Vulnerability discovery modelling: a general framework

Abstract

Due to the rising popularity of software-based systems, software engineers are required to continuously monitor the software to have deep insights about the loopholes and keep a close check on the vulnerability discovery process. Over time of each module of the software is tested and identified for loopholes using various vulnerability discovery models (VDMs) that exist. In this paper, based on hazard rate function approach, we have developed a unified framework to capture the behaviour of various vulnerability trends during the discovery process. The utility of the proposed approach helps in identifying and studying different discovery scenarios (various distribution functions) under one canopy. Furthermore, we also discuss a method called normalised criteria distance, which compares different sets of VDMs using a set of comparison criteria in order to rank and select the best model from among VDMs. The proposal has been supplemented with validation done on real life vulnerability discovery data sets.