF5EAAAAA:7jNmY5s8n5WgsHYItCvV-vnjoWpaB_eOZxqYY-71gXesT6yn6Gw85MFKS04Lrd59s46PjPWUmg, accessed December 2000)
17. P. Mell, K. Scarfone,S. Romanosky, “A Complete Guide to the Common Vulnerability Scoring System Version 2.0,” (http://www.first.org/cvss/cvss-guide.pdf, accessed June 2007
18. CWE - Common Weakness Enumeration,(https://cwe.mitre.org/, accessed May 21 2020)
19. M. Hafiz and M. Fang, “Game of Detections: How are Security Vulnerabilities Discovered in the Wild?” Empirical Software Engineering, Vol. 21, No. 5, pp. 1920-1959, DOI: 10.1007/s10664-015-9403 7, October 2016
20. Google Chrome Version History - Wikipedia,(https://en.wikipedia.org/wiki/Google_Chrome_version_history, accessed May 21 2020)
21. Chrome Releases, (https://chromereleases.googleblog.com/, accessed May 21 2020)
22. Welcome! - The Apache HTTP Server Project,(https://httpd.apache.org/, accessed May 21 2020)
23. Apache HTTP Server - Wikipedia,(https://en.wikipedia.org/wiki/Apache_HTTP_Server, accessed May 21, 2020)
24. S. -C. -G, Newsletter and undefined 2000, “Full Disclosure and the Window of Exposure,” (https://www.mendeley.com /catalogue/fceceeb1-8021-30a1-aac6-0da5b105200b/, accessed June 2014)
25. S. Muegge and S. Murshed, “Time to Discover and Fix Software Vulnerabilities in Open Source Software Projects: Notes on Measurement and Data Availability,” (https://ieeexplore.ieee.org/abstract/document/8481833/?casa_token=_AOGGP7YAnsAA AAA:Agnz012T8OxA1Dh7YIbuy_PcujWbWvkDst89Wdyo7ha-ftHXn9Y2ebP5Ccr_xRuD9TP-spJmHg, accessed October 2018)
26. H. Joh and Y. K. Malaiya, “Defining and Assessing Quantitative Security Risk Measures Using Vulnerability Lifecycle and CVSS Metrics,” (http://www.cs.colostate.edu/~malaiya/p/johrisk11.pdf, accessed May 22 2020
27. T. Sommestad, H. Holm,M. Ekstedt, “Effort Estimates for Vulnerability Discovery Projects,” (https://ieeexplore.ieee.org/ abstract/document/6149570/?casa_token=ohd5jKeIcGkAAAAA: oNn-H1sJjUJwmTo-Kea6RX47pomKJ-yQt0iZckT3uTnMFC 9Tgin_rYQkXtJsWguIdhNMSZTRug, accessed February 2012)
28. H. Holm, M. Ekstedt,T. Sommestad, “Effort Estimates on Web Application Vulnerability Discovery,” (https://ieeexplore.ieee.org/abstract/document/6480453/?casa_token=7HDCaZgP05gAAAAA:P5pu2w0RwFa77WSSea1hgRu0UkwRE5BZhL9PLtqg0skzoi1sh0midPinDyN16Z2I3wdDQ1IDpA, accessed March 2013)
29. An Empirical Study of Vulnerability Rewards Programs - Google Scholar,(https://scholar.google.com/scholar?hl= en&as_sdt=0%2C11&q=An+empirical+study+of+vulnerability+rewards+programs&btnG=, accessed May 22 2020)
30. A. Younis, Y. K. Malaiya,I. Ray, “Evaluating CVSS base Score using Vulnerability Rewards Programs,”ICT Systems Security and Privacy Protection, Vol. 471, pp. 62-75, 2016
31. YEARFRAC Function - Office Support,(https://support.office.com/en-us/article/yearfrac-function-3844141e-c76d-4143-82b6-208454ddc6a8, accessed May 25 2020)
32. A. M.De Guyon, “An Introduction to Variable and Feature Selection André Elisseeff,” (http://www.jmlr.org/papers/v3/ guyon03a.html, accessed 2003
33. M. Zhao, J. Grossklags,P. Liu, “An Empirical Study of Web Vulnerability Discovery Ecosystems,” inProceedings of the 22nd ACM SIGSAC Conference on Computer and Communications Security, pp. 1105-1117, DOI: 10.1145/2810103.2813704, October 2015
34. L. Glanz, S. Schmidt, S. Wollny,B. Hermann, “A Vulnerability's Lifetime: Enhancing Version Information in CVE Databases,” inProceedings of the 15th International Conference on Knowledge Technologies and Data-Driven Business, No. 28, pp. 1-4, DOI: 10.1145/2809563.2809612, 2015

[1]	C. Rohith Bhat and Madhusundar Nelson. Artificial Intelligence Based Credit Card Fraud Detection for Online Transactions Optimized with Sparrow Search Algorithm [J]. Int J Performability Eng, 2023, 19(9): 624-632.
[2]	Savita Khurana, Gaurav Sharma, and Bhawna Sharma. Hybrid Machine Learning Model for Load Prediction in Cloud Environment [J]. Int J Performability Eng, 2023, 19(8): 507-515.
[3]	K. Eswara Rao, Bala Murali Pydi, T. Panduranga Vital, P. Annan Naidu, U. D. Prasann, and T. Ravikumar. An Advanced Machine Learning Approach for Student Placement Prediction and Analysis [J]. Int J Performability Eng, 2023, 19(8): 536-546.
[4]	Babaljeet Kaur and Shalli Rani. Are the Customers Receiving Exact Recommendations from the E-Commerce Companies? Towards the Identification of Gray Sheep Users Using Personality Parameters [J]. Int J Performability Eng, 2023, 19(7): 425-433.
[5]	Kshitij Kumar Sinha, Manoj Mathur, and Arun Sharma. Suitability Index Prediction for Residential Apartments Through Machine Learning [J]. Int J Performability Eng, 2023, 19(7): 434-442.
[6]	Manpreet Kaur and Shalli Rani. Recommender System: Towards Identification of Shilling Attacks in Rating System Using Machine Learning Algorithms [J]. Int J Performability Eng, 2023, 19(7): 443-451.
[7]	Srishti Bhugra and Puneet Goswami. Exploratory Review of Machine Learning-Based Software Component Reusability Prediction [J]. Int J Performability Eng, 2023, 19(7): 452-461.
[8]	Harsha Gaikwad, Sanil Gandhi, Arvind Kiwelekar, and Manjushree Laddha. Analyzing Brain Signals for Predicting Students’ Understanding of Online Learning: A Machine Learning Approach [J]. Int J Performability Eng, 2023, 19(7): 462-470.
[9]	Rakesh Kumar, Sunny Arora, Ashima Arya, Neha Kohli, Vaishali Arya, and Ekta Singh. Ensemble Learning for Appraising English Text Readability using Gompertz Function [J]. Int J Performability Eng, 2023, 19(6): 388-396.
[10]	Pranshu Kumar Soni and Leema Nelson. PCP: Profit-Driven Churn Prediction using Machine Learning Techniques in Banking Sector [J]. Int J Performability Eng, 2023, 19(5): 303-311.
[11]	Ramneet Kaur, Deepali Gupta, and Mani Madhukar. Learner-Centric Hybrid Filtering-Based Recommender System for Massive Open Online Courses [J]. Int J Performability Eng, 2023, 19(5): 324-333.
[12]	Mahima Yadav and Ishan Kumar. Image Processing-Based Transliteration from Hindi to English [J]. Int J Performability Eng, 2023, 19(5): 334-341.
[13]	Harshita Batra and Leema Nelson. DCADS: Data-Driven Computer Aided Diagnostic System using Machine Learning Techniques for Polycystic Ovary Syndrome [J]. Int J Performability Eng, 2023, 19(3): 193-202.
[14]	Shobhanam Krishna and Sumati Sidharth. AI-Powered Workforce Analytics: Maximizing Business and Employee Success through Predictive Attrition Modelling [J]. Int J Performability Eng, 2023, 19(3): 203-215.
[15]	Bhagirath, Neetu Mittal, and Sushil Kumar. Impact of Real Time Fraud Prevention on Online Resale Platform using Machine Learning and Device Fingerprint Techniques [J]. Int J Performability Eng, 2023, 19(2): 94-104.