JIS  Vol.8 No.2 , April 2017
Cyber Security: Nonlinear Stochastic Models for Predicting the Exploitability
Abstract: Obtaining complete information regarding discovered vulnerabilities looks extremely difficult. Yet, developing statistical models requires a great deal of such complete information about the vulnerabilities. In our previous studies, we introduced a new concept of “Risk Factor” of vulnerability which was calculated as a function of time. We introduced the use of Markovian approach to estimate the probability of a particular vulnerability being at a particular “state” of the vulnerability life cycle. In this study, we further develop our models, use available data sources in a probabilistic foundation to enhance the reliability and also introduce some useful new modeling strategies for vulnerability risk estimation. Finally, we present a new set of Non-Linear Statistical Models that can be used in estimating the probability of being exploited as a function of time. Our study is based on the typical security system and vulnerability data that are available. However, our methodology and system structure can be applied to a specific security system by any software engineer and using their own vulnerabilities to obtain their probability of being exploited as a function of time. This information is very important to a company’s security system in its strategic plan to monitor and improve its process for not being exploited.
Cite this paper: Rajasooriya, S. , Tsokos, C. and Kaluarachchi, P. (2017) Cyber Security: Nonlinear Stochastic Models for Predicting the Exploitability. Journal of Information Security, 8, 125-140. doi: 10.4236/jis.2017.82009.

[1]   Kaluarachchi, P.K., Tsokos, C.P. and Rajasooriya, S.M. (2016) Cybersecurity: A Statistical Predictive Model for the Expected Path Length. Journal of Information Security, 7, 112-128.

[2]   Rajasooriya, S.M., Tsokos, C.P. and Kaluarachchi, P.K. (2016) Stochastic Modelling of Vulnerability Life Cycle and Security Risk Evaluation. Journal of information Security, 7, 269-279.

[3]   NVD. National Vulnerability Database.

[4]   Frei, S. (2009) Security Econometrics: The Dynamics of (IN) Security. PhD Dissertation, ETH, Zurich.

[5]   Joh, H. and Malaiya, Y.K. (2010) A Framework for Software Security Risk Evaluation Using the Vulnerability Lifecycle and CVSS Metrics. Proceedings of the International Workshop on Risk and Trust in Extended Enterprises, November 2010, 430-434.

[6]   Kijsanayothin, P. (2010) Network Security Modeling with Intelligent and Complexity Analysis. PhD Dissertation, Texas Tech University, Lubbock, TX.

[7]   Alhazmi, O.H., Malaiya, Y.K. and Ray, I. (2007) Measuring, Analyzing and Predicting Security Vulnerabilities in Software Systems. Computers & Security, 26, 219-228.

[8]   Schiffman, M. Common Vulnerability Scoring System (CVSS).

[9]   CVE Details.

[10]   Secunia Vulnerability Review 2015: Key Figures and Facts from a Global Information Security Perspective. March 2015.

[11]   Alhazmi, O.H. and Malaiya, Y.K. (2008) Application of Vulnerability Discovery Models to Major Operating Systems. IEEE Transactions on Reliability, 57, 14-22.

[12]   Alhazmi, O.H. and Malaiya, Y.K. (2005) Modeling the Vulnerability Discovery Process. Proceedings of 16th International Symposium on Software Reliability Engineering, Chicago, 8-11 November 2005, 129-138.

[13]   Noel, S., Jacobs, M., Kalapa, P. and Jajodia, S. (2005) Multiple Coordinated Views for Network Attack Graphs. VIZSEC’05: Proceedings of the IEEE Workshops on Visualization for Computer Security, Minneapolis, MN, 26 October 2005, 99-106.

[14]   Mehta, V., Bartzis, C., Zhu, H., Clarke, E.M. and Wing, J.M. (2006) Ranking Attack Graphs. In: Zamboni, D. and Krügel, C., Eds., Recent Advances in Intrusion Detection, Vol. 4219 of Lecture Notes in Computer Science, Springer, Berlin, 127-144.

[15]   Lawler, G.F. (2006) Introduction to Stochastic Processes. 2nd Edition, Chapman and Hall/CRC, Taylor and Francis Group, London, New York.

[16]   Abraham, S. and Nair, S. (2014) Cyber Security Analytics: A Stochastic Model for Security Quantification Using Absorbing Markov Chains. Journal of Communications, 9, 899-907.

[17]   Jajodia, S. and Noel, S. (2005) Advanced Cyber Attack Modeling, Analysis, and Visualization. 14th USENIX Security Symposium, Technical Report 2010, George Mason University, Fairfax, VA.

[18]   Wang, L., Singhal, A. and Jajodia, S. (2007) Measuring Overall Security of Network Configurations Using Attack Graphs. In: Barker, S. and Ahn, G.J., Eds., Data and Applications Security XXI. DBSec 2007. Lecture Notes in Computer Science, Vol. 4602, Springer, Berlin, Heidelberg, 98-112.

[19]   Wang, L., Islam, T., Long, T., Singhal, A. and Jajodia, S. (2008) An Attack Graph-Based Probabilistic Security Metric. DAS 2008, LNCS 5094, 283-296.