An Analytical Approach to Assess and Compare the Vulnerability Risk of Operating Systems

Full Text (PDF, 614KB), PP.1-10

Views: 0 Downloads: 0

Author(s)

Pubudu K. Hitigala Kaluarachchilage 1,* Champike Attanayake 1 Sasith Rajasooriya 2 Chris P. Tsokos 3

1. Department of Mathematical and Physical Sciences, Miami University, Ohio, USA

2. Independent Researche

3. Department of Mathematics and Statistics, University of South Florida, Florida, USA

* Corresponding author.

DOI: https://doi.org/10.5815/ijcnis.2020.02.01

Received: 30 Dec. 2019 / Revised: 9 Jan. 2020 / Accepted: 23 Jan. 2020 / Published: 8 Apr. 2020

Index Terms

Markov chain, cybersecurity, vulnerability, operating system, risk analysis, non-parametric analysis

Abstract

Operating system (OS) security is a key component of computer security. Assessing and improving OSs strength to resist against vulnerabilities and attacks is a mandatory requirement given the rate of new vulnerabilities discovered and attacks occur. Frequency and the number of different kinds of vulnerabilities found in an OS can be considered an index of its information security level. In the present study we assess five mostly used OSs, Microsoft Windows (windows 7, windows 8 and windows 10), Apple’s Mac and Linux for their discovered vulnerabilities and the risk associated in each. Each discovered and reported vulnerability has an Exploitability score assigned in CVSS [27] of the national vulnerability data base. We compare the risk from vulnerabilities in each of the five Operating Systems. The Risk Indexes used are developed based on the Markov model to evaluate the risk of each vulnerability [11, 21, 22]. Statistical methodology and underlying mathematical approach is described. The analysis includes all the reported vulnerabilities in the National Vulnerability Database [19] up to October 30, 2018. Initially, parametric procedures are conducted and measured. There are however violations of some assumptions observed. Therefore, authors recognized the need for non-parametric approaches. 6838 vulnerabilities recorded were considered in the analysis.
According to the risk associated with all the vulnerabilities considered, it was found that there is a statistically significant difference among average risk level for some operating systems. This indicates that according to our method some operating systems have been more risk vulnerable than others given the assumptions and limitations. Relevant Test results revealing a statistically significant difference in the Risk levels of different OSs are presented.

Cite This Paper

Pubudu K. Hitigala Kaluarachchilage, Champike Attanayake, Sasith Rajasooriya, Chris P. Tsokos, "An Analytical Approach to Assess and Compare the Vulnerability Risk of Operating Systems", International Journal of Computer Network and Information Security(IJCNIS), Vol.12, No.2, pp.1-10, 2020. DOI: 10.5815/ijcnis.2020.02.01

Reference

[1] S. Abraham, S. Nair, Cyber Security Analytics: A stochastic model for Security Quantification using Absorbing Markov Chains, Journal of Communications Vol. 9, 2014, 899-907.
[2] O. H. Alhazmi, Y. K. Malaiya and I. Ray, Measuring, analyzing and predicting security vulnerabilities in software systems, Computers and Security Journal, vol. 26, no. 3, (2007), pp. 219–228.
[3] O. H. Alhazmi, Y. K. Malaiya, Application of Vulnerability Discovery Models to Major Operating Systems, IEEE Transactions on Reliability, Vol. 57, No. 1, 2008, pp. 14-22.
[4] O. H. Alhazmi, Y. K. Malaiya, Modeling the Vulnerability Discovery Process, Proceedings of 16th International Symposium on Software Reliability Engineering, Chicago, 8-11 November 2005, 129-138.
[5] G. W. Corder, D. I. Foreman, Nonparametric Statistics: A Step-by-Step Approach. Wiley, 2014.
[6] CVE details. Available at http://www.cvedetails.com/
[7] S. Frei, Security Econometrics: The Dynamics of (IN) Security, Ph.D. dissertation at ETH Zurich, 2009.
[8] G. Gamst, L. Meyers & A. Guarino, ANOVA ASSUMPTIONS. In Analysis of Variance Designs: A Conceptual and Computational Approach with SPSS and SAS (pp. 49-84). Cambridge: Cambridge University Press. doi:10.1017/CBO9780511801648.006, 2008.
[9] J.D Gibbons, Chakraborti, Subhabrata, Nonparametric Statistical Inference, 4th Ed. CRC Press, 2003.
[10] S. Jajodia, S Noel, Advanced Cyber Attack Modeling, Analysis, and Visualization, 14th USENIX Security Symposium, Technical Report 2010, George Mason University, Fairfax, VA. (2005).
[11] H. Joh, Y.K. Malaiya, A framework for Software Security Risk Evaluation using the Vulnerability Lifecycle and CVSS Metrics, Proc. International Workshop on Risk and Trust in Extended Enterprises, November 2010, (2010), pp.430-434.
[12] P.K. Kaluarachchi, C.P. Tsokos and S.M. Rajasooriya, Cybersecurity: A Statistical Predictive Model for the Expected Path Length, Journal of information Security, 7, (2016), pp.112-128. Available at http://dx.doi.org/10.4236/jis.2016.73008
[13] P.K. Kaluarachchi, C.P. Tsokos and S.M. Rajasooriya, Non-Homogeneous Stochastic Model for Cyber Security Predictions, Journal of Information Security, 9, (2018) ,pp.12-24. Available at https://doi.org/10.4236/jis.2018.91002
[14] P. Kijsanayothin, Network Security Modeling with Intelligent and Complexity Analysis, Ph.D. Dissertation, Texas Tech University, 2010.
[15] G. F. Lawler, Introduction to Stochastic processes, 2nd Edition, Chapman and Hall /CRC Taylor and Francis Group, London, New York, 2006.
[16] P.E McKight, J. Najab, Kruskal–Wallis test, In the Corsini Encyclopedia of Psychology. John Wiley & Sons, Inc, 2010.
[17] V.Mehta, C. Bartzis, H. Zhu, E.M. Clarke, and J.M. Wing, Ranking attack graphs, In D. Zamboni and C. Kr ¨ugel (Eds.), Recent Advances in Intrusion Detection, Volume 4219 of Lecture Notes in Computer Science, (2006), pp. 127–144. Springer.
[18] S. Noel, M. Jacobs, P. Kalapa and S. Jajodia, Multiple Coordinated Views for Network Attack Graphs, In VIZSEC'05: Proc. of the IEEE Workshops on Visualization for Computer Security, Minneapolis, MN, October, 2005, pages 99–106.
[19] NVD, National vulnerability database, Available at https://nvd.nist.gov/vuln
[20] P. Johnson, D. Gorton, R. Lagerström, M. Ekstedt, Time between vulnerability disclosures: a measure of software product vulnerability, Comput. Secur., 62 (2016), pp. 278-295
[21] S.M. Rajasooriya, C.P. Tsokos and P.K. Kaluarachchi, Stochastic Modelling of Vulnerability Life Cycle and Security Risk Evaluation, Journal of information Security, 7,(2016), pp.269-279. Available at http://dx.doi.org/10.4236/jis.2016.74022
[22] S.M. Rajasooriya, C.P. Tsokos and P.K. Kaluarachchi, Cybersecurity: Nonlinear Stochastic models for Predicting the Exploitability, Journal of information Security, 8, (2017), pp.125-140. Available at http://dx.doi.org/10.4236/jis.2017.82009
[23] J. Ruohone, S. Hyrynsalmi & V. Leppänen, The sigmoidal growth of operating system security vulnerabilities: an empirical revisit, Computers & Security, 55, (2015), pp.1–20.
[24] Y. Roumani, J. K. Nwankpa, & Y. F. Rouman, Time series modeling of vulnerabilities, Computers & Security, 51, 32–40, 2015
[25] Symantec Internet security threat report 2016-Volume 21, Available at https://www.symantec.com/content/dam/symantec/docs/reports/istr-21-2016-en.pdf
[26] R. Sawilla and X. Ou. Googling Attack Graphs. Technical Report TM-2007-205, Defence Research and Development Canada, September 2007, Available at http://cradpdf.drdc-rddc.gc.ca/PDFS/unc65/p528199.pdf
[27] M. Schiffman, Common Vulnerability Scoring System (CVSS), Available at http://www.first.org/cvss/.
[28] E.E. Schultz Jr, D.S. Brown and T.A. M. Longstaff, Responding to computer security incidents: Guidelines for incident handling, United States: N. p., 1990. Web.
[29] 2016 U.S Government Cybersecurity report, Available at https://cdn2.hubspot.net/hubfs/533449/SecurityScorecard_2016_Govt_Cybersecurity_Report.
[30] H. S. Venter and H. P. Eloff Jan, Vulnerability forecasting - a conceptual model, Computers & Security 23 (2004), 489-497.
[31] S. Zhang, D. Caragea and X. Ou, An empirical study on using the national vulnerability database to predict software vulnerabilities, In: Hameurlain A., Laddle S. W., Schewe K.-D., Zhou X. (eds.), Database and Expert Systems Applications, DEXA 2011. Lecture Notes in Computer Science, Vol. 6860. Springer, Berlin, Heidelberg.