Quantitative analyses of software vulnerabilities

dc.contributor.author: Joh, HyunChul, author
dc.contributor.author: Malaiya, Yashwant K., advisor
dc.contributor.author: Ray, Indrajit, committee member
dc.contributor.author: Ray, Indrakshi, committee member
dc.contributor.author: Jayasumana, Anura P., committee member
dc.date.accessioned: 2007-01-03T08:20:38Z
dc.date.available: 2007-01-03T08:20:38Z
dc.date.issued: 2011
dc.description.abstract: There have been numerous studies addressing computer security and software vulnerability management. Most of the time, they have taken a qualitative perspective. In many other disciplines, quantitative analyses have been indispensable for performance assessment, metric measurement, functional evaluation, or statistical modeling. Quantitative approaches can also help to improve software risk management by providing guidelines obtained by using actual data-driven analyses for optimal allocations of resources for security testing, scheduling, and development of security patches. Quantitative methods allow objective and more accurate estimates of future trends than qualitative manners alone, because a quantitative approach uses real datasets with statistical methods, which have proven to be a very powerful prediction approach in several research fields. A quantitative methodology makes it possible for end-users to assess the risks posed by vulnerabilities in software systems, and potential breaches, without getting burdened by details of every individual vulnerability. At the moment, quantitative risk analysis in information security systems is still in its infancy stage. However, recently, researchers have started to explore various software vulnerability related attributes quantitatively, as the vulnerability datasets have now become large enough for statistical analyses. In this dissertation, quantitative analysis is presented dealing with i) modeling vulnerability discovery processes in major Web servers and browsers, ii) the relationship between the performance of S-shaped vulnerability discovery models and the skew in the vulnerability datasets examined, iii) linear vulnerability discovery trends in multi-version software systems, iv) periodic behavior in weekly exploitation and patching of vulnerabilities as well as the long term vulnerability discovery process, and v) software security risk evaluation with respect to the vulnerability lifecycle and CVSS.
Results show superior vulnerability discovery model fittings and reasonable prediction capabilities for both time-based and effort-based models for datasets from Web servers and browsers. Results also show that AML and Gamma distribution based models perform better than other S-shaped models with left- and right-skewed datasets respectively. We find that code sharing among the successive versions causes a linear discovery pattern. We establish that there are indeed long and short term periodic patterns in software vulnerability related activities, which have been only vaguely recognized by security researchers. Lastly, a framework for software security risk assessment is proposed which can allow a comparison of software systems in terms of the risk and potential approaches for optimization of remediation.
dc.format.medium: born digital
dc.format.medium: doctoral dissertations
dc.identifier: Joh_colostate_0053A_10768.pdf
dc.identifier: ETDF2011400249COMS
dc.identifier.uri: http://hdl.handle.net/10217/70444
dc.language: English
dc.language.iso: eng
dc.publisher: Colorado State University. Libraries
dc.relation.ispartof: 2000-2019
dc.rights: Copyright and other restrictions may apply. User is responsible for compliance with all applicable laws. For information about copyright law, please see https://libguides.colostate.edu/copyright.
dc.subject: modeling
dc.subject: quantitative analysis
dc.subject: risk
dc.subject: security
dc.subject: software
dc.subject: vulnerability discovery process
dc.title: Quantitative analyses of software vulnerabilities
dc.type: Text
dcterms.rights.dpla: This Item is protected by copyright and/or related rights (https://rightsstatements.org/vocab/InC/1.0/). You are free to use this Item in any way that is permitted by the copyright and related rights legislation that applies to your use. For other uses you need to obtain permission from the rights-holder(s).
thesis.degree.discipline: Computer Science
thesis.degree.grantor: Colorado State University
thesis.degree.level: Doctoral
thesis.degree.name: Doctor of Philosophy (Ph.D.)

Files

Original bundle
Name: Joh_colostate_0053A_10768.pdf
Size: 4.81 MB
Format: Adobe Portable Document Format