Which is the Right Source for Vulnerability Studies? An Empirical Analysis on Mozilla Firefox / Massacci, Fabio; Nguyen, Viet Hung. - ELECTRONIC. - (2010), pp. 1-10.

Which is the Right Source for Vulnerability Studies? An Empirical Analysis on Mozilla Firefox

Massacci, Fabio;Nguyen, Viet Hung
2010-01-01

Abstract

Recent years have seen a major trend towards quantitative security assessment and the use of empirical methods to analyze or predict vulnerable components. Much past research has focused on vulnerability discovery models. The common method is to rely on either a public vulnerability database (CVE, NVD) or a vendor vulnerability database; some studies combine these databases. Most of these works address a knowledge problem: can we understand the empirical causes of vulnerabilities? Can we predict them? Still, if the data sources do not completely capture the phenomenon we are interested in predicting, then our predictor might be optimal with respect to the data we have but unsatisfactory in practice. In our work, we focus on a more fundamental question: the quality of vulnerability databases. How good are we at sampling? Or, with respect to the research objectives of current papers on empirical studies in security, are we sampling the right data?
2010
Trento
University of Trento - Dipartimento di Ingegneria e Scienza dell'Informazione
Files in this item:
File: esem10.pdf
Access: open access
Type: Publisher's layout
License: All rights reserved
Size: 555.13 kB
Format: Adobe PDF

Documents in IRIS are protected by copyright and all rights are reserved, unless otherwise indicated.

Use this identifier to cite or link to this document: https://hdl.handle.net/11572/358588