Безопасность информационных технологий (Nov 2024)
An approach to predicting the properties of software vulnerabilities
Abstract
A probabilistic approach to predicting the properties of identified software vulnerabilities has been developed. The approach represents the process by which the values of the CVSS v3.0 base metrics of detected software vulnerabilities change as a Markov random process with discrete states and continuous time. When constructing the systems of Kolmogorov equations, the dependence of the average intensity of changes in the base metric values on the current time was taken into account. Analytical linear functions were obtained that approximate the average values of the instantaneous intensity of changes in the base metric values within a quarter of a year, starting from January 1, 2017. For short-term forecasting, the emergence of vulnerabilities in the Astra Linux Special Edition operating system with specified properties, expressed as values of the CVSS v3.0 base metrics, was modeled probabilistically as a function of the number of days since the last software vulnerability was discovered. The initial conditions of the model are set to the base metric values of the most recently published software vulnerability. The possibility of calculating the stationary probabilities of occurrence of given CVSS v3.0 base metric values for long-term forecasting over a year is shown. The agreement between the statistical data for the fourth quarter of 2023 and the results of modeling the emergence of vulnerabilities with these properties confirmed the adequacy of the models and the reliability of the predictions. The approach can be applied in the development of software and information security tools, and in systems, both newly created and in operation, that ensure the information security of significant objects of critical information infrastructure.
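The sketch below is an added illustration, not code or data from the paper: it treats one CVSS v3.0 base metric, Attack Vector, as a continuous-time Markov chain, integrates the Kolmogorov forward equations with time-linear intensities for a short-term forecast, and computes stationary probabilities for the long-term case. It assumes that the state is the metric value of the most recently discovered vulnerability; the coefficient tables `A` and `B` are constructed sample values and all function names are hypothetical.

```python
# Added illustration: CVSS v3.0 Attack Vector as a continuous-time Markov chain.
STATES = ["N", "A", "L", "P"]  # Network, Adjacent, Local, Physical
N = len(STATES)
# Assumed linear intensities lambda_ij(t) = A[i][j] + B[i][j] * t (per day),
# with t in days inside one quarter (0..90). Constructed sample values.
A = [[0.000, 0.010, 0.120, 0.004],
     [0.150, 0.000, 0.060, 0.002],
     [0.200, 0.008, 0.000, 0.003],
     [0.100, 0.005, 0.080, 0.000]]
B = [[0.0, 0.0001, -0.0004, 0.0],
     [0.0005, 0.0, 0.0, 0.0],
     [0.0003, 0.0, 0.0, 0.0],
     [0.0, 0.0, 0.0002, 0.0]]

def generator(t):
    """Q(t): off-diagonal entries are the intensities, each row sums to zero."""
    q = [[max(A[i][j] + B[i][j] * t, 0.0) if i != j else 0.0
          for j in range(N)] for i in range(N)]
    for i in range(N):
        q[i][i] = -sum(q[i])
    return q

def deriv(p, t):
    """Right-hand side of the Kolmogorov forward equations dp/dt = p Q(t)."""
    q = generator(t)
    return [sum(p[i] * q[i][j] for i in range(N)) for j in range(N)]

def forecast(last_value, days, h=0.05):
    """Short-term forecast: RK4 from the last published vulnerability's value."""
    p = [1.0 if s == last_value else 0.0 for s in STATES]
    for step in range(round(days / h)):
        t = step * h
        k1 = deriv(p, t)
        k2 = deriv([x + h / 2 * k for x, k in zip(p, k1)], t + h / 2)
        k3 = deriv([x + h / 2 * k for x, k in zip(p, k2)], t + h / 2)
        k4 = deriv([x + h * k for x, k in zip(p, k3)], t + h)
        p = [x + h / 6 * (a + 2 * b + 2 * c + d)
             for x, a, b, c, d in zip(p, k1, k2, k3, k4)]
    return dict(zip(STATES, p))

def stationary(t_fixed, iters=5000):
    """Long-term forecast: solve pi Q = 0 for intensities frozen at t_fixed."""
    q = generator(t_fixed)
    rate = 1.1 * max(-q[i][i] for i in range(N))
    step = [[(i == j) + q[i][j] / rate for j in range(N)] for i in range(N)]
    pi = [1.0 / N] * N
    for _ in range(iters):  # power iteration on the uniformized chain
        pi = [sum(pi[i] * step[i][j] for i in range(N)) for j in range(N)]
    return dict(zip(STATES, pi))
```

Calling `forecast("L", 7)` gives the probability of each Attack Vector value seven days after a vulnerability with a Local vector was published, and `stationary(45)` gives the limiting distribution for intensities taken at mid-quarter.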
Keywords