AZERBAIJAN NATIONAL ACADEMY OF SCIENCES
GM (1, 1)-MARKOV MODEL FOR SOFTWARE VULNERABILITIES PREDICTION (rus.)
Yadigar N. Imamverdiyev

Prediction of the number of software vulnerabilities is important for assessing information security risks and for planning the resources needed to eliminate vulnerabilities quickly. This paper proposes a GM(1, 1)-Markov model to predict the number of software vulnerabilities for a given time period. The proposed model is tested for the Microsoft XP operating system using a publicly available vulnerability database, the NVD (National Vulnerability Database). (pp. 26-37)

Keywords: information security; vulnerability; prediction; GM (1, 1)-Markov model
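The abstract names the GM(1, 1)-Markov approach but does not spell it out. The following Python script is added here as an illustration; it is not code from the paper or from the author. It implements the standard grey GM(1, 1) model (accumulated generating operation, least-squares fit of the development coefficient a and grey input b, time-response forecast) and then corrects the forecast with a Markov chain estimated from the relative residuals of the fit. The quarterly vulnerability counts, the four residual states and their boundaries, the use of the mean residual of a state as its correction factor, and the rule that a state with no observed outgoing transition persists are all assumptions of this example, not values or choices taken from the paper.

```python
import itertools
import math
from bisect import bisect_right

# Constructed sample input: quarterly counts of newly published
# vulnerabilities for a hypothetical product (not NVD data, not the paper's).
SAMPLE_COUNTS = [18, 21, 24, 22, 27, 31, 29, 34, 38, 36]

# Assumption: relative residuals are split into four Markov states by these
# boundaries: (-inf,-0.1)  [-0.1,0)  [0,0.1)  [0.1,inf)
STATE_BOUNDS = [-0.10, 0.0, 0.10]
N_STATES = len(STATE_BOUNDS) + 1


def fit_gm11(x0):
    """Least-squares fit of GM(1,1): returns (a, b) for dx1/dt + a*x1 = b,
    where x1 is the accumulated (1-AGO) series of x0."""
    if len(x0) < 4 or any(v <= 0 for v in x0):
        raise ValueError("GM(1,1) needs at least four positive observations")
    x1 = list(itertools.accumulate(x0))
    # mean-generated background values z1(k) = (x1(k) + x1(k-1)) / 2
    z = [0.5 * (x1[k] + x1[k - 1]) for k in range(1, len(x0))]
    y = x0[1:]
    m = len(y)
    # normal equations for x0(k) = -a*z1(k) + b, solved in closed form
    s_z, s_y = sum(z), sum(y)
    s_zz = sum(v * v for v in z)
    s_zy = sum(zi * yi for zi, yi in zip(z, y))
    det = s_zz * m - s_z * s_z
    a = (s_z * s_y - m * s_zy) / det
    b = (s_zz * s_y - s_z * s_zy) / det
    return a, b


def gm11_series(x0, a, b, horizon):
    """Fitted values for the n observed points followed by `horizon` forecasts,
    from the time-response function and inverse accumulation."""
    n = len(x0)
    if abs(a) < 1e-12:
        # degenerate case (flat series): the exponential collapses to a line
        x1_hat = [x0[0] + b * k for k in range(n + horizon)]
    else:
        c = x0[0] - b / a
        x1_hat = [c * math.exp(-a * k) + b / a for k in range(n + horizon)]
    return [x1_hat[0]] + [x1_hat[k] - x1_hat[k - 1] for k in range(1, n + horizon)]


def residual_state(rel_err):
    """Index of the residual state that a relative residual falls into."""
    return bisect_right(STATE_BOUNDS, rel_err)


def transition_matrix(states):
    """Row-stochastic one-step transition matrix estimated from state counts.
    Assumption: a state with no observed outgoing transition persists."""
    counts = [[0] * N_STATES for _ in range(N_STATES)]
    for s, t in zip(states, states[1:]):
        counts[s][t] += 1
    matrix = []
    for i, row in enumerate(counts):
        total = sum(row)
        if total:
            matrix.append([c / total for c in row])
        else:
            matrix.append([1.0 if j == i else 0.0 for j in range(N_STATES)])
    return matrix


def gm11_markov_predict(x0, horizon=1):
    """GM(1,1) forecast corrected by the most likely next residual state."""
    a, b = fit_gm11(x0)
    fitted = gm11_series(x0, a, b, horizon)
    n = len(x0)
    # relative residuals of the fitted part (k=0 is reproduced exactly, skip it)
    rel_err = [(x0[k] - fitted[k]) / fitted[k] for k in range(1, n)]
    states = [residual_state(e) for e in rel_err]
    matrix = transition_matrix(states)
    # correction factor per state: mean relative residual observed in it
    by_state = {}
    for s, e in zip(states, rel_err):
        by_state.setdefault(s, []).append(e)
    state_mean = {s: sum(v) / len(v) for s, v in by_state.items()}
    corrected, cur = [], states[-1]
    for step in range(horizon):
        row = matrix[cur]
        nxt = max(range(N_STATES), key=lambda j: row[j])
        corrected.append(fitted[n + step] * (1.0 + state_mean.get(nxt, 0.0)))
        cur = nxt
    return {"a": a, "b": b, "gm11": fitted[n:], "gm11_markov": corrected,
            "states": states, "transition_matrix": matrix}


if __name__ == "__main__":
    result = gm11_markov_predict(SAMPLE_COUNTS, horizon=2)
    print(f"a={result['a']:.4f} b={result['b']:.3f}")
    print("GM(1,1) forecast       :", [round(v, 1) for v in result["gm11"]])
    print("GM(1,1)-Markov forecast:", [round(v, 1) for v in result["gm11_markov"]])
```

On the constructed series the fit yields a negative development coefficient (a growing count), the plain GM(1,1) forecast for the next quarter is around 41, and the Markov step nudges it upward because the last residual state is most often followed by the state of small positive residuals. The flat-series branch matters in practice: a product with a constant disclosure rate makes a vanish, and without that branch the division by a would fail.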
References
  • Igure V., Williams R. Taxonomies of attacks and vulnerabilities in computer systems // IEEE Communications Surveys & Tutorials, 2008, vol.10, no.1, pp.6–19.
  • Hoglund G., McGraw G. Exploiting Software: How to Break Code. Addison-Wesley Professional, 2004.
  • Whittaker J.A., Thompson H.H. How to Break Software Security: Effective Techniques for Security Testing. Pearson, 2003.
  • Markov A.S., Fadin A.A. A taxonomy of vulnerabilities and security defects of software resources // Zashchita informatsii. INSIDE, 2013, no.3, pp.2–7.
  • National Infrastructure Advisory Council: Vulnerability Disclosure Framework, 2004.
  • Arbaugh W.A., Fithen W.L., McHugh J. Windows of vulnerability: A case study analysis // IEEE Computer, 2000, vol.33, no.12, pp.52–59.
  • Sezer E.C., Kil Ch., Ning P. Automated software vulnerability analysis. Advances in Information Security, 2010, vol.46, pp.201–223.
  • Takanen A., Vuorijärvi P., Laakso M., Röning J. Agents of responsibility in software vulnerability processes // Ethics and Information Technology, 2004, vol.6, no.2, pp.93–110.
  • Cavusoglu H., Cavusoglu H., Raghunathan S. Efficiency of vulnerability disclosure mechanisms to disseminate vulnerability knowledge // IEEE Transactions on Software Engineering, 2007, vol.33, no.3, pp.171–185.
  • Everett C. Zero-day, but not zero-risk // Infosecurity, 2007, vol.4, no.7, pp.36–39.
  • Miller C. The legitimate vulnerability market: Inside the secretive world of 0-day exploit sales / Proc. of the 6th Workshop on the Economics of Information Security, 2007, pp.1–10.
  • Radianti J., Gonzalez J.J. A preliminary model of the vulnerability black market / Proc. of the 25th International Conference of the System Dynamics Society, 2007, pp.1–30.
  • Evans N., Yuan X. Observation of recent Microsoft zero-day vulnerabilities / Proc. of the 49th Annual ACM Southeast Regional Conference, 2011, pp.328–329.
  • Anderson R. Security in open versus closed systems - the dance of Boltzmann, Coase and Moore / Proc. of Open Source Software: Economics, Law and Policy, 2002, pp.1–13.
  • Rescorla E. Is finding security holes a good idea? // IEEE Security and Privacy, 2005, vol.3, no.1, pp.14–19.
  • Alhazmi O.H., Malaiya Y.K. Modeling the vulnerability discovery process / Proc. of the 16th IEEE International Symposium on Software Reliability Engineering, 2005, pp.129–138.
  • Alhazmi O.H., Malaiya Y.K. Prediction capabilities of vulnerability discovery models / Proc. of the Annual Reliability and Maintainability Symposium, 2006, pp.86–91.
  • Alhazmi O.H., Malaiya Y.K., Ray I. Measuring, analyzing and predicting security vulnerabilities in software systems // Computers & Security, 2007, vol.26, no.3, pp.219–228.
  • Alhazmi O.H., Malaiya Y.K. Application of vulnerability discovery models to major operating systems // IEEE Transactions on Reliability, 2008, vol.57, no.1, pp.14–22.
  • Woo S.-W., Alhazmi O.H., Malaiya Y.K. An analysis of the vulnerability discovery process in web browsers / Proc. of 10th IASTED International Conference on Software Engineering and Applications, 2006, pp.172–177.
  • Woo S.-W., Joh H., Alhazmi O.H., Malaiya Y.K. Modeling vulnerability discovery process in Apache and IIS HTTP servers // Computers & Security, 2011, vol.30, no.1, pp.50–62.
  • Neuhaus S., Zimmermann T., Holler C., Zeller A. Predicting vulnerable software components / Proc. of the 14th ACM Conference on Computer and Communications Security, 2007, pp.529–540.
  • Nguyen V.H., Massacci F. An independent validation of vulnerability discovery models / Proc. of the 8th ACM Symposium on Information, Computer and Communications Security, 2012, pp.6–7.
  • Ozment A. Improving vulnerability discovery models / Proc. of the ACM Workshop on Quality of Protection, 2007, pp.6–11.
  • Okamura H., Tokuzane M., Dohi T. Quantitative security evaluation for software system from vulnerability database // Journal of Software Engineering and Applications, 2013, vol.6, no.4A, pp.15–23.
  • Zhang S., Caragea D., Ou X. An empirical study on using the National Vulnerability Database to predict software vulnerabilities / Proc. of the 22nd International Conference on Database and Expert Systems Applications, 2011, Part I, pp.217–231.
  • Nguyen V. H., Massacci F. The (un)reliability of NVD vulnerable versions data: an empirical experiment on Google Chrome vulnerabilities / Proc. of the 8th ACM Symposium on Information, Computer and Communications Security, 2013, pp.493–498.
  • McQueen M.A., McQueen T.A., Boyer W.F., Chan M.R. Empirical estimates and observations of 0day vulnerabilities / Proc. of the 42nd Hawaii International Conference on System Sciences, 2009, pp.1–12.
  • Bilge L., Dumitras T. Before we knew it: An empirical study of zero-day attacks in the real world / Proc. of the ACM conference on Computer and Communications Security, 2012, pp.833–844.
  • Deng J. Introduction to grey system theory // Journal of Grey System, 1989, vol.1, no.1, pp.1–24.
  • Liu S., Lin Y. Grey systems theory and applications. Springer-Verlag Berlin Heidelberg. 2011, 379 p.
  • Kayacan E., Kaynak O., Ulutas B. Grey system theory-based models in time series prediction // Expert Systems with Application, 2010, vol.37, no.2, pp.1784–1789.
  • Wang Y.F. Predicting stock price using fuzzy grey prediction system // Expert Systems with Applications, 2002, vol.22, no.1, pp.33–39.
  • Chiu N.H. An early software-quality classification based on improved grey relational classifier // Expert Systems with Applications, 2009, vol.36, no.7, pp.10727–10734.
  • Zhang Y. Predicting model of traffic volume based on Grey-Markov // Modern Applied Science, 2010, vol.4, no.3, pp.46–50. 
  • Hsu C.C., Chen C.Y. Application of improved grey prediction model for power demand forecasting // Energy Conversion and Management, 2003, vol.44, no.14, pp.2241–2249.
  • Li C. Grey Markov model based on parameter fits and its application in stock price prediction / Proc. of the 6th International Conference on Intelligent Systems Design and Applications, 2006, vol.1, pp.594–598.
  • National Vulnerability Database (NVD). http://nvd.nist.gov/home.cfm
  • The open source vulnerability database. http://www.osvdb.org/, 2012.
  • TippingPoint: The Zero Day Initiative (ZDI). http://www.zerodayinitiative.com/
  • Mell P., Scarfone K., Romansky S. A Complete Guide to the Common Vulnerability Scoring System Version 2.0. Forum of Incident Response and Security Teams, June 2007. www.first.org/cvss/cvss-guide.html.