Which is the Right Source for Vulnerability Studies? An Empirical Analysis on Mozilla Firefox

Massacci, Fabio and Nguyen, Viet Hung (2010) Which is the Right Source for Vulnerability Studies? An Empirical Analysis on Mozilla Firefox. UNSPECIFIED. (Unpublished)

    Abstract

    Recent years have seen a major trend towards quantitative security assessment and the use of empirical methods to analyze or predict vulnerable components. Much past research has focused on vulnerability discovery models. The common method is to rely upon either a public vulnerability database (CVE, NVD) or a vendor vulnerability database. Some studies combine these databases. Most of these works address a knowledge problem: can we understand the empirical causes of vulnerabilities? Can we predict them? Still, if the data sources do not completely capture the phenomenon we are interested in predicting, then our predictor might be optimal with respect to the data we have but unsatisfactory in practice. In our work, we focus on a more fundamental question: the quality of vulnerability databases. How good are we at sampling? Or, with respect to the research objectives of current papers on empirical studies in security, are we sampling the right data?

    Item Type: Departmental Technical Report
    Department or Research center: Information Engineering and Computer Science
    Subjects: Q Science > QA Mathematics > QA075 Electronic computers. Computer science
    Q Science > QA Mathematics > QA299.6 Analysis
    Uncontrolled Keywords: Computer Security, Vulnerability Analysis
    Report Number: DISI-10-037
    Repository staff approval on: 24 May 2010
