Title :
Security-related vulnerability life cycle analysis
Author :
Marconato, Geraldine Vache ; Nicomette, Vincent ; Kaâniche, Mohamed
Author_Institution :
LAAS, Toulouse, France
Abstract :
This paper deals with the characterization of security-related vulnerabilities based on public data reported in the Open Source Vulnerability Database. We focus on the analysis of vulnerability life cycle events corresponding to the vulnerability discovery, the vulnerability disclosure, the patch release, and the exploit availability. We study the distribution of the time between these events considering different operating systems (Windows, Unix, Mobile OS), and different attributes such as the vulnerability impact on confidentiality, integrity or availability, the access vector reflecting how the vulnerability is exploited, and the complexity of the exploit. The results obtained highlight some interesting trends and behaviours, concerning, e.g. the time between the disclosure of a vulnerability and the availability of a patch or of the exploit, that are sometimes specific to the considered operating system or the vulnerability attributes. The results are also aimed at providing useful inputs to security risk assessment and modelling studies.
Keywords :
database management systems; operating systems (computers); security of data; access vector; availability; availability exploitation; confidentiality; integrity; open source vulnerability database; operating systems; patch release; security risk assessment; security-related vulnerability life cycle analysis; vulnerability attributes; vulnerability disclosure; vulnerability discovery; vulnerability life cycle event analysis; Availability; Complexity theory; Databases; Market research; Mobile communication; Operating systems; Security;
Conference_Title :
Risk and Security of Internet and Systems (CRiSIS), 2012 7th International Conference on
Conference_Location :
Cork
Print_ISBN :
978-1-4673-3087-9
Electronic_ISBN :
978-1-4673-3088-6
DOI :
10.1109/CRISIS.2012.6378954