Which is the Right Source for Vulnerability Studies? An Empirical Analysis on Mozilla Firefox / Massacci, Fabio; Nguyen, Viet Hung. - Electronic. - (2010), pp. 1-10.
Which is the Right Source for Vulnerability Studies? An Empirical Analysis on Mozilla Firefox
Massacci, Fabio; Nguyen, Viet Hung
2010-01-01
Abstract
Recent years have seen a major trend towards quantitative security assessment and the use of empirical methods to analyze or predict vulnerable components. Much past research has focused on vulnerability discovery models. The common method is to rely upon either a public vulnerability database (CVE, NVD) or a vendor vulnerability database. Some works combine these databases. Most of these works address a knowledge problem: can we understand the empirical causes of vulnerabilities? Can we predict them? Still, if the data sources do not completely capture the phenomenon we are interested in predicting, then our predictor might be optimal with respect to the data we have but unsatisfactory in practice. In our work, we focus on a more fundamental question: the quality of vulnerability databases. How good are we at sampling? Or, with respect to the research objectives of current papers on empirical studies in security, are we sampling the right data?

File | Access | Type | License | Size | Format
---|---|---|---|---|---
esem10.pdf | Open access | Publisher's version (Publisher's layout) | All rights reserved | 555.13 kB | Adobe PDF
Documents in IRIS are protected by copyright and all rights are reserved, unless otherwise indicated.