
Proceedings Paper

A preliminary analysis of quantifying computer security vulnerability data in "the wild"
Author(s): Katheryn A. Farris; Sean R. McNamara; Adam Goldstein; George Cybenko

Paper Abstract

A system of computers, networks and software has some level of vulnerability exposure that puts it at risk to criminal hackers. Presently, most vulnerability research uses data from software vendors, and the National Vulnerability Database (NVD). We propose an alternative path forward through grounding our analysis in data from the operational information security community, i.e. vulnerability data from "the wild". In this paper, we propose a vulnerability data parsing algorithm and an in-depth univariate and multivariate analysis of the vulnerability arrival and deletion process (also referred to as the vulnerability birth-death process). We find that vulnerability arrivals are best characterized by the log-normal distribution and vulnerability deletions are best characterized by the exponential distribution. These distributions can serve as prior probabilities for future Bayesian analysis. We also find that over 22% of the deleted vulnerability data have a rate of zero, and that the arrival vulnerability data is always greater than zero. Finally, we quantify and visualize the dependencies between vulnerability arrivals and deletions through a bivariate scatterplot and statistical observations.

Paper Details

Date Published: 12 May 2016
PDF: 17 pages
Proc. SPIE 9825, Sensors, and Command, Control, Communications, and Intelligence (C3I) Technologies for Homeland Security, Defense, and Law Enforcement Applications XV, 98250T (12 May 2016); doi: 10.1117/12.2230589
Katheryn A. Farris, Thayer School of Engineering at Dartmouth (United States)
Sean R. McNamara, Dartmouth College (United States)
Adam Goldstein, Dartmouth College (United States)
George Cybenko, Thayer School of Engineering at Dartmouth (United States)


Published in SPIE Proceedings Vol. 9825:
Sensors, and Command, Control, Communications, and Intelligence (C3I) Technologies for Homeland Security, Defense, and Law Enforcement Applications XV
Edward M. Carapezza, Editor(s)

© SPIE.