Vulnerability severity prediction and risk metric modeling for software

Authors: Xiaoling Zhu, Chenglong Cao, Jing Zhang

Abstract

As more users suffer serious security threats from software vulnerabilities, software security becomes increasingly important. Vulnerability prediction and risk evaluation are two of the most pressing issues in software security management. In this paper, we propose a prediction model for software vulnerability in which the probability and severity of vulnerability occurrence are determined by the logistic function and the binomial distribution, respectively. Using the parameters obtained by prediction, we develop a new risk metric model. We provide several metrics, including mean time to vulnerability, local risk rate, mean risk rate, and overall risk value, from the viewpoints of time and probability. Experiments were conducted on real software vulnerability datasets. The results show that the prediction is effective and the evaluation is easy to carry out. Our work has several features: (1) users can predict the future vulnerability state, in particular vulnerability severity; (2) unlike traditional evaluation methods based on expert scoring, our evaluation model is based on prediction and uses historical vulnerability data; and (3) the risk metric value can be used in risk assessment, security rating, and patch management.

Keywords: Software vulnerability, Vulnerability severity, Prediction model, Risk metric

Review process:

Paper URL: https://doi.org/10.1007/s10489-017-0925-0