Title :
Vulnerability analysis for a quantitative security evaluation
Author :
Vache, Géraldine
Author_Institution :
LAAS, Univ. de Toulouse 7, Toulouse, France
Abstract :
This paper presents the quantitative characterization of vulnerability life cycle and of exploit creation by probability distributions. This work aims at helping the production of quantitative measures of information system security considering system environment. In this paper, we focus on two environmental factors: the vulnerability life cycle; and the attacker behaviour. We look for the probability distributions and their parameters that could model quantatively these environmental factor events. Thus, to obtain precise measures, it is needed to characterize these events using real data. For that purpose, we first selected an appropriate vulnerability database by comparing the existing and available ones. We choose the open source vulnerability database. After having brought back the data we need, we evaluate quantitatively the model parameters related to the vulnerability life cycle and the attacker behaviour. In doing so, we look for specificities of vulnerability categories to define the parameterization of our quantitative security evaluation modelling more precisely.
Keywords :
information systems; security of data; attacker behaviour; information system security; open source vulnerability database; probability distribution; quantitative security evaluation modelling; system environment; vulnerability database; vulnerability life cycle quantitative characterization; Data security; Databases; Environmental factors; ISO standards; Information security; Information systems; Measurement standards; Probability distribution; Software engineering; Software measurement;
Conference_Titel :
Empirical Software Engineering and Measurement, 2009. ESEM 2009. 3rd International Symposium on
Conference_Location :
Lake Buena Vista, FL
Print_ISBN :
978-1-4244-4842-5
Electronic_ISBN :
1938-6451
DOI :
10.1109/ESEM.2009.5315969
