E-WBM: An Effort-Based Vulnerability Discovery Model

Abstract

Vulnerability discovery models (VDMs) have recently been proposed to estimate the cumulative number of vulnerabilities that will be disclosed after software is released. A precise VDM would offer an available quantitative insight to assess software security. Even though VDM has demonstrated its effectiveness in multiple software, it remains limited in accuracy, especially with weak versatility. We propose a novel effort-based VDMs, named E-WBM, to improve critical vulnerability discovery rate algorithm using Weibull probability distribution function towards efficient vulnerability discovery models. E-WBM accurately portrays the trend of software security vulnerabilities disclosure. We evaluate E-WBM on eight popular real-world operating systems and show the feasibility of the proposed model. We further compare E-WBM with a state-of-the-art effort-based model AME and time-based model JW on the above eight operating systems. Our comparison also demonstrates that E-WBM consistently outperforms AME and JW both at reducing the deviations and fitting curve trends. In addition to the model fitting, predictive capabilities of two effort-based models E-WBM and AME are also examined. The results show that the E-WBM model yields a more stable prediction with a significantly less error than AME.