Abstract

In the past, numerous vulnerability discovery models (VDMs) have been proposed to estimate and forecast the security vulnerabilities present in software systems. These models can be used to assess and mitigate the security risk posed by vulnerabilities and to estimate the resources required to handle potential security breaches. However, these models have shortcomings that make it difficult to forecast precisely the vulnerabilities present in a software system. Considering the change point problem when modeling the vulnerability discovery process is one possible way to enhance the forecasting capability of VDMs. In real situations, the vulnerability discovery rate can be influenced by different factors, such as software age, code size, operational effort, popularity, OS and platform type, known vulnerabilities and their types, and so on. As these factors change, the vulnerability discovery rate can change as well. The time point at which such a change occurs is known as a change point. In this paper, the change point problem is considered in an exponential VDM to capture the actual vulnerability behavior and to improve the forecasting capability. The proposed model is validated using a real vulnerability data set reported by the National Vulnerability Database (NVD). Experimental results show that the goodness of fit and forecasting ability of the exponential VDM with a change point are better than those of the exponential VDM without a change point.
