Android Güvenlik Açıklarının Modellenmesi: İstatistiksel Dağılımlardan Analizler

Yıl 2024, Cilt: 8 Sayı: 2, 110 - 126

Kerem Gencer , Fatih Basciftci

https://doi.org/10.33461/uybisbbd.1524207

Öz

Android işletim sistemi, multimedya özelliklerini destekleyen bir mobil işletim sistemidir. Android, ses, video, resim ve diğer multimedya içeriklerini oynatmak, kaydetmek, düzenlemek ve paylaşmak için çok çeşitli uygulamalar ve entegre özellikler sunar. Çoğu Android cihazda kamera, hoparlör, mikrofon ve diğer multimedya bileşenleri bulunur. Yazılım güvenliğinde, güvenlik açıkları genellikle yazılım geliştirme sırasında ortaya çıkan kritik endişelerdir. Bu güvenlik açıklarını sürümden sonra tahmin etmek, risk değerlendirmesi ve azaltma için önemlidir. Çeşitli modeller araştırılmış olsa da Android işletim sistemi nispeten keşfedilmemiş durumdadır. Bu çalışma, yaygın olarak kullanılan Alhazmi-Malaiya Lojistik (AML) modeline uygunluklarını karşılaştırarak, farklı istatistiksel dağılımlar kullanarak Android güvenlik açıklarını modellemeyi araştırmaktadır. 2016'dan 2018'e kadar uzanan Ulusal Güvenlik Açığı Veritabanı'ndan (NVD) alınan veriler ve Ortak Güvenlik Açığı Puanlama Sistemi (CVSS) puanları analiz edilmiştir. Çalışma, aylık güvenlik açığı sayıları ve ortalama aylık etki değerleri için Lojistik, Weibull, Nakagami, Gamma ve Log-lojistik dahil olmak üzere çeşitli dağıtım modellerini değerlendirir. Model sağlamlığı değerlendirmesi için uyum iyiliği testleri ve bilgi kriterleri uygulandı. Bulgular, araştırmacılar ve Android yazılım geliştiricileri için değerli içgörüler sunarak tahmin, risk değerlendirmesi, kaynak tahsisi ve araştırma yönüne yardımcı olur. Ortalama aylık etki değerleri ve aylık güvenlik açığı sayıları için sırasıyla lojistik ve Nakagami dağılımları en uygun modeller olarak ortaya çıkmıştır. Son olarak, istatistiksel yöntemler, anlaşılabilirlik, veri miktarı, hesaplama ihtiyacı ve veri bağımsızlığı gibi esnek özellikleri nedeniyle küçük veri kümeleri veya daha net tanımlanmış veriler için bilinen yapay zekâ yöntemlerine karşı daha iyi performans gösterir.

Anahtar Kelimeler

İstatistiksel dağılımlar, Android güvenlik açıkları, Yazılım güvenliği, Güvenlik açığı keşif modeli

Modeling Android Security Vulnerabilities: Insights from Statistical Distributions

Öz

Android operating system is a mobile operating system that supports multimedia features. Android offers a wide range of applications and integrated features for playing, recording, editing and sharing audio, video, images and other multimedia content. Most Android devices include cameras, speakers, microphones, and other multimedia components. In software security, vulnerabilities are critical concerns that often emerge during software development. Predicting these vulnerabilities post-release is essential for risk assessment and mitigation. While various models have been explored, the Android operating system remains relatively uncharted. This study delves into modeling Android security vulnerabilities using different statistical distributions, comparing their suitability to the widely-used Alhazmi-Malaiya Logistic (AML) model. Data from the National Vulnerability Database (NVD) spanning 2016 to 2018, along with Common Vulnerability Scoring System (CVSS) scores, was analyzed. The study evaluates several distribution models, including Logistic, Weibull, Nakagami, Gamma, and Log-logistic, for monthly vulnerability counts and average monthly impact values. Goodness-of-fit tests and information criteria were applied for model robustness assessment. The findings offer valuable insights for researchers and Android software developers, aiding prediction, risk assessment, resource allocation, and research direction. Logistic and Nakagami distributions emerged as the best-fit models for average monthly impact values and monthly vulnerability counts, respectively. Finally, statistical methods perform better against known artificial intelligence methods for small data sets or more clearly defined data due to their flexible features such as comprehensibility, amount of data, need for calculation, and data independence.

Anahtar Kelimeler

Statistical distributions, Android vulnerabilities, Software security, Vulnerability discovery model

Kaynakça

• Ahmad, M. I., Sinclair, C. D. and Werritty, A., 1988, Log-Logistic Flood Frequency Analysis, Journal Of Hydrology, 98 (3), 205-224.
• Akaike, H., 1974, A New Look At The Statistical Model Identification, Ieee Transactions On Automatic Control, 19 (6), 716-723.
• Alhazmi, O., Malaiya, Y. Ve Ray, I., 2005, Security Vulnerabilities In Software Systems: A Quantitative Perspective, Data And Applications Security Xix, Berlin, Heidelberg, 281-294.
• Alhazmi, O. H. and Malaiya, Y. K., 2005a, Modeling The Vulnerability Discovery Process, 16th Ieee International Symposium On Software Reliability Engineering (Issre'05), Ten Pp.-138.
• Alhazmi, O. H. and Malaiya, Y. K., 2005b, Quantitative Vulnerability Assessment Of Systems Software, Annual Reliability And Maintainability Symposium, 2005. Proceedings, 615-620.
• Alhazmi, O. H. and Malaiya, Y. K., 2006a, Measuring And Enhancing Prediction Capabilities Of Vulnerability Discovery Models For Apache And Iis Http Servers, 17th International Symposium On Software Reliability Engineering, 343-352.
• Alhazmi, O. H. and Malaiya, Y. K., 2006b, Prediction Capabilities Of Vulnerability Discovery Models, Rams '06. Annual Reliability And Maintainability Symposium, 2006., 86-91.
• Alhazmi, O. H., Malaiya, Y. K. and Ray, I., 2007, Measuring, Analyzing And Predicting Security Vulnerabilities In Software Systems, Computers & Security, 26 (3), 219-228.
• Alhazmi, O. H. and Malaiya, Y. K., 2008, Application Of Vulnerability Discovery Models To Major Operating Systems, Ieee Transactions On Reliability, 57 (1), 14-22.
• Anand, A. and Bhatt, N., 2016, Vulnerability Discovery Modeling And Weighted Criteria Based Ranking, Journal Of The Indian Society For Probability And Statistics, 17 (1), 1-10.
• Anand, A., Das, S., Agrawal, D. Ve Klochkov, Y., 2017, Vulnerability Discovery Modelling For Software With Multi-Versions, In: Advances In Reliability And System Engineering, Eds: Ram, M. Ve Davim, J. P., Cham: Springer International Publishing, P. 255-265.
• Anderson, R., 2002, Security In Open Versus Closed Systems -The Dance Of Boltzmann, Coase And Moore, Open Source Software Economics, 127-142.
• Anderson, T. W. and Darling, D. A., 1954, A Test Of Goodness Of Fit, Journal Of The American Statistical Association, 49 (268), 765-769.
• Bhatt, N., Anand, A., Yadavalli, V. S. S. and Kumar, V., 2017, Modeling And Characterizing Software Vulnerabilities, International Journal Of Mathematical, Engineering And Management Sciences, 2 (4), 288-299.
• Boland, P. J., 2007, Statistical And Probabilistic Methods In Actuarial Science, Usa, Taylor & Francis Inc, P. 43.
• Casella, G. and Berger, R. L., 2001, Statistical Inference Usa, Duxbury, P. 102.
• Cavanaugh, J. E., 1997, Unifying The Derivations For The Akaike And Corrected Akaike Information Criteria, Statistics & Probability Letters, 33 (2), 201-208.
• Chen, K., Feng, D.-G., Su, P.-R., Nie, C.-J. and Zhang, X.-F., 2010, Multi-Cycle Vulnerability Discovery Model For Prediction, Journal Of Software, 21 (9), 2367-2375.
• Cramér, H., 1928, On The Composition Of Elementary Errors, Scandinavian Actuarial Journal, 1928 (1), 141-180.
• Cvedetails, 2019, https://www.cvedetails.com/browse-by-date.php, [Accessed Date: 10 June 2024].
• Decani, J. S. and Stine, R. A., 1986, A Note On Deriving The Information Matrix For A Logistic Distribution, The American Statistician, 40 (3), 220-222.
• Gencer, K. and Başçiftçi, F. 2021, Time series forecast modeling of vulnerabilities in the android operating system using ARIMA and deep learning methods. Sustainable Computing: Informatics and Systems, 30, 100515.
• Gencer, K. and Başçiftçi, F. 2021, The fuzzy common vulnerability scoring system (F-CVSS) based on a least squares approach with fuzzy logistic regression. Egyptian Informatics Journal, 22(2), 145-153.
• Hogg, R. V. and Craig, A. T., 1978, Introduction To Mathematical Statistics Newyork, Macmillan, P. 109.
• Hurvich, C. M. and Tsai, C.-L., 1989, Regression And Time Series Model Selection In Small Samples, Biometrika, 76 (2), 297-307.
• Joh, H., Kim, J. and Malaiya, Y. K., 2008, Vulnerability Discovery Modeling Using Weibull Distribution, 2008 19th International Symposium On Software Reliability Engineering (Issre), 299-300.
• Johnston, R., 2018, A Multivariate Bayesian Approach To Modeling Vulnerability Discovery In The Software Security Lifecycle, Ph.D, George Washington University, Washington, Dc, Usa, 55-65.
• Johnston, R., Sarkani, S., Mazzuchi, T., Holzer, T. and Eveleigh, T., 2018, Multivariate Models Using Mcmcbayes For Web-Browser Vulnerability Discovery, Reliability Engineering & System Safety, 176, 52-61.
• Kansal, Y., Kapur, P. K., Kumar, U. and Kumar, D., 2017, User-Dependent Vulnerability Discovery Model And Its Interdisciplinary Nature, Life Cycle Reliability And Safety Engineering, 6 (1), 23-29.
• Kansal, Y., Kapur, P. K. and Kumar, U., 2018, Coverage-Based Vulnerability Discovery Modeling To Optimize Disclosure Time Using Multiattribute Approach, Quality And Reliability Enginering International, 35 (1), 62-73.
• Kantam, R. R. L., Rosaiah, K. and Rao, G. S., 2001, Acceptance Sampling Based On Life Tests: Log-Logistic Model, Journal Of Applied Statistics, 28 (1), 121-128.
• Kim, J., Malaiya, Y. K. and Ray, I., 2007, Vulnerability Discovery In Multi-Version Software Systems, 10th Ieee High Assurance Systems Engineering Symposium (Hase'07), 141-148.
• Kim, K. and Latchman, H. A., 2009, Statistical Traffic Modeling Of Mpeg Frame Size: Experiments And Analysis. Journal Of Systemics, Cybernetics And Informatics, 7 (6), 54-59.
• Klein, J. P. and Moeschberger, M. L., 1997, Survival Analysis Techniques For Censored And Truncated Data, Newyork, Springer, P. 277.
• Kleinbaum, D. G. and Klein, M., 2005, Survival Analysis: A Self-Learning Text, Usa, Springer, P. 590.
• Kolmogorov, A. N., 1933, Sulla Determinazone Empirica Di Une Legge Di Distribuzione, G. İst. Attuari, 83-91.
• Lawless, J. F., 2003, Statistics Models And Methods For Lifetime Data, New Jersey, John Wiley & Sons, P. 630.
• Lee, E. T. and Wenyu, J. W., 2003, Statistical Methods For Survival Data Analysis, Newyork, John Wiley &Sons, P. 513.
• Machin, D., Cheung, Y. B. and Parmar, M., 2006, Survival Analysis: A Practical Approach, England, John Wiley & Sons, P. 266.
• Massacci, F. and Nguyen, V. H., 2014, An Empirical Methodology To Evaluate Vulnerability Discovery Models, Ieee Transactions On Software Engineering, 40 (12), 1147-1162.
• Mclachlan, G. and Peel, D., 2001, Finite Mixture Model, Newyork, Wiley, P. 419.
• Movahedi, Y., Cukier, M. and Gashi, I., 2019, Vulnerability Prediction Capability: A Comparison Between Vulnerability Discovery Models And Neural Network Models, Computers & Security, 87, 1-10.
• Nakagami, M., 1960, The M-Distribution—A General Formula Of Intensity Distribution Of Rapid Fading, In: Statistical Methods In Radio Wave Propagation, Eds: Hoffman, W. C.: Pergamon, P. 3-36.
• Nakahara , H. and Carcolé, E., 2010, Maximum-Likelihood Method For Estimating Coda Q And The Nakagami-M Parameter, Bulletin Of The Seismological Society Of America, 100 (6), 3174-3182.
• Nelson, W. B., 1982, Applied Life Data Analysis, Canada, John Wiley & Sons, P. 634. Nvd, 2019,https://nvd.nist.gov/ [Accessed Date: 10 June 2024].
• Ozment, A., 2007, Improving Vulnerability Discovery Models. Proceedings Of The 2007 Acm Workshop On Quality Of Protection. Alexandria, Virginia, Usa, Acm: 6-11.
• Pokhrel, N. R., Rodrigo, H. and Tsokos, C. P., 2017, Cybersecurity: Time Series Predictive Modeling Of Vulnerabilities Of Desktop Operating System Using Linear And Non-Linear Approach, 8 (4), 362-382.
• Rahimi, S. and Zargham, M., 2013, Vulnerability Scrying Method For Software Vulnerability Discovery Prediction Without A Vulnerability Database, Ieee Transactions On Reliability, 62 (2), 395-407.
• Rescorla, E., 2005, Is Finding Security Holes A Good Idea?, Ieee Security & Privacy, 3 (1), 14-19.
• Sarkar, S., Goel, N. K. and Mathur, B. S., 2009, Adequacy Of Nakagami- M Distribution Function To Derive Giuh, Journal Of Hydrologic Engineering, 14 (10), 1070-1079.
• Sarkar, S., Goel, N. K. and Mathur, B. S., 2010, Performance Investigation Of Nakagami- M Distribution To Derive Flood Hydrograph By Genetic Algorithm Optimization Approach, Journal Of Hydrologic Engineering, 15 (8), 658-666.
• Scandariato, R. and Walden, J., 2012, Predicting Vulnerable Classes In An Android Application. Proceedings Of The 4th International Workshop On Security Measurements And Metrics. Lund, Sweden, Acm: 11-16.
• Scandariato, R., Walden, J., Hovsepyan, A. and Joosen, W., 2014, Predicting Vulnerable Software Components Via Text Mining, Ieee Transactions On Software Engineering, 40 (10), 993-1006.
• Shankar, P. M., Piccoli, C. W., Reid, J. M., Forsberg, F. and Goldberg, B. B., 2005, Application Of The Compound Probability Density Function For Characterization Of Breast Masses In Ultrasound B Scans, Physics In Medicine And Biology, 50 (10), 2241-2248.
• Shoukri, M. M., Mian, I. U. H. and Tracy, D. S., 1988, Sampling Properties Of Estimators Of The Log-Logistic Distribution With Application To Canadian Precipitation Data, Canadian Journal Of Statistics, 16 (3), 223-236.
• Smirnov, N., 1939, On The Estimation Of The Discrepancy Between Emprical Curves Of Distribution For Two Independent Samples, Bulletin Mathématique De L′Université De Moscow, 2 (2), 3-11.
• Tsui, P.-H., Huang, C.-C. and Wang, S.-H., 2006, Use Of Nakagami Distribution And Logarithmic Compression In Ultrasonic Tissue Characterization, Journal Of Medical And Biological Engineering, 26 (2), 69.
• Türksen, I. B., Khaniyev, T. and Gokpinar, F., 2015, Investigation Of Fuzzy Inventory Model Of Type (S, S) With Nakagami Distributed Demands, Journal Of Intelligent & Fuzzy Systems, 29 (2), 531-538.
• Ucal, M. Ş., 2006, Ekonometrik Model Seçim Kriterleri Üzerine Kisa Bir İnceleme, C.Ü. İktisadi Ve İdari Bilimler Fakültesi, 7 (2), 41-57.
• Wang, X., Ma, R., Li, B., Tian, D. and Wang, X., 2019, E-Wbm: An Effort-Based Vulnerability Discovery Model, Ieee Access, 7, 44276-44292.
• Woo, S.-W., Alhazmi, O. and Malaiya, Y., 2006a, An Analysis Of The Vulnerability Discovery Process In Web Browsers. Proceeding Of The 10th Iasted International Conferance Software Engineering And Applicaitons. Usa: 172-177.
• Woo, S.-W., Joh, H., Alhazmi, O. H. and Malaiya, Y. K., 2011, Modeling Vulnerability Discovery Process In Apache And Iis Http Servers, Computers & Security, 30 (1), 50-62.
• Woo, S., Alhazmi, O. H. and Malaiya, Y. K., 2006b, Assessing Vulnerabilities In Apache And Iis Http Servers, 2006 2nd Ieee International Symposium On Dependable, Autonomic And Secure Computing, 103-110.
• Younis, A. A., Joh, H. and Malaiya, Y. K., 2011, Modeling Learningless Vulnerability Discovery Using A Folded Distribution, The 2011 International Conference On Security And Management, Usa, 1-10.