Computer Science – Cryptography and Security
Scientific paper
2012-03-26
This paper is to appear in ASIACCS'12
A precise vulnerability discovery model (VDM) would give useful quantitative insight for assessing software security. Several models have been proposed so far, with some evidence supporting their goodness-of-fit. In this work we describe an independent validation of the applicability of six existing VDMs on seventeen releases of three popular browsers: Firefox, Google Chrome and Internet Explorer. We have collected five different kinds of data sets, each based on a different definition of a vulnerability. We introduce two quantitative metrics, goodness-of-fit entropy and goodness-of-fit quality, to analyze the impact of the vulnerability data sets on the stability and the quality of VDMs over the software life cycle. The experimental results show that the "confirmed-by-vendors' advisories" data sets yield noticeably more stable and better results for VDMs, and that the s-shaped logistic model (AML) performs best overall. The Anderson thermodynamic model (AT), by contrast, is not suitable for modeling the vulnerability discovery process. This suggests that vulnerabilities and ordinary bugs are discovered by different processes, because people have a stronger interest in finding security vulnerabilities than in finding ordinary programming bugs.
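As an added worked example (not code from the paper or its authors), the comparison the abstract describes can be reproduced in miniature: fit the s-shaped AML model and the AT model to a cumulative vulnerability series and score each fit. The two model formulas are the standard published forms (AML: Ω(t) = B / (B·C·e^(-A·B·t) + 1); AT: Ω(t) = k·ln(t) + C), which the abstract only names; the monthly series, the grid-search fitting procedure and the SSE / chi-square scoring are constructed here for illustration and are not the paper's data sets or its goodness-of-fit entropy and quality metrics.

```python
import math

# Constructed sample (not from the paper): cumulative count of publicly known
# vulnerabilities for a hypothetical browser release, sampled monthly after
# release. The values were chosen by hand to follow an S-shaped curve.
MONTHS = list(range(1, 25))
CUMULATIVE = [2, 3, 4, 5, 6, 7, 9, 11, 14, 16, 19, 22,
              26, 29, 33, 36, 40, 43, 46, 48, 50, 52, 53, 55]


def aml(t, a, b, c):
    """S-shaped Alhazmi-Malaiya Logistic (AML) model in its published form:
    Omega(t) = B / (B*C*exp(-A*B*t) + 1). B is the eventual vulnerability total."""
    return b / (b * c * math.exp(-a * b * t) + 1.0)


def at(t, k, c):
    """Anderson Thermodynamic (AT) model in its published form, with the k/gamma
    factor collapsed into a single coefficient: Omega(t) = k*ln(t) + C."""
    return k * math.log(t) + c


def linear_fit(xs, ys):
    """Ordinary least squares for y = slope*x + intercept."""
    n = len(xs)
    mx, my = sum(xs) / n, sum(ys) / n
    sxx = sum((x - mx) ** 2 for x in xs)
    sxy = sum((x - mx) * (y - my) for x, y in zip(xs, ys))
    slope = sxy / sxx
    return slope, my - slope * mx


def sse(observed, predicted):
    """Sum of squared errors on the original count scale."""
    return sum((o - p) ** 2 for o, p in zip(observed, predicted))


def chi_square(observed, predicted):
    """Pearson chi-square statistic (smaller is better). A model that predicts a
    non-positive cumulative count cannot be scored this way, so return inf."""
    if any(p <= 0 for p in predicted):
        return float("inf")
    return sum((o - p) ** 2 / p for o, p in zip(observed, predicted))


def fit_aml(ts, ys):
    """Fit (A, B, C). For a fixed B the model linearises:
    ln(B/Omega - 1) = ln(B*C) - A*B*t, so regress that on t for each candidate B
    on a grid above max(ys) and keep the B whose fit has the smallest SSE."""
    best = None
    b = max(ys) + 1.0
    while b <= 3.0 * max(ys):
        zs = [math.log(b / y - 1.0) for y in ys]
        slope, intercept = linear_fit(ts, zs)
        a, c = -slope / b, math.exp(intercept) / b
        err = sse(ys, [aml(t, a, b, c) for t in ts])
        if best is None or err < best[0]:
            best = (err, a, b, c)
        b += 0.5
    return best[1], best[2], best[3]


def fit_at(ts, ys):
    """Fit (k, C) by regressing Omega on ln(t)."""
    return linear_fit([math.log(t) for t in ts], ys)


def compare_models(ts, ys):
    """Fit both models and return their parameters and fit scores."""
    a, b, c = fit_aml(ts, ys)
    k, c2 = fit_at(ts, ys)
    pred_aml = [aml(t, a, b, c) for t in ts]
    pred_at = [at(t, k, c2) for t in ts]
    return {
        "aml": {"params": (a, b, c), "sse": sse(ys, pred_aml),
                "chi2": chi_square(ys, pred_aml)},
        "at": {"params": (k, c2), "sse": sse(ys, pred_at),
               "chi2": chi_square(ys, pred_at)},
    }


if __name__ == "__main__":
    for name, result in compare_models(MONTHS, CUMULATIVE).items():
        print(name, result)
```

On this series the logistic fit tracks the counts to within about one vulnerability per month, while the logarithmic AT curve, which has no inflection point, is forced so far off at the start of the series that it predicts a negative cumulative count for the first month and cannot be scored by chi-square at all; that is the same qualitative finding the abstract reports for AT.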
Massacci Fabio
Nguyen Viet Hung
An Independent Validation of Vulnerability Discovery Models