Empirical Models for Vulnerability Exploits - UMD - January 2015

Public Audience
Purpose: To highlight project progress. Information is generally at a higher level which is accessible to the interested public. All information contained in the report (regions 1-3) is a Government Deliverable/CDRL.

PI(s): Tudor Dumitras
Researchers: Octavian Suciu, Michael Hicks, Jonathan Katz, Joseph JaJa

HARD PROBLEM(S) ADDRESSED
This refers to Hard Problems, released November 2012.

Security-Metrics-Driven Evaluation, Design, Development, and Deployment

Project synopsis
The security of deployed and actively used systems is a moving target, influenced by factors not captured in the existing security metrics. For example, the count and severity of vulnerabilities in source code, as well as the corresponding attack surface, are commonly used as measures of a software product's security. For example, simply estimating the number of vulnerabilities in source code does not account for the fact that some vulnerabilities are never exploited by attackers, perhaps due to reduced attack surfaces or because of other technologies that render exploits less likely to succeed. Conversely, vulnerabilities that have been "patched" can continue to impact security in the real world because some users do not deploy the corresponding software patches. Overall, we currently do not know how to assess the security of real-world systems. In this task, we will conduct empirical studies of security in the real world. Our goals are to derive empirical models of vulnerabilities and attack surfaces exercised in cyber attacks and to understand the deployment-specific factors that influence the security of systems in active use.

PUBLICATIONS
Papers published in this quarter as a result of this research. Include title, author(s), venue published/presented, and a short description or abstract. Identify which hard problem(s) the publication addressed. Papers that have not yet been published should be reported in region 2 below.

1. Evangelos E. Papalexakis, Tudor Dumitras, Duen Horng Chau, B. Aditya Prakash, Christos Faloutsos. SharkFin: Spatio-temporal mining of software adoption and penetration. Social Network Analysis and Mining, Nov 2014, 4:240. http://cps-vo.org/node/17110

ACCOMPLISHMENT HIGHLIGHTS

This quarter we published one paper: 

• A journal version of our paper on modeling the dissemination of popular files across the Internet. In this paper, we proposed a parametrized analytical model, called SharkFin, which is derived from key patterns observed in the empirical data. More information is available at http://www.umiacs.umd.edu/~tdumitra/blog/old/models-of-software-dissemination/