In this work, the authors discuss the simultaneous handling of identified vulnerabilities and their removal through patches. The conceptual analogy is borrowed from the well-established SIR epidemiological modelling framework. This analogy enables the creation of models that can simulate the spread of vulnerabilities, evaluate the effectiveness of patching, and assess the impact of different patch management strategies. At the time of software release, the system is susceptible (S), representing software systems vulnerable to a specific patchable vulnerability. With the continuous efforts of the debugging team, these vulnerabilities are identified, representing the state when the system has been marked as vulnerable but has not yet been patched (I). Since this is an ongoing process, one cannot wait for the discovery process to be completed before beginning the fixing process. The debugging team provides simultaneous patching services to remove and eliminate these security issues; this represents the state when systems have been patched and are no longer vulnerable to the specific flaw (R). The modelling framework created has been validated using a well-documented approximation method, the fourth-order Runge–Kutta (RK-4) method. Numerical illustrations are provided using real-life patch datasets. The results obtained are highly encouraging, and the outcomes of these datasets demonstrate the practical applicability of the proposed mathematical modelling approach.

错误:搜索内容不能为空,请输入英文关键词
错误:关键词超出字数限制,请精简
高级检索

Modelling Software Vulnerability Management Using the Epidemiological SIR Framework

  • Hitesh Kumar,
  • Adarsh Anand,
  • Mohini Agarwal

摘要

In this work, the authors discuss the simultaneous handling of identified vulnerabilities and their removal through patches. The conceptual analogy is borrowed from the well-established SIR epidemiological modelling framework. This analogy enables the creation of models that can simulate the spread of vulnerabilities, evaluate the effectiveness of patching, and assess the impact of different patch management strategies. At the time of software release, the system is susceptible (S), representing software systems vulnerable to a specific patchable vulnerability. With the continuous efforts of the debugging team, these vulnerabilities are identified, representing the state when the system has been marked as vulnerable but has not yet been patched (I). Since this is an ongoing process, one cannot wait for the discovery process to be completed before beginning the fixing process. The debugging team provides simultaneous patching services to remove and eliminate these security issues; this represents the state when systems have been patched and are no longer vulnerable to the specific flaw (R). The modelling framework created has been validated using a well-documented approximation method, the fourth-order Runge–Kutta (RK-4) method. Numerical illustrations are provided using real-life patch datasets. The results obtained are highly encouraging, and the outcomes of these datasets demonstrate the practical applicability of the proposed mathematical modelling approach.