Abstract
A software update is a critical but complicated part of software security. Its delay poses risks due to vulnerabilities and defects of software. Despite the high demand to shorten the update lag and keep the software up-to-date, software updates involve factors such as human behavior, program configurations, and system policies, adding variety in the updates of software. Investigating these factors in a real environment poses significant challenges such as the knowledge of software release schedules from the software vendors and the deployment times of programs in each user’s machine. Obtaining software release plans requires information from vendors which is not typically available to public. On the users’ side, tracking each software’s exact update installation is required to determine the accurate update delay. Currently, a scalable and systematic approach is missing to analyze these two sides’ views of a comprehensive set of software. We performed a long term system-wide study of update behavior for all software running in an enterprise by translating the operating system logs from enterprise machines into graphs of binary executable updates showing their complex, and individualized updates in the environment. Our comparative analysis locates risky machines and software with belated or dormant updates falling behind others within an enterprise without relying on any third-party or domain knowledge, providing new observations and opportunities for improvement of software updates. Our evaluation analyzes real data from 113,675 unique programs used by 774 computers over 3 years.
This is a preview of subscription content, log in via an institution to check access.
Access this chapter
Tax calculation will be finalised at checkout
Purchases are for personal use only
Notes
- 1.
FMS is an acronym of Find My Sloths, which refer to enterprise applications showing undesirable delayed update behavior.
- 2.
This version number 64.0 is presented only for an illustration purpose. A lineage graph is constructed using binary hashes and their appearance orders without using the software’s specific version numbers, which may not always available or accurate.
References
APT (Advanced Package Tool). https://ubuntu.com/server/docs/package-management. Accessed 14 May 2021
Homebrew. https://brew.sh/. Accessed 14 May 2021
Linux Audit. https://people.redhat.com/sgrubb/audit/. Accessed 14 May 2021
National Software Reference Library. https://www.nist.gov/software-quality-group/national-software-reference-library-nsrl. Accessed 14 May 2021
Top 50 Vendors by Total Number of “Distinct” Vulnerabilities. https://www.cvedetails.com/top-50-vendors.php. Accessed 14 May 2021
What Are Security Patches and Why Are They Important? https://www.idtheftcenter.org/Cybersecurity/what-are-security -patches-and-why-are-they-important.html. Accessed 20 May 2018
Why Software Updates Are So Important. https://securingtomorrow.mcafee.com/consumer/consumer-threat-notices/software-updates-important/. Accessed 14 May 2021
Yum. http://yum.baseurl.org/. Accessed 14 May 2021
Abu Odeh, M., Adkins, C., Setayeshfar, O., Doshi, P., Lee, K.H.: A novel AI-based methodology for identifying cyber attacks in honey pots. In: IAAI (2021)
Aditya, K., Grzonkowski, S., Le-Khac, N.A.: Riskwriter: predicting cyber risk of an enterprise. In: ICISSP (2018)
Ahmad, A., Saad, M., Bassiouni, M., Mohaisen, A.: Towards blockchain-driven, secure and transparent audit logs. CoRR (2018)
Apple: iTunes store. https://itunes.apple.com/us/. Accessed 14 Nov 2018
Bilge, L., Han, Y., Dell’Amico, M.: Riskteller: predicting the risk of cyber incidents. In: CCS (2017)
Corley, C.S., Kraft, N.A., Etzkorn, L.H., Lukins, S.K.: Recovering traceability links between source code and fixed bugs via patch analysis. In: TEFSE (2011)
Corporation, T.M.: Common vulnerabilities and exposures (cve®). https://cve.mitre.org/. Accessed 13 June 2019
Du, M., Li, F., Zheng, G., Srikumar, V.: DeepLog: anomaly detection and diagnosis from system logs through deep learning. In: CCS (2017)
Duebendorfer, T., Frei, S.: Web browser security update effectiveness. In: CRITIS (2009)
Duebendorfer, T., Frei, S.: Why silent updates boost security. TIK (2009)
Gentoo Foundation, I.: Portage. https://wiki.gentoo.org/wiki/Handbook:X86/Working/Portage. Accessed 14 May 2021
Gkantsidis, C., Karagiannis, T., VojnoviC, M.: Planet scale software updates. In: CCR (2006)
Han, X., et al.: SIGL: securing software installations through deep graph learning. arXiv (2020)
Kang, C., Park, N., Prakash, B.A., Serra, E., Subrahmanian, V.: Ensemble models for data-driven prediction of malware infections. In: WSDM (2016)
Kotzias, P., Bilge, L., Vervier, P.A., Caballero, J.: Mind your own business: a longitudinal study of threats and vulnerabilities in enterprises (2019)
Lee, K.H., Zhang, X., Xu, D.: High accuracy attack provenance via binary-based execution partition. In: NDSS (2013)
Li, F., Paxson, V.: A large-scale empirical study of security patches. In: CCS (2017)
Liu, Y., et al.: Cloudy with a chance of breach: forecasting cyber security incidents. In: USENIX Security (2015)
Mathur, A., Engel, J., Sobti, S., Chang, V., Chetty, M.: “They keep coming back like zombies”: improving software updating interfaces. In: SOUPS (2016)
Meneely, A., Srinivasan, H., Musa, A., Tejeda, A.R., Mokary, M., Spates, B.: When a patch goes bad: exploring the properties of vulnerability-contributing commits. In: ESEM (2013)
Microsoft: About Event Tracing. https://docs.microsoft.com/en-us/windows/win32/etw/about-event-tracing. Accessed 14 May 2021
Microsoft: Assemblies in .NET. https://docs.microsoft.com/en-us/dotnet/standard/assembly/#assembly-manifest. Accessed 14 May 2021
Microsoft: Assembly Manifest. https://docs.microsoft.com/en-us/dotnet/standard/assembly/manifest. Accessed 14 May 2021
Microsoft: Microsoft Store. https://www.microsoft.com/en-us/store/b/home. Accessed 14 May 2021
Nappa, A., Johnson, R., Bilge, L., Caballero, J., Dumitras, T.: The attack of the clones: a study of the impact of shared code on vulnerability patching. In: S&P (2015)
Okutan, A., Yang, S.J.: ASSERT: attack synthesis and separation with entropy redistribution towards predictive cyber defense. Cybersecurity 2, 1–8 (2019)
Ovelgönne, M., Dumitraş, T., Prakash, B.A., Subrahmanian, V., Wang, B.: Understanding the relationship between human behavior and susceptibility to cyber attacks: a data-driven approach. TIST 8, 1–25 (2017)
Perl, H., et al.: VCCfinder: finding potential vulnerabilities in open-source projects to assist code audits. In: CCS (2015)
Redmiles, E.M., Mazurek, M.L., Dickerson, J.P.: Dancing pigs or externalities?: measuring the rationality of security decisions. In: EC (2018)
RPM: RPM package manager. https://rpm.org/. Accessed 14 May 2021
Sharif, M., Urakawa, J., Christin, N., Kubota, A., Yamada, A.: Predicting impending exposure to malicious content from user behavior. In: CCS (2018)
Shen, Y., Mariconti, E., Vervier, P.A., Stringhini, G.: Tiresias: predicting security events through deep learning. In: CCS (2018)
Shrivastava, G., Kumar, P.: SensDroid: analysis for malicious activity risk of android application. MTA 78(24), 35713–35731 (2019)
SUSE: Zypper. https://en.opensuse.org/Portal:Zypper. Accessed 14 May 2021
Symantec: Internet security threat report 2017. https://www.symantec.com/content/dam/symantec/docs/reports/gistr22-government-report.pdf
Team, P.D.: Pacman. https://www.archlinux.org/pacman/. Accessed 14 May 2021
Verizon: 2015 data breach investigations report. https://iapp.org/media/pdf/resource_center/Verizon_data-breach-investigation-report-2015.pdf. Accessed 14 May 2021
Verizon: 2017 data breach investigations report. https://www.ictsecuritymagazine.com/wp-content/uploads/2017-Data-Breach-Investigations-Report.pdf. Accessed 14 May 2021
VirusTotal. https://www.virustotal.com. Accessed 14 May 2021
Wash, R., Rader, E., Vaniea, K., Rizor, M.: Out of the loop: how automated software updates cause unintended security consequences. In: SOUPS (2014)
Xiao, C., Sarabi, A., Liu, Y., Li, B., Liu, M., Dumitras, T.: From patching delays to infection symptoms: using risk profiles for an early discovery of vulnerabilities exploited in the wild. In: USENIX Security (2018)
Xiao, J., Chen, S., He, Q., Feng, Z., Xue, X.: An android application risk evaluation framework based on minimum permission set identification. JSS 163, 110533 (2020)
Acknowledgment
We thank the anonymous reviewers and our shepherd, Juan Caballero, for their helpful feedback. This material is supported, in part, by the National Science Foundation, under grant No. OAC-1909856 and SaTC-1909856. Any opinions, findings, and conclusions, or recommendations expressed in this material are those of the authors and do not necessarily reflect the views of the NSF.
Author information
Authors and Affiliations
Corresponding author
Editor information
Editors and Affiliations
Rights and permissions
Copyright information
© 2021 Springer Nature Switzerland AG
About this paper
Cite this paper
Setayeshfar, O., Rhee, J.“., Kim, C.H., Lee, K.H. (2021). Find My Sloths: Automated Comparative Analysis of How Real Enterprise Computers Keep Up with the Software Update Races. In: Bilge, L., Cavallaro, L., Pellegrino, G., Neves, N. (eds) Detection of Intrusions and Malware, and Vulnerability Assessment. DIMVA 2021. Lecture Notes in Computer Science(), vol 12756. Springer, Cham. https://doi.org/10.1007/978-3-030-80825-9_11
Download citation
DOI: https://doi.org/10.1007/978-3-030-80825-9_11
Published:
Publisher Name: Springer, Cham
Print ISBN: 978-3-030-80824-2
Online ISBN: 978-3-030-80825-9
eBook Packages: Computer ScienceComputer Science (R0)