An Optimization of Vulnerability Discovery Models Using Multiple Errors Iterative Analysis Method

An Optimization of Vulnerability Discovery Models

Authors

  • Gul Jabeen, Karakoram International University Gilgit, Pakistan; Tsinghua University, Beijing, China
  • Sabit Rahim, Karakoram International University Gilgit, Pakistan
  • Gul Sahar, Karakoram International University Gilgit, Pakistan
  • Akber Aman Shah, School of Economics and Management, University of Chinese Academy of Science, Beijing, China
  • Tehmina Bibi, Institute of Geology, University of Azad Jammu & Kashmir Muzaffarabad, Pakistan

Keywords:

Optimization, Vulnerability, HPEIAM, Discovery models, Artificial neural network

Abstract

Vulnerability discovery models (VDMs) play a central role in modeling the rate at which vulnerabilities are discovered in software. However, these models have various shortcomings, viz. multiple VDMs, changes in VDMs, and the development of new VDMs for different datasets, owing to the diverse approaches and assumptions in their analytical formulation. There is a clear need for intensive investigation and extensive use of these models to enhance the predictive accuracy of existing VDMs. In this paper, to enhance the predictive accuracy of existing VDMs, a multiple error iterative analysis method (MEIAM), together with artificial neural network sign estimators, is proposed based on the residual errors. Our findings reveal that the proposed method is optimized to fit historical vulnerability data accurately and helps to predict future vulnerability trends across different datasets and models. Repeated calculations of the residual errors of these models are used to improve and adjust the forecast accuracy to the expected level. The experiments were performed using real vulnerability data for three types of popular software: Windows 10 (613), Android 7.0 (1018), Internet Explorer 11 (60), and Firefox 20 (502), starting from the first day of issue or the earliest date available in the NVD database. The results demonstrate that the method is universally applicable to any of the VDMs to improve predictive accuracy.

Published

2021-03-31

How to Cite

Jabeen, G., Rahim, S., Sahar, G., Shah, A. A., & Bibi, T. (2021). An Optimization of Vulnerability Discovery Models Using Multiple Errors Iterative Analysis Method: An Optimization of Vulnerability Discovery Models. Proceedings of the Pakistan Academy of Sciences: A. Physical and Computational Sciences, 57(3), 47–60. Retrieved from https://ppaspk.org/index.php/PPAS-A/article/view/154

Section

Articles