Modeling vulnerability discovery process in Apache and IIS HTTP servers

Vulnerability discovery models allow prediction of the number of vulnerabilities that are likely to be discovered in the future. Hence, they allow the vendors and the end users to manage risk by optimizing resource allocation. Most vulnerability discovery models proposed use the time as an independe...

Full description

Saved in:
Bibliographic Details
Published in:Computers & security 2011, Vol.30 (1), p.50-62
Main Authors: Woo, Sung-Whan, Joh, HyunChul, Alhazmi, Omar H., Malaiya, Yashwant K.
Format: Article
Language:English
Subjects:
End users
Network security
Protocol
Quantitative modeling
Risk assessment
Risk evaluation
Security
Servers
Studies
Vulnerability discovery model (VDM)
Web server
Citations: Items that this one cites
Items that cite this one
Online Access:Get full text
Tags: Add Tag
No Tags, Be the first to tag this record!
Description
Summary:Vulnerability discovery models allow prediction of the number of vulnerabilities that are likely to be discovered in the future. Hence, they allow the vendors and the end users to manage risk by optimizing resource allocation. Most vulnerability discovery models proposed use the time as an independent variable. Effort-based modeling has also been proposed, which requires the use of market share data. Here, the feasibility of characterizing the vulnerability discovery process in the two major HTTP servers, Apache and IIS, is quantitatively examined using both time and effort-based vulnerability discovery models, using data spanning more than a decade. The data used incorporates the effect of software evolution for both servers. In addition to aggregate vulnerabilities, different groups of vulnerabilities classified using both the error types and severity levels are also examined. Results show that the selected vulnerability discovery models of both types can fit the data of the two HTTP servers very well. Results also suggest that separate modeling for an individual class of vulnerabilities can be done. In addition to the model fitting, predictive capabilities of the two models are also examined. The results demonstrate the applicability of quantitative methods to widely-used products, which have undergone evolution.
ISSN:0167-4048
1872-6208
DOI:10.1016/j.cose.2010.10.007