Lefteris Angelis

- A multi-target approach to estimate software vulnerability characteristics and severity scores
  Journal of Systems and Software, 2018
  Co-authors: Georgios Spanos, Lefteris Angelis
  Abstract: Software vulnerabilities constitute a great risk for the IT community. The specification of the vulnerability characteristics is a crucial procedure, since the characteristics are used as input for a plethora of vulnerability scoring systems. Currently, the determination of the specific characteristics that represent each vulnerability is a process performed manually by IT security experts. However, the vulnerability description can be very informative and useful for predicting vulnerability characteristics. The primary goal of this research is the enhancement, acceleration and support of the manual procedure of vulnerability characteristic assignment. To achieve this goal, a model which combines text analysis and multi-target classification techniques was developed. This model estimates the vulnerability characteristics and subsequently calculates the vulnerability severity scores from the predicted characteristics. To perform the present research, a dataset that contains 99,091 records from a large, publicly available vulnerability database was used. The results are encouraging, since they show accuracy in the prediction of the vulnerability characteristics and scores.
Georgios Spanos

- A multi-target approach to estimate software vulnerability characteristics and severity scores
  Journal of Systems and Software, 2018
  Co-authors: Georgios Spanos, Lefteris Angelis
  Abstract: as in the entry above under Lefteris Angelis.
Paul E. Black

- Effect of static analysis tools on software security: preliminary investigation
  Proceedings of the 2007 ACM workshop on Quality of protection (QoP '07), 2007
  Co-authors: Vadim Okun, William F. Guthrie, Romain Gaucher, Paul E. Black
  Abstract: Static analysis tools can handle large-scale software and find thousands of defects. But do they improve software security? We evaluate the effect of static analysis tool use on software security in open source projects. We measure security by vulnerability reports in the National Vulnerability Database.
Mohamed Kaâniche

- Security-related vulnerability life cycle analysis
  2012 7th International Conference on Risks and Security of Internet and Systems (CRiSIS), 2012
  Co-authors: Géraldine Vache Marconato, Vincent Nicomette, Mohamed Kaâniche
  Abstract: This paper deals with the characterization of security-related vulnerabilities based on public data reported in the Open Source Vulnerability Database. We focus on the analysis of vulnerability life cycle events corresponding to the vulnerability discovery, the vulnerability disclosure, the patch release, and the exploit availability. We study the distribution of the time between these events considering different operating systems (Windows, Unix, mobile OS) and different attributes such as the vulnerability impact on confidentiality, integrity or availability, the access vector reflecting how the vulnerability is exploited, and the complexity of the exploit. The results obtained highlight some interesting trends and behaviours, concerning, e.g., the time between the disclosure of a vulnerability and the availability of a patch or of an exploit, that are sometimes specific to the considered operating system or the vulnerability attributes. The results are also aimed at providing useful inputs to security risk assessment and modelling studies.
Mehdi Zargham

- Vulnerability scrying method for software vulnerability discovery prediction without a vulnerability database
  IEEE Transactions on Reliability, 2013
  Co-authors: Sanaz Rahimi, Mehdi Zargham
  Abstract: Predicting software vulnerability discovery trends can help improve secure deployment of software applications and facilitate backup provisioning, disaster recovery, diversity planning, and maintenance scheduling. Vulnerability discovery models (VDMs) have been studied in the literature as a means to capture the underlying stochastic process. Based on the VDMs, a few vulnerability prediction schemes have been proposed. Unfortunately, all these schemes suffer from the same weaknesses: they require a large amount of historical vulnerability data from a database (hence they are not applicable to a newly released software application), their precision depends on the amount of training data, and they have a significant amount of error in their estimates. In this work, we propose vulnerability scrying, a new paradigm for vulnerability discovery prediction based on code properties. Using compiler-based static analysis of a codebase, we extract code properties such as code complexity (cyclomatic complexity) and, more importantly, code quality (compliance with secure coding rules) from the source code of a software application. Then we propose a stochastic model which uses code properties as its parameters to predict vulnerability discovery. We have studied the impact of code properties on the vulnerability discovery trends by performing static analysis on the source code of four real-world software applications. We have used our scheme to predict vulnerability discovery in three other software applications. The results show that even though we use no historical data in our prediction, vulnerability scrying can predict vulnerability discovery with better precision and less divergence over time.