The Measurement of Popularity and Prevalence of Software Vulnerability
DOI: https://doi.org/10.47839/ijc.20.4.2446
Keywords: trend analysis, CVE, vulnerability assessment, impact evaluation
Abstract
Prioritizing bug fixes has become a daunting task because of the growing number of vulnerability disclosure programs. When making a decision, not only the Common Vulnerability Scoring System (CVSS) score but also the probability of exploitation and the trend of the particular security issue should be taken into account. This paper discusses the sources and approaches for measuring the degree of interest in a specific vulnerability at a particular point in real time. This research presents a new metric and estimation model based on vulnerability assessment. We compared several techniques to determine the most suitable approach and the most relevant sources for improving vulnerability management and prioritization. We chose the Google Trends analytics tool to gather trend data, identify the main features and build the data set. The result of this study is a regression equation that helps prioritize vulnerabilities efficiently by considering the public interest in the particular security issue. The proposed method estimates the popularity of Common Vulnerabilities and Exposures (CVE) entries using public resources.
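To illustrate the kind of prioritization the abstract describes, here is an added example (not the paper's code or its fitted model) that extracts simple trend features from constructed Google-Trends-style weekly interest series and combines them with CVSS in a linear score; the CVE ids, interest values and regression weights are placeholders chosen for illustration.

```python
"""Rank CVEs by a linear score over CVSS plus public-interest trend features.

Constructed example: the weekly interest values (0..100, like Google Trends
output), the CVE ids and the regression weights are hypothetical placeholders,
not the coefficients fitted in the paper.
"""

# Constructed weekly interest series, most recent week last (not real data).
TREND = {
    "CVE-2019-0001": [2, 3, 5, 20, 60, 100, 85, 70],   # interest spiking now
    "CVE-2019-0002": [90, 80, 60, 40, 20, 10, 5, 3],   # interest fading
    "CVE-2019-0003": [1, 1, 2, 1, 2, 1, 1, 2],         # no public interest
}
# Constructed CVSS base scores for the same hypothetical CVEs.
CVSS = {"CVE-2019-0001": 6.5, "CVE-2019-0002": 9.8, "CVE-2019-0003": 9.1}

# Placeholder regression weights (hypothetical, for illustration only).
WEIGHTS = {"intercept": 0.0, "cvss": 0.5, "peak": 0.03, "recent": 0.02, "slope": 0.05}


def trend_features(series):
    """Peak interest, mean of the last 4 weeks, and least-squares slope per week."""
    n = len(series)
    peak = max(series)
    recent = sum(series[-4:]) / min(4, n)
    x_mean = (n - 1) / 2
    y_mean = sum(series) / n
    num = sum((i - x_mean) * (y - y_mean) for i, y in enumerate(series))
    den = sum((i - x_mean) ** 2 for i in range(n))
    slope = num / den if den else 0.0
    return {"peak": peak, "recent": recent, "slope": slope}


def popularity_score(cve):
    """Linear combination of CVSS and trend features using the placeholder weights."""
    f = trend_features(TREND[cve])
    w = WEIGHTS
    return (w["intercept"] + w["cvss"] * CVSS[cve] + w["peak"] * f["peak"]
            + w["recent"] * f["recent"] + w["slope"] * f["slope"])


def prioritize(cves):
    """Return CVE ids ordered from highest to lowest combined score."""
    return sorted(cves, key=popularity_score, reverse=True)


if __name__ == "__main__":
    for cve in prioritize(list(TREND)):
        print(cve, round(popularity_score(cve), 2))
```

With these placeholder weights the lower-CVSS but currently trending CVE-2019-0001 ranks above the CVSS 9.8 entry whose public interest has faded, which is the effect the abstract's metric is meant to capture.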
International Journal of Computing is an open access journal. Authors who publish with this journal agree to the following terms:
• Authors retain copyright and grant the journal right of first publication with the work simultaneously licensed under a Creative Commons Attribution License that allows others to share the work with an acknowledgement of the work's authorship and initial publication in this journal.
• Authors are able to enter into separate, additional contractual arrangements for the non-exclusive distribution of the journal's published version of the work (e.g., post it to an institutional repository or publish it in a book), with an acknowledgement of its initial publication in this journal.
• Authors are permitted and encouraged to post their work online (e.g., in institutional repositories or on their website) prior to and during the submission process, as it can lead to productive exchanges, as well as earlier and greater citation of published work.