Vulnerability Analysis for a Quantitative Security Evaluation

This paper presents the quantitative characterization of vulnerability life cycle and of exploit creation by probability distributions. This work aims at helping the production of quantitative measures of information system security considering system environment. In this paper, we focus on two environmental factors: 1) the vulnerability life cycle and 2) the attacker behaviour. We look for the probability distributions and their parameters that could model quantatively these environmental factor events. Thus, to obtain precise measures, it is needed to characterize these events using real data. For that purpose, we first selected an appropriate vulnerability database by comparing the existing and available ones. We choose the Open Source Vulnerability DataBase. After having brought back the data we need, we evaluate quantitatively the model parameters related to the vulnerability life cycle and the attacker behaviour. In doing so, we look for specificities of vulnerability categories to define the parameterization of our quantitative security evaluation modelling more precisely.