DOI: 10.1007/978-3-030-68887-5_2
Article

Measuring and Modeling Software Vulnerability Security Advisory Platforms

Published: 04 November 2020

Abstract

In this paper, we report results of a large-scale measurement campaign that collects temporal information about events associated with software vulnerabilities. The data is curated to extract the relevant dates from each analyzed security advisory, and the resulting time series are our object of study. From our measurements we identify the role assumed by different platforms (such as websites and forums) in the security landscape, distinguishing sources from aggregators of vulnerability information. We then propose an analytical model to express the flow of information through security advisories across multiple platforms. The model is a queueing network in which each platform corresponds to a queue that adds a delay to the propagation of information; these delays in turn determine when the information becomes visible at each platform. Leveraging the proposed model and the collected data, we assess how system parameters, such as the delay each platform incurs before propagating its messages, affect the overall flow of information across platforms.
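The abstract describes the model only at the level of "each platform is a queue that adds a delay". The following is an added example, not the paper's code or data, of the simplest instance of that idea: a tandem of FIFO single-server queues, one per platform, fed by Poisson disclosures at the source. The platform chain (vendor site, aggregator, forum), the arrival rate and the per-platform re-publication rates are assumptions chosen for illustration, as is the exponential-service (M/M/1) choice that makes the closed-form results below valid. It simulates the propagation, compares the simulated end-to-end delay with the Jackson-network mean, and computes the "visibility" measure as the fraction of advisories that have reached the last platform within T days.

```python
"""Added example (not the paper's code): advisory propagation across platforms
modelled as a tandem of FIFO single-server queues, one per platform, with
exponential inter-disclosure and re-publication times. Platform names and
rates are assumptions chosen for illustration."""
import math
import random

ARRIVAL_RATE = 1.0                                  # assumed: disclosures per day at the source
PLATFORMS = ("vendor-site", "aggregator", "forum")  # assumed platform chain
MU = (4.0, 2.0, 3.0)                                # assumed re-publication rates per day


def simulate(n=20000, seed=7, lam=ARRIVAL_RATE, mu=MU):
    """Discrete-event simulation via the Lindley recursion.

    Each advisory is disclosed at the source at a Poisson(lam) instant and then
    passes through every platform in order; a platform handles one advisory at
    a time, so an advisory waits until the previous one has been re-published.
    Returns the end-to-end delay (days) of every advisory.
    """
    rng = random.Random(seed)
    disclosed, t = [], 0.0
    for _ in range(n):
        t += rng.expovariate(lam)
        disclosed.append(t)
    arrivals = disclosed
    for rate in mu:
        departures, last = [], 0.0
        for a in arrivals:
            last = max(a, last) + rng.expovariate(rate)  # wait if busy, then publish
            departures.append(last)
        arrivals = departures  # this platform's publications feed the next one
    return [d - a for d, a in zip(arrivals, disclosed)]


def _residual_rates(lam, mu):
    """mu_i - lam for every platform; the chain is stable only if all are > 0."""
    rates = [m - lam for m in mu]
    if min(rates) <= 0:
        raise ValueError("unstable: a platform re-publishes slower than advisories arrive")
    return rates


def mean_delay(lam=ARRIVAL_RATE, mu=MU):
    """Burke's theorem: the departure process of an M/M/1 queue is again
    Poisson(lam), so every platform in the chain is an M/M/1 queue with mean
    sojourn 1/(mu_i - lam); the end-to-end mean delay is the sum."""
    return sum(1.0 / r for r in _residual_rates(lam, mu))


def visibility(T, lam=ARRIVAL_RATE, mu=MU):
    """P(end-to-end delay <= T): the fraction of advisories visible on the last
    platform within T days of disclosure. In a FIFO tandem of M/M/1 queues the
    per-platform sojourn times are independent exponentials with rates
    mu_i - lam, so the total is hypoexponential with a closed-form CDF
    (distinct rates assumed)."""
    rates = _residual_rates(lam, mu)
    if len(set(rates)) != len(rates):
        raise ValueError("closed-form CDF needs distinct residual rates")
    cdf = 1.0
    for i, ri in enumerate(rates):
        coef = 1.0
        for j, rj in enumerate(rates):
            if j != i:
                coef *= rj / (rj - ri)
        cdf -= coef * math.exp(-ri * T)
    return cdf


def bottleneck(lam=ARRIVAL_RATE, mu=MU):
    """Index of the platform that contributes most to the mean delay, i.e. the
    one a speed-up would help the most."""
    rates = _residual_rates(lam, mu)
    return rates.index(min(rates))


if __name__ == "__main__":
    delays = simulate()
    print(f"simulated mean delay {sum(delays) / len(delays):.3f} d, "
          f"model {mean_delay():.3f} d")
    for T in (1.0, 3.0):
        frac = sum(d <= T for d in delays) / len(delays)
        print(f"visible within {T:.0f} d: simulated {frac:.3f}, model {visibility(T):.3f}")
    print("bottleneck platform:", PLATFORMS[bottleneck()])
```

With the assumed rates the aggregator (residual rate 2 - 1 = 1 per day) accounts for 1 of the 1.83 days of mean end-to-end delay, and only about a quarter of advisories are visible on the forum within a day of disclosure. Changing `MU` shows the effect the abstract refers to: halving the slowest platform's delay moves the visibility curve far more than the same change at a fast platform. The closed forms rely on exponential service and FIFO; with the empirical delay distributions the paper measures, only the simulation part of the block still applies.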


Cited By

  • (2024) On NVD Users' Attitudes, Experiences, Hopes, and Hurdles. Digital Threats: Research and Practice 5(3), 1–19. DOI: 10.1145/3688806. Online publication date: 21 August 2024


Published In

Risks and Security of Internet and Systems: 15th International Conference, CRiSIS 2020, Paris, France, November 4–6, 2020, Revised Selected Papers
Nov 2020, 377 pages
ISBN: 978-3-030-68886-8
DOI: 10.1007/978-3-030-68887-5

Publisher

Springer-Verlag, Berlin, Heidelberg
