PNPM '01 Proceedings of the 9th international Workshop on Petri Nets and Performance Models (PNPM'01)
Is Finding Security Holes a Good Idea?
IEEE Security and Privacy
Matching attack patterns to security vulnerabilities in software-intensive system designs
SESS '05 Proceedings of the 2005 workshop on Software engineering for secure systems—building trustworthy applications
Large-scale vulnerability analysis
Proceedings of the 2006 SIGCOMM workshop on Large-scale attack defense
Milk or wine: does software security improve with age?
USENIX-SS'06 Proceedings of the 15th conference on USENIX Security Symposium - Volume 15
Improving VRSS-based vulnerability prioritization using analytic hierarchy process
Journal of Systems and Software
Network vulnerability analysis using text mining
ACIIDS'12 Proceedings of the 4th Asian conference on Intelligent Information and Database Systems - Volume Part II
A large scale exploratory analysis of software vulnerability life cycles
Proceedings of the 34th International Conference on Software Engineering
| Hi-index | 0.00 |
This paper presents the quantitative characterization of vulnerability life cycle and of exploit creation by probability distributions. This work aims at helping the production of quantitative measures of information system security considering system environment. In this paper, we focus on two environmental factors: 1) the vulnerability life cycle and 2) the attacker behaviour. We look for the probability distributions and their parameters that could model quantatively these environmental factor events. Thus, to obtain precise measures, it is needed to characterize these events using real data. For that purpose, we first selected an appropriate vulnerability database by comparing the existing and available ones. We choose the Open Source Vulnerability DataBase. After having brought back the data we need, we evaluate quantitatively the model parameters related to the vulnerability life cycle and the attacker behaviour. In doing so, we look for specificities of vulnerability categories to define the parameterization of our quantitative security evaluation modelling more precisely.