Int J Performability Eng ›› 2020, Vol. 16 ›› Issue (7): 1008-1018.doi: 10.23940/ijpe.20.07.p3.10081018


Empirical Characterization of the Likelihood of Vulnerability Discovery

Carl Wilhjelm (a), Taslima Kotadiya (a), and Awad A. Younis (b, *)

  a. Georgia State University, Atlanta, GA 30303, United States;
  b. Northern Kentucky University, Highland Heights, KY 41099, United States
  * Corresponding author. E-mail address: mussaa1@nku.edu

Abstract: Assessing the likelihood that a vulnerability will be discovered is important for decision-makers who must prioritize which vulnerability to investigate and fix first. Currently, the likelihood of vulnerability discovery is assessed based on expert opinion, which could potentially hinder its accuracy. In this study, we propose using Time to Vulnerability Disclosure (TTVD) as a proxy for assessing the likelihood of vulnerability discovery. We then empirically explore characterizing TTVD using intrinsic vulnerability attributes, including the CVSS Base metrics and vulnerability types. We examine 799 reported vulnerabilities of Chrome and 156 vulnerabilities of the Apache HTTP server. The results show that TTVD is correlated at a statistically significant level with some of the intrinsic attributes, namely the access complexity metric, the confidentiality and integrity metrics, and the vulnerability types. Our machine learning analysis also shows that ranges of TTVD values are associated with specific combined values of the metrics under consideration.
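As an added illustration of the analysis the abstract describes (this is not the paper's code or data), the Python below computes TTVD for a constructed set of vulnerability records, rank-correlates it with ordinally encoded CVSS v2 base metrics, and buckets TTVD by combined metric profile. The TTVD definition used (days from the vulnerable version's release to public disclosure), the ordinal encodings and every record are assumptions made for the example.

```python
from datetime import date
from statistics import mean

# Constructed sample records (not data from the paper): release date of the vulnerable
# version, public disclosure date, CVSS v2 Access Complexity, Confidentiality, Integrity.
SAMPLE = [
    (date(2015, 1, 10), date(2015, 3, 1),  "LOW",    "PARTIAL",  "PARTIAL"),
    (date(2015, 1, 10), date(2015, 5, 10), "MEDIUM", "PARTIAL",  "NONE"),
    (date(2016, 2, 1),  date(2016, 2, 21), "LOW",    "COMPLETE", "COMPLETE"),
    (date(2016, 2, 1),  date(2017, 2, 1),  "HIGH",   "NONE",     "PARTIAL"),
    (date(2017, 6, 15), date(2017, 8, 15), "MEDIUM", "PARTIAL",  "NONE"),
    (date(2017, 6, 15), date(2018, 3, 15), "HIGH",   "NONE",     "NONE"),
]
# Assumed ordinal encodings so the categorical CVSS metrics can be rank-correlated.
AC_RANK = {"LOW": 0, "MEDIUM": 1, "HIGH": 2}
IMPACT_RANK = {"NONE": 0, "PARTIAL": 1, "COMPLETE": 2}

def ttvd_days(release, disclosure):
    """TTVD, assumed here as days from the vulnerable release to public disclosure."""
    return (disclosure - release).days

def ranks(values):
    """1-based ranks; tied values receive the average of their rank positions."""
    s = sorted(values)
    return [(2 * s.index(v) + s.count(v) + 1) / 2 for v in values]

def spearman(xs, ys):
    """Spearman rho computed as the Pearson correlation of tie-averaged ranks."""
    rx, ry = ranks(xs), ranks(ys)
    mx, my = mean(rx), mean(ry)
    cov = sum((a - mx) * (b - my) for a, b in zip(rx, ry))
    sx = sum((a - mx) ** 2 for a in rx) ** 0.5
    sy = sum((b - my) ** 2 for b in ry) ** 0.5
    return cov / (sx * sy)

def correlate_metric(records, column, rank_map):
    """Rank-correlate one CVSS metric column (2=AC, 3=C, 4=I) with TTVD."""
    ttvd = [ttvd_days(r[0], r[1]) for r in records]
    return spearman([rank_map[r[column]] for r in records], ttvd)

def ttvd_range_by_profile(records):
    """Min/max TTVD per combined (AC, C, I) profile: a crude bucketing of the
    metric-combination-to-TTVD-range association the abstract reports."""
    groups = {}
    for rel, disc, ac, c, i in records:
        groups.setdefault((ac, c, i), []).append(ttvd_days(rel, disc))
    return {k: (min(v), max(v)) for k, v in groups.items()}
```

On this constructed data the access complexity correlation is positive and the confidentiality correlation negative; with real CVE data the signs and magnitudes are an empirical question, and a significance test would be needed before drawing the abstract's kind of conclusion.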

Key words: likelihood of vulnerability discovery, CWSS, OWASP, software vulnerability, CVSS base score, vulnerability lifecycle, machine learning