Vulnerability Discovery Modeling Using Weibull Distribution

Joh, HyunChul; Kim, Jinyoo; Malaiya, Yashwant K.

doi:10.1109/issre.2008.32

Cited by 31 publications

(22 citation statements)

References 2 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Many VDMs assume that the total number of vulnerabilities in a vulnerable entity (i.e., software) is a time independent constant (e.g., [2], [18], [53]). Considering the combination of all releases as a single entity would severely violate this assumption since software keeps evolving to introduce new functionality, and thus keeps introducing new vulnerabilities over time.…”

Section: Vulnerability Count Methodsmentioning

confidence: 99%

“…Joh et al [18] proposed JW model, and compared it to AML on WinXP, Win2K3 and Linux (RedHat and RedHat Enterprise). The goodness-of-fit of JW was slightly worse than AML.…”

Section: Srgms and Defect Prediction Modelsmentioning

confidence: 99%

“…This work focuses on time-based VDMs, which were also the major concern of most VDM papers in the literature. Apart from the simplest linear model [4], and logarithmic Poisson (LP) model, time-based VDMs (at the time of writing this paper) include Anderson's thermodynamic model [8], Rescorla's quadratic (RQ) and Rescorla's exponential (RE) models [39], Alhazmi & Malaiya's logistic (AML) model [2], AML for multi-version (MVDM) model [19], Weibull model (JW) [18], and folded model (YF) [53]. Hereafter, we shortly refer to time-based VDM as VDM.…”

Section: Introductionmentioning

confidence: 99%

See 2 more Smart Citations

An Empirical Methodology to Evaluate Vulnerability Discovery Models

Massacci

Nguyễn

2014

IIEEE Trans. Software Eng.

View full text Add to dashboard Cite

Vulnerability discovery models (VDMs) operate on known vulnerability data to estimate the total number of vulnerabilities that will be reported after a software is released. VDMs have been proposed by industry and academia, but there has been no systematic independent evaluation by researchers who are not model proponents. Moreover, the traditional evaluation methodology has some issues that biased previous studies in the field. In this work we propose an empirical methodology that systematically evaluates the performance of VDMs along two dimensions (quality and predictability) and addresses all identified issues of the traditional methodology. We conduct an experiment to evaluate most existing VDMs on popular web browsers' vulnerability data. Our comparison shows that the results obtained by the proposed methodology are more informative than those by the traditional methodology. Among evaluated VDMs, the simplest linear model is the most appropriate choice in terms of both quality and predictability for the first 6-12 months since a release date. Otherwise, logistics-based models are better choices.

show abstract

Section: Vulnerability Count Methodsmentioning

confidence: 99%

“…Joh et al [18] proposed JW model, and compared it to AML on WinXP, Win2K3 and Linux (RedHat and RedHat Enterprise). The goodness-of-fit of JW was slightly worse than AML.…”

Section: Srgms and Defect Prediction Modelsmentioning

confidence: 99%

Section: Introductionmentioning

confidence: 99%

See 1 more Smart Citation

An Empirical Methodology to Evaluate Vulnerability Discovery Models

Massacci

Nguyễn

2014

IIEEE Trans. Software Eng.

View full text Add to dashboard Cite

show abstract

“…Yamada et al [11] developed a software-reliability growth model incorporating the amount of test effort expended during the software testing phase. Joh et al [12] proposed a new Weibull distribution based on vulnerability discovery model. Sagar et al [13] presented best software reliability growth model with including feature of both Weibull distribution and inflection S-shaped SRGM to estimate the defects of software system, and provide help to researchers and software industries to develop highly reliable software products.…”

Section: Introductionmentioning

confidence: 99%

A Software Reliability Model with a Weibull Fault Detection Rate Function Subject to Operating Environments

2017

View full text Add to dashboard Cite

Featured Application: This study introduces a new software reliability model with the Weibull fault detection rate function that takes into account the uncertainty of operating environments.Abstract: When software systems are introduced, these systems are used in field environments that are the same as or close to those used in the development-testing environments; however, they may also be used in many different locations that may differ from the environment in which they were developed and tested. As such, it is difficult to improve software reliability for a variety of reasons, such as a given environment, or a bug location in code. In this paper, we propose a new software reliability model that takes into account the uncertainty of operating environments. The explicit mean value function solution for the proposed model is presented. Examples are presented to illustrate the goodness of fit of the proposed model and several existing non-homogeneous Poisson process (NHPP) models and confidence intervals of all models based on two sets of failure data collected from software applications. The results show that the proposed model fits the data more closely than other existing NHPP models to a significant extent.

show abstract

“…Omar and Malaiya have compared several VDMs by fitting the data for major operating systems data, and have shown that the AML models fits better than other models in most cases [15]. However since AML is symmetrical model, it might be not perform well for asymmetric behavior discovery rate, so in [16], the authors examined Weibull distribution which can model asymmetrical behaviors too. Woo et al [17,18] have examined the vulnerability discovery trends for sets of web browsers and HTTP servers using AML model.…”

Section: Introductionmentioning

confidence: 99%