摘要
Software vulnerability is always an enormous threat to software security. Quantitative analysis of software vulnerabilities is necessary to the evaluation and improvement of software security. Current vulnerability prediction models mainly focus on predicting the number of vulnerabilities regardless of the seriousness of vulnerabilities, therefore these models are unable to reflect the security level of software accurately. Starting from this, we propose a vulnerability prediction model based on probit regression in this paper. Unlike traditional ones, we measure the seriousness of vulnerability by the loss it causes and aim at predicting the accumulative vulnerability loss rather than the number of vulnerabilities. To validate our model, experiment is carried out on two soft- ware -- OpenSSL and Xpdf, and the experimental result shows a good performance of our model.
Software vulnerability is always an enormous threat to software security. Quantitative analysis of software vulnerabilities is necessary to the evaluation and improvement of software security. Current vulnerability prediction models mainly focus on predicting the number of vulnerabilities regardless of the seriousness of vulnerabilities, therefore these models are unable to reflect the security level of software accurately. Starting from this, we propose a vulnerability prediction model based on probit regression in this paper. Unlike traditional ones, we measure the seriousness of vulnerability by the loss it causes and aim at predicting the accumulative vulnerability loss rather than the number of vulnerabilities. To validate our model, experiment is carried out on two soft- ware -- OpenSSL and Xpdf, and the experimental result shows a good performance of our model.
基金
Supported by the Nuclear High Base Major Special(2012zx01039-004-46)
the National Development and Reform Commission Information Security Special(2012-1424)
