Periodicity in software vulnerability discovery, patching and exploitation.
Saved in:
| Title: | Periodicity in software vulnerability discovery, patching and exploitation. |
|---|---|
| Authors: | Joh, HyunChul1, Malaiya, Yashwant2 |
| Source: | International Journal of Information Security. Nov2017, Vol. 16 Issue 6, p673-690. 18p. |
| Subjects: | Computer security laws, Computer security vulnerabilities, Economic seasonal variations, Cycles, Computer operating systems |
| Abstract: | Periodicity in key processes related to software vulnerabilities need to be taken into account for assessing security at a given time. Here, we examine the actual multi-year field datasets for some of the most used software systems (operating systems and Web-related software) for potential annual variations in vulnerability discovery processes. We also examine weekly periodicity in the patching and exploitation of the vulnerabilities. Accurate projections of the vulnerability discovery process are required to optimally allocate the effort needed to develop patches for handling discovered vulnerabilities. A time series analysis that combines the periodic pattern and longer-term trends allows the developers to predict future needs more accurately. We analyze eighteen datasets of software systems for annual seasonality in their vulnerability discovery processes. This analysis shows that there are indeed repetitive annual patterns. Next, some of the datasets from a large number of major organizations that record the result of daily scans are examined for potential weekly periodicity and its statistical significance. The results show a 7-day periodicity in the presence of unpatched vulnerabilities, as well as in the exploitation pattern. The seasonal index approach is used to examine the statistical significance of the observed periodicity. The autocorrelation function is used to identify the exact periodicity. The results show that periodicity needs to be considered for optimal resource allocations and for evaluation of security risks. [ABSTRACT FROM AUTHOR] |
| Copyright of International Journal of Information Security is the property of Springer Nature and its content may not be copied or emailed to multiple sites without the copyright holder's express written permission. Additionally, content may not be used with any artificial intelligence tools or machine learning technologies. However, users may print, download, or email articles for individual use. This abstract may be abridged. No warranty is given about the accuracy of the copy. Users should refer to the original published version of the material for the full abstract. (Copyright applies to all Abstracts.) | |
| Database: | Engineering Source |
| FullText | Links: – Type: pdflink Text: Availability: 0 |
|---|---|
| Header | DbId: egs DbLabel: Engineering Source An: 125085391 AccessLevel: 6 PubType: Academic Journal PubTypeId: academicJournal PreciseRelevancyScore: 0 |
| IllustrationInfo | |
| Items | – Name: Title Label: Title Group: Ti Data: Periodicity in software vulnerability discovery, patching and exploitation. – Name: Author Label: Authors Group: Au Data: <searchLink fieldCode="AR" term="%22Joh%2C+HyunChul%22">Joh, HyunChul</searchLink><relatesTo>1</relatesTo><br /><searchLink fieldCode="AR" term="%22Malaiya%2C+Yashwant%22">Malaiya, Yashwant</searchLink><relatesTo>2</relatesTo> – Name: TitleSource Label: Source Group: Src Data: <searchLink fieldCode="JN" term="%22International+Journal+of+Information+Security%22">International Journal of Information Security</searchLink>. Nov2017, Vol. 16 Issue 6, p673-690. 18p. – Name: Subject Label: Subjects Group: Su Data: <searchLink fieldCode="DE" term="%22Computer+security+laws%22">Computer security laws</searchLink><br /><searchLink fieldCode="DE" term="%22Computer+security+vulnerabilities%22">Computer security vulnerabilities</searchLink><br /><searchLink fieldCode="DE" term="%22Economic+seasonal+variations%22">Economic seasonal variations</searchLink><br /><searchLink fieldCode="DE" term="%22Cycles%22">Cycles</searchLink><br /><searchLink fieldCode="DE" term="%22Computer+operating+systems%22">Computer operating systems</searchLink> – Name: Abstract Label: Abstract Group: Ab Data: Periodicity in key processes related to software vulnerabilities need to be taken into account for assessing security at a given time. Here, we examine the actual multi-year field datasets for some of the most used software systems (operating systems and Web-related software) for potential annual variations in vulnerability discovery processes. We also examine weekly periodicity in the patching and exploitation of the vulnerabilities. Accurate projections of the vulnerability discovery process are required to optimally allocate the effort needed to develop patches for handling discovered vulnerabilities. A time series analysis that combines the periodic pattern and longer-term trends allows the developers to predict future needs more accurately. We analyze eighteen datasets of software systems for annual seasonality in their vulnerability discovery processes. This analysis shows that there are indeed repetitive annual patterns. Next, some of the datasets from a large number of major organizations that record the result of daily scans are examined for potential weekly periodicity and its statistical significance. The results show a 7-day periodicity in the presence of unpatched vulnerabilities, as well as in the exploitation pattern. The seasonal index approach is used to examine the statistical significance of the observed periodicity. The autocorrelation function is used to identify the exact periodicity. The results show that periodicity needs to be considered for optimal resource allocations and for evaluation of security risks. [ABSTRACT FROM AUTHOR] – Name: AbstractSuppliedCopyright Label: Group: Ab Data: <i>Copyright of International Journal of Information Security is the property of Springer Nature and its content may not be copied or emailed to multiple sites without the copyright holder's express written permission. Additionally, content may not be used with any artificial intelligence tools or machine learning technologies. However, users may print, download, or email articles for individual use. This abstract may be abridged. No warranty is given about the accuracy of the copy. Users should refer to the original published version of the material for the full abstract.</i> (Copyright applies to all Abstracts.) |
| PLink | https://search.ebscohost.com/login.aspx?direct=true&site=eds-live&db=egs&AN=125085391 |
| RecordInfo | BibRecord: BibEntity: Identifiers: – Type: doi Value: 10.1007/s10207-016-0345-x Languages: – Code: eng Text: English PhysicalDescription: Pagination: PageCount: 18 StartPage: 673 Subjects: – SubjectFull: Computer security laws Type: general – SubjectFull: Computer security vulnerabilities Type: general – SubjectFull: Economic seasonal variations Type: general – SubjectFull: Cycles Type: general – SubjectFull: Computer operating systems Type: general Titles: – TitleFull: Periodicity in software vulnerability discovery, patching and exploitation. Type: main BibRelationships: HasContributorRelationships: – PersonEntity: Name: NameFull: Joh, HyunChul – PersonEntity: Name: NameFull: Malaiya, Yashwant IsPartOfRelationships: – BibEntity: Dates: – D: 01 M: 11 Text: Nov2017 Type: published Y: 2017 Identifiers: – Type: issn-print Value: 16155262 Numbering: – Type: volume Value: 16 – Type: issue Value: 6 Titles: – TitleFull: International Journal of Information Security Type: main |
| ResultId | 1 |