International Journal of Mathematical, Engineering and Management Sciences

ISSN: 2455-7749

Modeling and Characterizing Software Vulnerabilities


Navneet Bhatt
Department of Operational Research, University of Delhi, Delhi-110007, India.

Adarsh Anand
Department of Operational Research, University of Delhi, Delhi-110007, India.

V. S. S. Yadavalli
Department of Industrial and Systems Engineering, University of Pretoria, Republic of South Africa.

Vijay Kumar
Amity University, Noida, Uttar Pradesh, India.

DOI https://dx.doi.org/10.33889/IJMEMS.2017.2.4-022

Received on December 13, 2016
Accepted on March 24, 2017


With software security assurance now part of the development of code-based systems, software developers rely on vulnerability discovery models to mitigate breaches by estimating the total number of vulnerabilities before intruders exploit them. Vulnerability Discovery Models (VDMs) give a quantitative characterization of the flaws that exist in a software product and will be discovered after it is released. In this paper, we develop a vulnerability discovery model in which vulnerabilities accumulate under the influence of previously discovered vulnerabilities. We further evaluate the proportion of previously discovered vulnerabilities along with the fraction of additional vulnerabilities detected. The quantification methodology presented in this article is accompanied by an empirical illustration on vulnerability data from popular operating systems.

Keywords- Vulnerability discovery modeling, Software security, Vulnerability categorization.
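As an added illustration of what a vulnerability discovery model delivers, the snippet below fits the Alhazmi-Malaiya logistic (AML) model of Alhazmi & Malaiya (2005), listed in the references, to a cumulative monthly vulnerability count series and reads off the fitted total B, the quantity the abstract refers to as the total number of vulnerabilities. This is example code written for this page, not the model developed in the paper (which this page does not reproduce) and not the authors' code. The data series, the parameter values, the pure-Python fitting routine and the helper names (`aml`, `fit_aml`, `undiscovered`) are assumptions for the example.

```python
"""Added illustration: fit the Alhazmi-Malaiya logistic (AML) vulnerability
discovery model to a cumulative count series and read off the estimated total
number of vulnerabilities.  Pure Python (no SciPy), so it runs anywhere."""
import math


def aml(t, a, b, c):
    """AML model: expected cumulative vulnerabilities discovered by time t.
    a scales the discovery rate, b is the total number of vulnerabilities the
    model predicts will ever be found, c sets the initial count."""
    return b / (b * c * math.exp(-a * b * t) + 1.0)


# Constructed illustration data (not the paper's dataset): the AML curve with
# a = 0.0004, b = 600, c = 0.1 sampled monthly and rounded to whole
# vulnerabilities, the way a CVE count series for a hypothetical OS release
# would look.  The fit below must recover b without being told it.
_TRUE_A, _TRUE_B, _TRUE_C = 0.0004, 600.0, 0.1
MONTHS = list(range(1, 31))
CUMULATIVE = [round(aml(t, _TRUE_A, _TRUE_B, _TRUE_C)) for t in MONTHS]


def _profile_fit(ts, ys, b):
    """For a fixed total b, recover a and c by ordinary least squares on the
    linearised model  ln(b/y - 1) = ln(b*c) - (a*b)*t.  Requires b > max(ys)."""
    n = len(ts)
    zs = [math.log(b / y - 1.0) for y in ys]
    mt = sum(ts) / n
    mz = sum(zs) / n
    sxx = sum((t - mt) ** 2 for t in ts)
    sxy = sum((t - mt) * (z - mz) for t, z in zip(ts, zs))
    slope = sxy / sxx            # estimates -a*b
    intercept = mz - slope * mt  # estimates ln(b*c)
    return -slope / b, math.exp(intercept) / b


def _sse(ts, ys, a, b, c):
    """Sum of squared residuals on the original count scale."""
    return sum((y - aml(t, a, b, c)) ** 2 for t, y in zip(ts, ys))


def fit_aml(ts, ys, grid_points=200, span=20.0):
    """Estimate (a, b, c, sse).  b is profiled out: a and c come from
    _profile_fit for each candidate b, and b itself is chosen by a log-spaced
    grid search starting just above the largest observed count, then refined
    by golden-section search inside the best grid cell."""
    if any(y <= 0 for y in ys) or any(y2 < y1 for y1, y2 in zip(ys, ys[1:])):
        raise ValueError("cumulative counts must be positive and non-decreasing")
    floor = max(ys)  # the total can never be below what was already found

    def objective(b):
        a, c = _profile_fit(ts, ys, b)
        return _sse(ts, ys, a, b, c)

    lo, hi = floor * 1.001, floor * span
    ratio = (hi / lo) ** (1.0 / (grid_points - 1))
    best_b = min((lo * ratio ** i for i in range(grid_points)), key=objective)

    phi = (math.sqrt(5.0) - 1.0) / 2.0
    lo_b, hi_b = max(best_b / ratio, floor * 1.0001), best_b * ratio
    x1, x2 = hi_b - phi * (hi_b - lo_b), lo_b + phi * (hi_b - lo_b)
    f1, f2 = objective(x1), objective(x2)
    for _ in range(60):
        if f1 < f2:
            hi_b, x2, f2 = x2, x1, f1
            x1 = hi_b - phi * (hi_b - lo_b)
            f1 = objective(x1)
        else:
            lo_b, x1, f1 = x1, x2, f2
            x2 = lo_b + phi * (hi_b - lo_b)
            f2 = objective(x2)
    b = (lo_b + hi_b) / 2.0
    a, c = _profile_fit(ts, ys, b)
    return a, b, c, _sse(ts, ys, a, b, c)


def undiscovered(ts, ys):
    """Estimated vulnerabilities still to be found: fitted total minus the
    latest observed cumulative count."""
    _, b, _, _ = fit_aml(ts, ys)
    return b - ys[-1]


if __name__ == "__main__":
    a, b, c, sse = fit_aml(MONTHS, CUMULATIVE)
    print(f"fitted a={a:.5f} b={b:.1f} c={c:.4f} sse={sse:.2f}")
    print(f"found so far: {CUMULATIVE[-1]}, estimated remaining: {b - CUMULATIVE[-1]:.1f}")
```

The estimate of B is only well determined once the observed series has passed the inflection point of the S-curve (here around month 17); fits on early-lifecycle data leave B poorly constrained, so a VDM-based estimate of remaining vulnerabilities should always be reported together with the goodness of fit and the portion of the curve the data actually cover.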


Bhatt, N., Anand, A., Yadavalli, V. S. S., & Kumar, V. (2017). Modeling and Characterizing Software Vulnerabilities. International Journal of Mathematical, Engineering and Management Sciences, 2(4), 288-299. https://dx.doi.org/10.33889/IJMEMS.2017.2.4-022.

Conflict of Interest



Alhazmi, O. H., & Malaiya, Y. K. (2005, November). Modeling the vulnerability discovery process. In 16th IEEE International Symposium on Software Reliability Engineering (ISSRE'05) (pp. 1-10). IEEE.

Anand, A., & Bhatt, N. (2016). Vulnerability discovery modeling and weighted criteria based ranking. Journal of the Indian Society for Probability and Statistics, 17(1), 1-10.

Anand, A., Das, S., Aggrawal, D., & Klochkov, Y. (2017). Vulnerability discovery modelling for software with multi-versions. In Advances in Reliability and System Engineering (pp. 255-265). Springer International Publishing.

Anderson, R. (2002). Security in open versus closed systems—the dance of Boltzmann, Coase and Moore. Technical report, Cambridge University, England.

Brady, R. M., Anderson, R., & Ball, R. C. (1999). Murphy's law, the fitness of evolving species, and the limits of software reliability (No. 471). University of Cambridge, Computer Laboratory.

Joh, H., Kim, J., & Malaiya, Y. K. (2008, November). Vulnerability discovery modeling using Weibull distribution. In 2008 19th International Symposium on Software Reliability Engineering (ISSRE) (pp. 299-300). IEEE.

Kapur, P. K., & Garg, R. B. (1992). A software reliability growth model for an error-removal phenomenon. Software Engineering Journal, 7(4), 291-294.

Kapur, P. K., Sachdeva, N., & Khatri, S. K. (2015). Vulnerability discovery modeling. In International Conference on Quality, Reliability, Infocom Technology and Industrial Technology Management (pp. 34-54).

Kim, J., Malaiya, Y. K., & Ray, I. (2007, November). Vulnerability discovery in multi-version software systems. In High Assurance Systems Engineering Symposium, 2007. HASE'07. 10th IEEE (pp. 141-148). IEEE.

Krsul, I. V. (1998). Software vulnerability analysis (Doctoral dissertation, Purdue University).

Mac OS X Server. (2016). Vulnerability statistics. http://www.cvedetails.com/product/2274/Apple-Mac-Os-X-Server.html?vendor_id=49. Accessed 6 February, 2016.

Mac OS X. (2016). Vulnerability statistics. http://www.cvedetails.com/product/156/Apple-Mac-Os-X.html?vendor_id=49. Accessed 6 February, 2016.

Massacci, F., & Nguyen, V. H. (2014). An empirical methodology to evaluate vulnerability discovery models. IEEE Transactions on Software Engineering, 40(12), 1147-1162.

Needham, R. (2002). Security and open source. In Open Source Software Economics. Available at http://idei.fr/doc/conf/sic/papers 2002/needham.pdf.

Rescorla, E. (2005). Is finding security holes a good idea?. IEEE Security & Privacy, 3(1), 14-19.

Windows XP. (2016). Vulnerability statistics. http://www.cvedetails.com/product/739/Microsoft-Windows-Xp.html?vendor_id=26. Accessed 6 February, 2016.

Windows 7. (2016). Vulnerability statistics. https://www.cvedetails.com/product/17153/Microsoft-Windows-7.html?vendor_id=26. Accessed 28 December, 2016.

Windows Server 2008. (2016). Vulnerability statistics. https://www.cvedetails.com/product/11366/Microsoft-Windows-Server-2008.html?vendor_id=26. Accessed 20 February, 2016.

Younis, A., Joh, H., & Malaiya, Y. (2011). Modeling learningless vulnerability discovery using a folded distribution. In Proc. of SAM (Vol. 11, pp. 617-623).