Bayesian-model averaging using MCMCBayes for web-browser vulnerability discovery. (March 2019)
- Record Type:
- Journal Article
- Title:
- Bayesian-model averaging using MCMCBayes for web-browser vulnerability discovery. (March 2019)
- Main Title:
- Bayesian-model averaging using MCMCBayes for web-browser vulnerability discovery
- Authors:
- Johnston, Reuben
Sarkani, Shahryar
Mazzuchi, Thomas
Holzer, Thomas
Eveleigh, Timothy
- Abstract:
- Highlights: Describes vulnerability discovery phenomenon in the software security lifecycle. Presents 46 software release (SR) and security assessment profile (SAP) variables. Elicits dataset using Cooke's method; gathers empirical web-browser datasets. Details Bayesian analysis of vulnerability discovery modeling (VDM) techniques. Demonstrates new, non-parametric and Bayesian model average (BMA) VDM techniques.
ABSTRACT: Most software vulnerabilities are preventable, but they continue to be present in software releases. When Blackhats, or malicious researchers, discover vulnerabilities, they often release corresponding exploit software and malware. Therefore, customer confidence could be reduced if vulnerabilities—or discoveries of them—are not prevented, mitigated, or addressed. In addressing this, managers must choose which alternatives will provide maximal impact and could use vulnerability discovery modeling techniques to support their decision-making process. Applications of these techniques have used traditional approaches to analysis and, despite the dearth of data, have not included information from experts. This article takes an alternative approach, applying Bayesian methods to modeling the vulnerability-discovery phenomenon. Relevant data was obtained from security experts in structured workshops and from public databases. The open-source framework, MCMCBayes, was developed to automate performing Bayesian model averaging via power-posteriors. It combines predictions of interval-grouped discoveries by performance-weighting results from six variants of the non-homogeneous Poisson process (NHPP), two regression models, and two growth-curve models. The methodology is applicable to software-makers and persons interested in applications of expert-judgment elicitation or in using Bayesian analysis techniques with phenomena having non-decreasing counts over time. Graphical abstract: …
- Is Part Of:
- Reliability engineering & system safety. Volume 183(2019)
- Journal:
- Reliability engineering & system safety
- Issue:
- Volume 183(2019)
- Issue Display:
- Volume 183, Issue 2019 (2019)
- Year:
- 2019
- Volume:
- 183
- Issue:
- 2019
- Issue Sort Value:
- 2019-0183-2019-0000
- Page Start:
- 341
- Page End:
- 359
- Publication Date:
- 2019-03
- Subjects:
- Regression -- Growth curve -- Poisson process -- Gamma process -- Cooke's method
Reliability (Engineering) -- Periodicals
System safety -- Periodicals
Industrial safety -- Periodicals
Fiabilité -- Périodiques
Sécurité des systèmes -- Périodiques
Sécurité du travail -- Périodiques
620.00452
- Journal URLs:
- http://www.sciencedirect.com/science/journal/09518320
http://www.elsevier.com/journals
- DOI:
- 10.1016/j.ress.2018.11.030
- Languages:
- English
- ISSNs:
- 0951-8320
- Deposit Type:
- Legaldeposit
- View Content:
- Available online (eLD content is only available in our Reading Rooms)
- Physical Locations:
- British Library DSC - 7356.422700
British Library DSC - BLDSS-3PM
British Library HMNTS - ELD Digital store
- Ingest File:
- 9274.xml