Abstract
Periodicity in the key processes related to software vulnerabilities needs to be taken into account when assessing security at a given time. Here we examine multi-year field datasets for some of the most widely used software systems (operating systems and Web-related software) for annual variation in the vulnerability discovery process, and we examine weekly periodicity in the patching and exploitation of vulnerabilities. Accurate projections of the vulnerability discovery process are needed to allocate the effort required to develop patches for newly discovered vulnerabilities. A time series analysis that combines the periodic pattern with longer-term trends lets developers predict future needs more accurately. We analyze eighteen datasets of software systems for annual seasonality in their vulnerability discovery processes; the analysis shows that repetitive annual patterns do exist. Next, datasets from a large number of major organizations that record the results of daily vulnerability scans are examined for weekly periodicity and its statistical significance. The results show a 7-day periodicity in the presence of unpatched vulnerabilities as well as in the exploitation pattern. The seasonal index approach is used to test the statistical significance of the observed periodicity, and the autocorrelation function is used to identify the exact period. The results show that periodicity needs to be considered both for optimal resource allocation and for the evaluation of security risk.
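The abstract names two tools, the seasonal index approach and the autocorrelation function, without showing how they are applied. The following Python block is an added worked example, not code from the paper, that runs both over constructed count series (an 8-week daily series of hosts with an unpatched finding, and a 36-month series of discovered vulnerabilities with a rising trend). It assumes a simple-average seasonal index (phase mean divided by grand mean), a chi-square goodness-of-fit test against uniform phase totals for significance, a least-squares linear detrend before computing the ACF, and the approximate 2/sqrt(n) white-noise band; the paper's exact formulation may differ.

```python
"""Seasonal index and autocorrelation checks for periodicity in vulnerability
activity. Added example, standard library only. The count series below are
constructed for illustration, not field data from the paper."""
from math import sqrt
from statistics import mean


def seasonal_indices(counts, period):
    """Seasonal index per phase: mean of the counts at that phase divided by the
    grand mean. 1.0 means no seasonal effect, >1 a peak, <1 a trough.
    (Assumed formulation: simple average method, no trend adjustment.)"""
    grand = mean(counts)
    buckets = [[] for _ in range(period)]
    for i, c in enumerate(counts):
        buckets[i % period].append(c)
    return [mean(b) / grand for b in buckets]


def chi_square_uniform(counts, period):
    """Chi-square goodness-of-fit statistic for H0: the counts are spread
    uniformly over the `period` phases. Degrees of freedom = period - 1."""
    totals = [0.0] * period
    for i, c in enumerate(counts):
        totals[i % period] += c
    expected = sum(totals) / period
    return sum((t - expected) ** 2 / expected for t in totals)


# 95% critical values of the chi-square distribution for df = 6 (weekly) and
# df = 11 (monthly), the two periods used in this example.
CHI2_95 = {6: 12.592, 11: 19.675}


def linear_detrend(series):
    """Subtract a least-squares straight line so that a long-term growth trend
    does not dominate the short-lag autocorrelations."""
    n = len(series)
    xs = range(n)
    xm, ym = (n - 1) / 2, mean(series)
    sxx = sum((x - xm) ** 2 for x in xs)
    slope = sum((x - xm) * (y - ym) for x, y in zip(xs, series)) / sxx
    return [y - (ym + slope * (x - xm)) for x, y in zip(xs, series)]


def acf(series, max_lag):
    """Sample autocorrelation r_k for k = 0..max_lag."""
    n, m = len(series), mean(series)
    denom = sum((x - m) ** 2 for x in series)
    if denom == 0:  # constant series: r_0 = 1, every other lag undefined -> 0
        return [1.0] + [0.0] * max_lag
    return [sum((series[i] - m) * (series[i + k] - m) for i in range(n - k)) / denom
            for k in range(max_lag + 1)]


def dominant_period(series, max_lag):
    """Lag (>= 1) with the largest autocorrelation, and whether that value
    exceeds the approximate 95% white-noise band 2/sqrt(n)."""
    r = acf(series, max_lag)
    k = max(range(1, max_lag + 1), key=lambda lag: r[lag])
    return k, r[k] > 2 / sqrt(len(series))


# Constructed daily series: 8 weeks of "hosts with an unpatched finding", high on
# weekdays (phases 0-4), low at weekends (phases 5-6), plus small deterministic noise.
DAILY = [(40 if i % 7 < 5 else 12) + (7 * i) % 5 - 2 for i in range(56)]

# Constructed monthly series: 3 years of discovered-vulnerability counts with a
# rising linear trend and a 12-month seasonal bump.
SEASON = [0, 0, 4, 8, 12, 8, 4, 0, 0, 4, 8, 12]
MONTHLY = [20 + 0.5 * i + SEASON[i % 12] for i in range(36)]


def report(counts, period, max_lag):
    """Seasonal indices, chi-square test and ACF peak for one count series."""
    lag, significant = dominant_period(linear_detrend(counts), max_lag)
    return {"indices": seasonal_indices(counts, period),
            "chi2": chi_square_uniform(counts, period),
            "chi2_crit": CHI2_95[period - 1],
            "acf_peak_lag": lag,
            "acf_peak_significant": significant}


if __name__ == "__main__":
    for name, counts, period, max_lag in (("daily", DAILY, 7, 21),
                                          ("monthly", MONTHLY, 12, 18)):
        r = report(counts, period, max_lag)
        print(name, {k: (round(v, 3) if isinstance(v, float) else v)
                     for k, v in r.items() if k != "indices"})
        print("  indices:", [round(x, 2) for x in r["indices"]])
```

For the daily series the ACF peaks at lag 7 and the weekday indices sit well above 1 while the weekend indices sit below it; for the monthly series the detrended ACF peaks at lag 12. One caveat the example makes visible: the chi-square statistic is computed on the raw counts, so a strong trend alone inflates it. When a trend is present, confirm the period with the detrended ACF rather than relying on the chi-square value by itself.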
Joh, H., Malaiya, Y.K. Periodicity in software vulnerability discovery, patching and exploitation. Int. J. Inf. Secur. 16, 673–690 (2017). https://doi.org/10.1007/s10207-016-0345-x