Exploiting Vulnerability Disclosures: Statistical Framework and Case Study

Authors: MingJian Tang, Mamoun Alazab, Yuxiu Luo

DOI: 10.1109/CCC.2016.10

Keywords: Risk management, Conditional variance, Engineering, Time series, Risk analysis (engineering), Vulnerability management, Econometrics, Predictive modelling, Empirical research, Vulnerability, Data modeling

Abstract: With an ever-increasing trend of cybercrimes and incidents due to software vulnerabilities exposures, effective proactive vulnerability management becomes imperative in modern organisations regardless of large or small. Forecasting models leveraging rich historical disclosure data undoubtedly provide important insights to inform the cyber community with anticipated risks. In this paper, we proposed a novel framework for statistically analysing long-term time series between January 1999 and 2016. By utilising the sound framework, we initiated a study on not only testing but also modelling persistent volatilities in the data. In sharp contrast to existing models, we consider capturing both the mean and the conditional variance latent in the series. Through extensive empirical studies, the composite model is shown to effectively capture the sporadic nature. In addition, the paper paves the way for a further stochastic perspective on proliferation towards more accurate prediction and better risk management.

References (24)
Su Zhang, Doina Caragea, Xinming Ou, "An Empirical Study on Using the National Vulnerability Database to Predict Software Vulnerabilities," Lecture Notes in Computer Science, pp. 217-231 (2011), 10.1007/978-3-642-23088-2_15
Anand Nandkumar, Ashish Arora, Rahul Telang, Ramayya Krishnan, H. John Heinz, Yubao Yang, "Impact of Vulnerability Disclosure and Patch Availability - An Empirical Analysis" (2004)
Denis Kwiatkowski, Peter C.B. Phillips, Peter Schmidt, Yongcheol Shin, "Testing the null hypothesis of stationarity against the alternative of a unit root: How sure are we that economic time series have a unit root?" Journal of Econometrics, vol. 54, pp. 159-178 (1992), 10.1016/0304-4076(92)90104-Y
Tudor Dumitras, Carl Sabottke, Octavian Suciu, "Vulnerability disclosure in the age of social media: exploiting twitter for predicting real-world exploits," USENIX Security Symposium, pp. 1041-1056 (2015)
Mehran Bozorgi, Lawrence K. Saul, Stefan Savage, Geoffrey M. Voelker, "Beyond heuristics: learning to classify vulnerabilities and predict exploits," Knowledge Discovery and Data Mining, pp. 105-114 (2010), 10.1145/1835804.1835821
Tim Bollerslev, "Generalized autoregressive conditional heteroskedasticity," Journal of Econometrics, vol. 31, pp. 307-327 (1986), 10.1016/0304-4076(86)90063-1
Zhenxin Zhan, Maochao Xu, Shouhuai Xu, "Predicting Cyber Attack Rates With Extreme Values," IEEE Transactions on Information Forensics and Security, vol. 10, pp. 1666-1677 (2015), 10.1109/TIFS.2015.2422261
Lawrence A. Gordon, Martin P. Loeb, Tashfeen Sohail, "A framework for using insurance for cyber-risk management," Communications of the ACM, vol. 46, pp. 81-85 (2003), 10.1145/636772.636774
Zhenxin Zhan, Maochao Xu, Shouhuai Xu, "Characterizing Honeypot-Captured Cyber Attacks: Statistical Framework and Case Study," IEEE Transactions on Information Forensics and Security, vol. 8, pp. 1775-1789 (2013), 10.1109/TIFS.2013.2279800