Exploring the clustering of software vulnerability disclosure notifications across software vendors

Jukka Ruohonen; Johannes Holvitie; Sami Hyrynsalmi; Ville Leppänen

doi:10.1109/AICCSA.2016.7945696

Exploring the clustering of software vulnerability disclosure notifications across software vendors

Jukka Ruohonen
, Johannes Holvitie
, Sami Hyrynsalmi
, Ville Leppänen

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution › Scientific › peer-review

6 Citations (Scopus)

Abstract

This exploratory empirical paper investigates annual time delays between vulnerability disclosure notiﬁcations and acknowledgments by means of network analysis. These delays are approached through a potential clustering effect of vulnerabilities across software vendors. The analysis is based on a projection from bipartite vendor-vulnerability structures to one-mode vendor-vendor networks, while the hypothesized clustering effect is approached with a conventional community detection algorithm. According to the results, (a) vulnerabilities cluster across vendors, (b) which also explains a portion of the time delays, although (c) the clustering is not stable annually. The computed network (d) clusters can be also interpreted by reﬂecting these against common software security attack surfaces. The results can be used to contemplate (e) practical means with which the efﬁciency of vulnerability disclosure could be improved.

Original language	English
Title of host publication	2016 IEEE/ACS 13th International Conference on Computer Systems and Applications (AICCSA)
Subtitle of host publication	Agadir, Morocco. Nov. 29 - Dec. 2.2016
Publisher	IEEE
Pages	1-8
Number of pages	8
ISBN (Electronic)	978-1-5090-4320-0
DOIs	https://doi.org/10.1109/AICCSA.2016.7945696
Publication status	Published - 12 Jun 2017
Publication type	A4 Article in conference proceedings
Event	ACS/IEEE International Conference of Computer Systems and Applications - Duration: 28 Aug 2017 → …

Publication series

Name	ACS/IEEE INTERNATIONAL CONFERENCE ON COMPUTER SYSTEMS AND APPLICATIONS
ISSN (Electronic)	2161-5330

Conference

Conference	ACS/IEEE International Conference of Computer Systems and Applications
Period	28/08/17 → …

Publication forum classification

Publication forum level 1

Access to Document

10.1109/AICCSA.2016.7945696

Cite this

Ruohonen, J., Holvitie, J., Hyrynsalmi, S., & Leppänen, V. (2017). Exploring the clustering of software vulnerability disclosure notifications across software vendors. In 2016 IEEE/ACS 13th International Conference on Computer Systems and Applications (AICCSA): Agadir, Morocco. Nov. 29 - Dec. 2.2016 (pp. 1-8). (ACS/IEEE INTERNATIONAL CONFERENCE ON COMPUTER SYSTEMS AND APPLICATIONS). IEEE. https://doi.org/10.1109/AICCSA.2016.7945696

Ruohonen, Jukka ; Holvitie, Johannes ; Hyrynsalmi, Sami et al. / Exploring the clustering of software vulnerability disclosure notifications across software vendors. 2016 IEEE/ACS 13th International Conference on Computer Systems and Applications (AICCSA): Agadir, Morocco. Nov. 29 - Dec. 2.2016. IEEE, 2017. pp. 1-8 (ACS/IEEE INTERNATIONAL CONFERENCE ON COMPUTER SYSTEMS AND APPLICATIONS).

@inproceedings{0c1be08a3ef144e6894828aa332f64c6,

title = "Exploring the clustering of software vulnerability disclosure notifications across software vendors",

abstract = "This exploratory empirical paper investigates annual time delays between vulnerability disclosure notiﬁcations and acknowledgments by means of network analysis. These delays are approached through a potential clustering effect of vulnerabilities across software vendors. The analysis is based on a projection from bipartite vendor-vulnerability structures to one-mode vendor-vendor networks, while the hypothesized clustering effect is approached with a conventional community detection algorithm. According to the results, (a) vulnerabilities cluster across vendors, (b) which also explains a portion of the time delays, although (c) the clustering is not stable annually. The computed network (d) clusters can be also interpreted by reﬂecting these against common software security attack surfaces. The results can be used to contemplate (e) practical means with which the efﬁciency of vulnerability disclosure could be improved.",

author = "Jukka Ruohonen and Johannes Holvitie and Sami Hyrynsalmi and Ville Lepp{\"a}nen",

year = "2017",

month = jun,

day = "12",

doi = "10.1109/AICCSA.2016.7945696",

language = "English",

series = "ACS/IEEE INTERNATIONAL CONFERENCE ON COMPUTER SYSTEMS AND APPLICATIONS",

publisher = "IEEE",

pages = "1--8",

booktitle = "2016 IEEE/ACS 13th International Conference on Computer Systems and Applications (AICCSA)",

address = "United States",

note = "ACS/IEEE International Conference of Computer Systems and Applications ; Conference date: 28-08-2017",

}

Ruohonen, J, Holvitie, J, Hyrynsalmi, S & Leppänen, V 2017, Exploring the clustering of software vulnerability disclosure notifications across software vendors. in 2016 IEEE/ACS 13th International Conference on Computer Systems and Applications (AICCSA): Agadir, Morocco. Nov. 29 - Dec. 2.2016. ACS/IEEE INTERNATIONAL CONFERENCE ON COMPUTER SYSTEMS AND APPLICATIONS, IEEE, pp. 1-8, ACS/IEEE International Conference of Computer Systems and Applications, 28/08/17. https://doi.org/10.1109/AICCSA.2016.7945696

Exploring the clustering of software vulnerability disclosure notifications across software vendors. / Ruohonen, Jukka; Holvitie, Johannes; Hyrynsalmi, Sami et al.
2016 IEEE/ACS 13th International Conference on Computer Systems and Applications (AICCSA): Agadir, Morocco. Nov. 29 - Dec. 2.2016. IEEE, 2017. p. 1-8 (ACS/IEEE INTERNATIONAL CONFERENCE ON COMPUTER SYSTEMS AND APPLICATIONS).

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution › Scientific › peer-review

TY - GEN

T1 - Exploring the clustering of software vulnerability disclosure notifications across software vendors

AU - Ruohonen, Jukka

AU - Holvitie, Johannes

AU - Hyrynsalmi, Sami

AU - Leppänen, Ville

PY - 2017/6/12

Y1 - 2017/6/12

N2 - This exploratory empirical paper investigates annual time delays between vulnerability disclosure notiﬁcations and acknowledgments by means of network analysis. These delays are approached through a potential clustering effect of vulnerabilities across software vendors. The analysis is based on a projection from bipartite vendor-vulnerability structures to one-mode vendor-vendor networks, while the hypothesized clustering effect is approached with a conventional community detection algorithm. According to the results, (a) vulnerabilities cluster across vendors, (b) which also explains a portion of the time delays, although (c) the clustering is not stable annually. The computed network (d) clusters can be also interpreted by reﬂecting these against common software security attack surfaces. The results can be used to contemplate (e) practical means with which the efﬁciency of vulnerability disclosure could be improved.

AB - This exploratory empirical paper investigates annual time delays between vulnerability disclosure notiﬁcations and acknowledgments by means of network analysis. These delays are approached through a potential clustering effect of vulnerabilities across software vendors. The analysis is based on a projection from bipartite vendor-vulnerability structures to one-mode vendor-vendor networks, while the hypothesized clustering effect is approached with a conventional community detection algorithm. According to the results, (a) vulnerabilities cluster across vendors, (b) which also explains a portion of the time delays, although (c) the clustering is not stable annually. The computed network (d) clusters can be also interpreted by reﬂecting these against common software security attack surfaces. The results can be used to contemplate (e) practical means with which the efﬁciency of vulnerability disclosure could be improved.

U2 - 10.1109/AICCSA.2016.7945696

DO - 10.1109/AICCSA.2016.7945696

M3 - Conference contribution

T3 - ACS/IEEE INTERNATIONAL CONFERENCE ON COMPUTER SYSTEMS AND APPLICATIONS

SP - 1

EP - 8

BT - 2016 IEEE/ACS 13th International Conference on Computer Systems and Applications (AICCSA)

PB - IEEE

T2 - ACS/IEEE International Conference of Computer Systems and Applications

Y2 - 28 August 2017

ER -

Ruohonen J, Holvitie J, Hyrynsalmi S, Leppänen V. Exploring the clustering of software vulnerability disclosure notifications across software vendors. In 2016 IEEE/ACS 13th International Conference on Computer Systems and Applications (AICCSA): Agadir, Morocco. Nov. 29 - Dec. 2.2016. IEEE. 2017. p. 1-8. (ACS/IEEE INTERNATIONAL CONFERENCE ON COMPUTER SYSTEMS AND APPLICATIONS). doi: 10.1109/AICCSA.2016.7945696

Exploring the clustering of software vulnerability disclosure notifications across software vendors

Abstract

Publication series

Conference

Publication forum classification

Access to Document

Fingerprint

Cite this