Large-scale vulnerability analysis

Proceedings of the 2006 SIGCOMM Workshop on Large-scale Attack Defense, LSAD'06

Volumn 2006, Issue , 2006, Pages 131-138

  Frei, Stefan ^a   May, Martin ^a   Fiedler, Ulrich ^a   Plattner, Bernhard ^a  

^a ETH ZURICH   (Switzerland)

Author keywords

Business risk management; Disclosure date; Exploit; Intrusion detection; Patch; Security dynamics; Security exposure; Vulnerability lifecycle

Indexed keywords

COMPUTER PRIVACY; DISTRIBUTED COMPUTER SYSTEMS; LARGE SCALE SYSTEMS; RISK MANAGEMENT; SOFTWARE RELIABILITY;

BUSINESS RISK MANAGEMENT; DISCLOSURE DATES; SECURITY DYNAMICS; SECURITY EXPOSURE; VULNERABILITY LIFECYCLES;

INTRUSION DETECTION;

EID: 34248370608     PISSN: None     EISSN: None     Source Type: Conference Proceeding    
DOI: 10.1145/1162666.1162671     Document Type: Conference Paper

References (30)

1. NVD, "National vulnerability database," http://nvd.nist.gov/.
2. OSVDB, "The open source vulnerability database," http://www.osvdb.org/.
3. CERT, "Computer emergency response team coordination center," http://www.cert.org/.
4. SF, "Securityfocus," http://www.securityfocus.com/.
5. ISS, "Internet security systems," http://www.iss.net/.
6. Secunia, "Vulnerability and virus information," http://secunia.com/.
7. FrSirt, "French security incident response team," http://www.frsirt.com/.
8. R. Anderson, "Why information security is hard-an economic perspective," In Proceedings of 17th Annual Computer Security Applications Conference (ACSAC), 2001.
9. B. Schneier, "Cryptograin September 2000 - full disclosure and the window of exposure," http://www.schneier.com/crypto-gram-0009.html, 2000.
10. Organization for Internet Safety, "Guidelines for security vulnerability reporting and response - 2004," http://www.oisafety.org/ guidelines/, 2004.
11. W. A. Arbaugh, W. L. Fithen, and J. McHugh, "Windows of vulnerability: A case study analysis," IEEE Computer, vol. 33, 2000.
12. Ashish Arora, Ramayya Krishnan, Anand Nandkumar, Rahul Telang, and Yubao Yang, "Impact of vulnerability disclosure and patch availability - empirical analysis," in Proceedings of the Third Annual Workshop on Economics and Information Security (WEIS04), 2004.
13. Ashish Arora, Ramayya Krishnan, Rahul Telang, and Yubao Yang, "An empirical analysis of vendor response to disclosure policy," Tech. Rep., Carnegie Mellon University, March 2005.
14. Ashish Arora, Ramayya Krishnan, Rahul Telang, and Yubao Yang, "Empirical analysis of software vendors patching behavior, impact of vulnerability disclosure," Tech. Rep., Carnegie Mellon University, Jan 2006.
15. Qualys Research Report, 2005, "Laws of vulnerabilities," http://www.qualys.com/docs/Laws-Report.pdf, 2005.
16. B. Krebs, "Securityfix i, ii, iii," http://blog.washingtonpost. com/securityflx/, 2006.
17. Hasan Cavusoglu, Huseyin Cavusoglu, and S. Raghunathan, "Emerging issues in responsible vulnerability disclosure," in In the proceedings of WITS 2004, 2004.
18. Karthik Kannan and Rahul Telang, "An economic analysis of market for software vulnerabilities," http://www.dtc.umn.edu/weis2004/kannan-telang. pdf, 2004.
19. Full Disclosure, "Full disclosure mailing list," http://lists.grok.org.uk/full-disclosure-charter.html.
20. Bruce Schneier, "The nonsecurity of secrecy," in Communications of the ACM v. 47, 2004, p. 120, ? 2004.
21. CVE, "Common vulnerabilities and exposures list (eve)," http://cve.mitre.org/cve/.
22. CVSS, "Common vulnerability scoring system (cvss)," http://www.first.org/cvss/.
23. NGS, "Ngs software," http://www.ngssoftware.com/advisory.htm.
24. eEye, "eeye digital security," http://www.eeye.com/html/ research/advisories/index.html.
25. iDefense, "idefense," http://www.idefense.com/intelligence/ vulnerabilities/.
26. milw0rm, "Milw0rm exploit archive," http://www.milw0rm.com.
27. PacketStorm, "Packetstorm security," http://www. packetstormsecurity.org/assess/exploits/.
28. Metasploit, "Metasploit project," http://www.metasploit.com.
29. B. Krishnamurthy and J. Rexford, Continuous Univariante Distributions, vol. 1, Wiley Series in Probability and Mathematical Statistics, 2 edition, 1994.
30. Stefan Frei, "The speed of (in)security web site," http://www.techzoom.net/risk/.