№1, 2014


Yadigar N. Imamverdiyev

Prediction of the number of software vulnerabilities is important for assessing information security risks and for planning the resources needed to eliminate vulnerabilities rapidly. This paper proposes a GM(1, 1)-Markov model to predict the number of software vulnerabilities for a given time period. The proposed model is tested on the Microsoft XP operating system using a publicly available vulnerability database, the NVD (National Vulnerability Database). (pp. 26-37)

Keywords: information security; vulnerability; prediction; GM(1, 1)-Markov model