Time Lag-Based Modelling for Software Vulnerability Exploitation Process

Authors

  • Adarsh Anand Department of Operational Research, University of Delhi, India
  • Navneet Bhatt Department of Operational Research, University of Delhi, India https://orcid.org/0000-0003-3737-7736
  • Jasmine Kaur Department of Operational Research, University of Delhi, India https://orcid.org/0000-0002-3683-0909
  • Yoshinobu Tamura Department of Industrial & Management Systems Engineering, Faculty of Knowledge Engineering, Tokyo City University, Japan https://orcid.org/0000-0001-7665-5765

DOI:

https://doi.org/10.13052/jcsm2245-1439.1042

Keywords:

Exploits, Patch, Security, Updates, Vulnerability, Vulnerability Discovery Models

Abstract

With the increase in the discovery of vulnerabilities, the expected exploits occurring on various software platforms have shown increased growth with respect to time. Potential vulnerabilities might be exploited only after being discovered. There exists a finite time lag in the exploitation process, between the moment the hackers get information about the discovery of a vulnerability and the final exploitation. By making use of the time lag approach, we have developed a framework for a vulnerability exploitation process that occurs in multiple stages. The time lag between the discovery and exploitation of a vulnerability has been bridged via the memory kernel function over a finite time interval. The applicability of the proposed model has been validated using various software exploit datasets.

Author Biographies

Adarsh Anand, Department of Operational Research, University of Delhi, India

Adarsh Anand did his doctorate in the area of Software Reliability Assessment and Innovation Diffusion Modeling in Marketing. Presently he is working as an Assistant Professor in the Department of Operational Research, University of Delhi (INDIA). He was conferred with Young Promising Researcher in the field of Technology Management and Software Reliability by the Society for Reliability Engineering, Quality and Operations Management (SREQOM) in 2012. He is a lifetime member of the SREQOM. He has publications in journals of national and international repute. His research interests include software reliability growth modelling, modelling innovation adoption and successive generations in marketing, and social network analysis. He has worked with CRC Press on two editorial projects: “System Reliability Management: Solutions and Technologies” and “Recent Advancements in Software Reliability Assurance”. He has also authored one textbook with the CRC group: “Market Assessment with OR Applications”.

Navneet Bhatt, Department of Operational Research, University of Delhi, India

Navneet Bhatt received his B.Sc. in Computer Science, M.Sc. in Applied Operational Research and Ph.D. degrees from the University of Delhi in 2011, 2013 and 2021, respectively. He is a lifetime member of the Society for Reliability Engineering, Quality and Operations Management (SREQOM). His current research is focused on Software Vulnerability Discovery Modeling, Software Reliability, Machine Learning and Multi-criteria decision modeling.

Jasmine Kaur, Department of Operational Research, University of Delhi, India

Jasmine Kaur is presently pursuing a Ph.D. in the Department of Operational Research, University of Delhi, Delhi (INDIA). She obtained her B.Sc. (H) Mathematics, M.Sc. in Applied Operational Research, and M.Phil. in Operational Research degrees in 2013, 2015 and 2017, respectively, from the University of Delhi, Delhi (INDIA). She joined as a research scholar in the Department of Operational Research in 2015. Her research areas are Software Reliability and Software Security. She has publications in journals of national and international repute.

Yoshinobu Tamura, Department of Industrial & Management Systems Engineering, Faculty of Knowledge Engineering, Tokyo City University, Japan

Yoshinobu Tamura received the BSE, MS, and Ph.D. degrees from Tottori University in 1998, 2000, and 2003, respectively. From 2003 to 2006, he was a Research Assistant at Tottori University of Environmental Studies. From 2006 to 2009, he was a Lecturer and Associate Professor at the Faculty of Applied Information Science of Hiroshima Institute of Technology, Hiroshima, Japan. From 2009 to 2017, he was an Associate Professor at the Graduate School of Sciences and Technology for Innovation, Yamaguchi University, Ube, Japan. From 2017 to 2019, he worked as a Doctor at the Faculty of Knowledge Engineering, Tokyo City University, Tokyo, Japan. Since 2020, he has been working as a Doctor at the Faculty of Information Technology, Tokyo City University, Tokyo, Japan. His research interests include reliability assessment for open-source software, big data, clouds, and reliability. He is a regular member of the Institute of Electronics, the Information and Communication Engineers of Japan, the Operations Research Society of Japan, the Society of Project Management of Japan, the Reliability Engineering Association of Japan, and the IEEE. He has authored the book entitled OSS Reliability Measurement and Assessment (Springer International Publishing, 2016). Dr. Tamura received the Presentation Award of the Seventh International Conference on Industrial Management in 2004, the IEEE Reliability Society Japan Chapter Awards in 2007, the Research Leadership Award in Area of Reliability from the ICRITO in 2010, the Best Paper Award of the IEEE International Conference on Industrial Engineering and Engineering Management in 2012, Honorary Professor from Amity University of India in 2017, and the Best Paper Award of the 24th ISSAT International Conference on Reliability and Quality in Design in 2018.

Published

2021-06-15

Issue

Section

Emerging Trends in Cyber Security and Cryptography