Vulnerability Discovery Modelling for Software with Multi-versions

  • Adarsh AnandEmail author
  • Subhrata Das
  • Deepti Aggrawal
  • Yury Klochkov
Part of the Management and Industrial Engineering book series (MINEN)


Security vulnerabilities have been of huge concern as an un-patched vulnerability can potentially permit a security breach. Vulnerability Discovery Modelling (VDM) has been a methodical approach that has helped the developers to effectively plan for resource allocation required to develop patches for problematic software releases; and thus improving the security aspect of the software. Many researchers have proposed discovery modelling pertaining to a specific version of software and talked about time window between the discovery (of vulnerability) and release of the patch as its remedy. In today’s cut throat and neck to neck competitive market scenario, when every firm comes up with the successive version of its previous release; fixing of associated susceptibilities in the software becomes a more cumbersome task. Based on the fundamental of shared code among multi-version software system, in this chapter of the book, we propose a systematic approach for quantification of number of vulnerabilities discovered. With the aim of predicting and scrutinising the loopholes the applicability of the approach has been examined using various versions of Windows and Windows Server Operating Systems.


Multi-version software Patch Vulnerability discovery model (VDM) 


\(\Omega _{i} (t)\)

Expected number of vulnerabilities discovered by time t(\(i = 1,{\kern 1pt} 2,{\kern 1pt} 3 \ldots n\))

\(F_{i} (t)\)

Probability distributions function for vulnerability discovery process (\(i = 1,{\kern 1pt} 2,3 \ldots n\))


Total number of vulnerabilities in the software (\(i = 1,{\kern 1pt} 2,3 \ldots n\))


Vulnerability detection rate function of software (\(i = 1,{\kern 1pt} 2,3 \ldots n\))


Learning parameter for vulnerability discovery process (\(i = 1,{\kern 1pt} 2,3 \ldots n\))


  1. 1.
    Vulnerability Examples,, July 10, 2016.
  2. 2.
  3. 3.
    Schneier B., “Full Disclosure and the Window of Vulnerability”, Crypto-Gram http: //, September 15, 2000.
  4. 4.
    Schultz E. E., Brown Jr., D. S. and Longstaffs T. A., “Responding to Computer Security Incidents”, Lawrence Livermore National Laboratory, 165 , July 23, 1990.Google Scholar
  5. 5.
    Pfleeger C. P. and Pfleeger S. L., “Security in Computing”, 3rd ed. Prentice Hall PTR, 2003.Google Scholar
  6. 6.
    Browne H. K., Arbaugh W. A., McHugh J., and Fithen W. L., “A Trend Analysis of Exploitations”, University of Maryland and CMU Technical Reports, 2000.Google Scholar
  7. 7.
    Rescorla E., “Is finding security holes a good idea?” IEEE Security and Privacy, 3(1):14–19, 2005.Google Scholar
  8. 8.
    Anand A., and Bhatt N., “Vulnerability Discovery Modeling and Weighted Criteria Based Ranking”, Journal of Indian Society for Probability and Statistic, Springer, 17, pp. 1–10, 2016.Google Scholar
  9. 9.
    Chou, A., Yang, J., Chelf, B., Hallem, S., and Engler, D., “An Empirical Study of Operating Systems Errors”, Symposium on Operating Systems Principles, 2001.Google Scholar
  10. 10.
    Anderson R. J., “Security in Opens versus Closed Systems-The Dance of Boltzmann, Coase and Moore” Open Source Software: Economics, Law and Policy, Toulouse, France, June 20-21, 2002.Google Scholar
  11. 11.
    Rescorla E., “Security holes…Who Cares?”, USENIX Security, 2003.Google Scholar
  12. 12.
    Alhazmi O. H. and Malaiya Y. K., “Modeling the vulnerability discovery process”, In Proceedings of 16th IEEE International Symposium on Software Reliability Engineering (ISSRE’05), pp. 129–138, 2005.Google Scholar
  13. 13.
    Alhazmi O. H. and Malaiya Y. K., “Quantitative Vulnerability Assessment of Systems Software,” in Proc. Annual Reliability and Maintainability Symposium, pp. 615–620, January 2005.Google Scholar
  14. 14.
    Miller K.W., Morell L.J., Noonan R.E., Park S.K., Nicol D.M., Murrill B.W., and M. Voas. “Estimating the Probability of Failure when Testing Reveals no Failures”, IEEE Transactions on Software Engineering, 18(1):33–43, January 1992.Google Scholar
  15. 15.
    Yin J., Tang C., Zhang X., and McIntosh M., “On Estimating the Security Risks of Composite Software Services” In Proc. PASSWORD Workshop, June 2006.Google Scholar
  16. 16.
    Tofts C. and Monahan B., “Towards an Analytic Model of Security Flaws” Technical Report 2004-224, HP Trusted Systems Laboratory, Bristol, UK, December 2004.Google Scholar
  17. 17.
    Ozment A., “Improving Vulnerability Discovery Models: Problems with Definitions and Assumptions”, ACM, Alexandria, Virginia, USA, 2007.Google Scholar
  18. 18.
    Arora A., Telang R., and Xu H., “Optimal Policy for Software Vulnerability Disclosure”, Management Science, 54(4), pp. 642-656, 2008.Google Scholar
  19. 19.
    Kapur P. K., Sachdeva N. and Khatri S. K., “Vulnerability Discovery Modeling”, International Conference on Quality, Reliability, Infocom Technology and Industrial Technology Management, pp. 34-54, ISBN 978-93-84588-57-1, 2012.Google Scholar
  20. 20.
    Kim J., Malaiya Y. K., and Ray I., “Vulnerability Discovery in Multi-version Software Systems”, In 10th IEEE High Assurance Systems Engineering Symposium, pp. 141–148, 2007.Google Scholar
  21. 21.
    Windows, “Vulnerability Statistics”, Accessed 20 Feb 2016.
  22. 22.
    Windows Server, “Vulnerability Statistics”, Accessed 20 Feb 2016.
  23. 23.
    SAS Institute Inc., “SAS/ETS user’s guide version 9.1”, Cary, NC: SAS Institute Inc., 2004.Google Scholar

Copyright information

© Springer International Publishing AG 2017

Authors and Affiliations

  • Adarsh Anand
    • 1
    Email author
  • Subhrata Das
    • 1
  • Deepti Aggrawal
    • 2
  • Yury Klochkov
    • 3
  1. 1.Department of Operational ResearchUniversity of DelhiNew DelhiIndia
  2. 2.Keshav MahavidyalayaUniversity of DelhiNew DelhiIndia
  3. 3.St. Petersburg Polytechnic UniversitySt. PetersburgRussia

Personalised recommendations