TY - GEN
T1 - Which is the right source for vulnerability studies? An empirical analysis on Mozilla Firefox
AU - Massacci, F.
AU - Nguyen, V.H.
PY - 2010
Y1 - 2010
N2 - Recent years have seen a trend towards the notion of quantitative security assessment and the use of empirical methods to analyze or predict vulnerable components. Many papers have focused on vulnerability discovery models based upon either public vulnerability databases (e.g., CVE, NVD) or vendor ones (e.g., MFSA). Some combine these databases. Most of these works address a knowledge problem: can we understand the empirical causes of vulnerabilities? Can we predict them? Still, if the data sources do not completely capture the phenomenon we are interested in predicting, then our predictor might be optimal with respect to the data we have but unsatisfactory in practice. In our work, we focus on a more fundamental question: the quality of the vulnerability databases themselves. We provide an analytical comparison of different security metric papers and their respective data sources. We also show, based on experimental data for Mozilla Firefox, how using different data sources might lead to completely different results. © 2010 ACM.
AB - Recent years have seen a trend towards the notion of quantitative security assessment and the use of empirical methods to analyze or predict vulnerable components. Many papers have focused on vulnerability discovery models based upon either public vulnerability databases (e.g., CVE, NVD) or vendor ones (e.g., MFSA). Some combine these databases. Most of these works address a knowledge problem: can we understand the empirical causes of vulnerabilities? Can we predict them? Still, if the data sources do not completely capture the phenomenon we are interested in predicting, then our predictor might be optimal with respect to the data we have but unsatisfactory in practice. In our work, we focus on a more fundamental question: the quality of the vulnerability databases themselves. We provide an analytical comparison of different security metric papers and their respective data sources. We also show, based on experimental data for Mozilla Firefox, how using different data sources might lead to completely different results. © 2010 ACM.
U2 - 10.1145/1853919.1853925
DO - 10.1145/1853919.1853925
M3 - Conference contribution
SN - 9781450303408
T3 - 6th International Workshop on Security Measurements and Metrics, MetriSec 2010
BT - 6th International Workshop on Security Measurements and Metrics, MetriSec 2010
T2 - 6th International Workshop on Security Measurements and Metrics, MetriSec 2010
Y2 - 15 September 2010 through 15 September 2010
ER -