3 research outputs found
Recommended from our members
Predicting the Discovery Pattern of Publically Known Exploited Vulnerabilities
Vulnerabilities with publically known exploits typically form 2-7% of all vulnerabilities reported for a given software version. With a smaller number of known exploited vulnerabilities compared with the total number of vulnerabilities, it is more difficult to model and predict when a vulnerability with a known exploit will be reported. In this paper, we introduce an approach for predicting the discovery pattern of publically known exploited vulnerabilities using all publically known vulnerabilities reported for a given software. Eight commonly used vulnerability discovery models (VDMs) and one neural network model (NNM) were utilized to evaluate the prediction capability of our approach. We compared their predictions results with the scenario when only exploited vulnerabilities were used for prediction. Our results show that, in terms of prediction accuracy, out of eight software we analyzed, our approach led to more accurate results in seven cases. Only in one case, the accuracy of our approach was worse by 1.6%
A Case Study on Software Vulnerability Coordination
Context: Coordination is a fundamental tenet of software engineering.
Coordination is required also for identifying discovered and disclosed software
vulnerabilities with Common Vulnerabilities and Exposures (CVEs). Motivated by
recent practical challenges, this paper examines the coordination of CVEs for
open source projects through a public mailing list. Objective: The paper
observes the historical time delays between the assignment of CVEs on a mailing
list and the later appearance of these in the National Vulnerability Database
(NVD). Drawing from research on software engineering coordination, software
vulnerabilities, and bug tracking, the delays are modeled through three
dimensions: social networks and communication practices, tracking
infrastructures, and the technical characteristics of the CVEs coordinated.
Method: Given a period between 2008 and 2016, a sample of over five thousand
CVEs is used to model the delays with nearly fifty explanatory metrics.
Regression analysis is used for the modeling. Results: The results show that
the CVE coordination delays are affected by different abstractions for noise
and prerequisite constraints. These abstractions convey effects from the social
network and infrastructure dimensions. Particularly strong effect sizes are
observed for annual and monthly control metrics, a control metric for weekends,
the degrees of the nodes in the CVE coordination networks, and the number of
references given in NVD for the CVEs archived. Smaller but visible effects are
present for metrics measuring the entropy of the emails exchanged, traces to
bug tracking systems, and other related aspects. The empirical signals are
weaker for the technical characteristics. Conclusion: [...