Printed from https://ideas.repec.org/a/eee/reensy/v183y2019icp341-359.html

Bayesian-model averaging using MCMCBayes for web-browser vulnerability discovery

Authors
  • Johnston, Reuben
  • Sarkani, Shahryar
  • Mazzuchi, Thomas
  • Holzer, Thomas
  • Eveleigh, Timothy

Abstract

Most software vulnerabilities are preventable, but they continue to be present in software releases. When Blackhats, or malicious researchers, discover vulnerabilities, they often release corresponding exploit software and malware. Therefore, customer confidence could be reduced if vulnerabilities—or discoveries of them—are not prevented, mitigated, or addressed. In addressing this, managers must choose which alternatives will provide maximal impact and could use vulnerability discovery modeling techniques to support their decision-making process. Applications of these techniques have used traditional approaches to analysis and, despite the dearth of data, have not included information from experts. This article takes an alternative approach, applying Bayesian methods to modeling the vulnerability-discovery phenomenon. Relevant data was obtained from security experts in structured workshops and from public databases. The open-source framework, MCMCBayes, was developed to automate performing Bayesian model averaging via power-posteriors. It combines predictions of interval-grouped discoveries by performance-weighting results from six variants of the non-homogeneous Poisson process (NHPP), two regression models, and two growth-curve models. The methodology is applicable to software-makers and persons interested in applications of expert-judgment elicitation or in using Bayesian analysis techniques with phenomena having non-decreasing counts over time.

Suggested Citation

  • Johnston, Reuben & Sarkani, Shahryar & Mazzuchi, Thomas & Holzer, Thomas & Eveleigh, Timothy, 2019. "Bayesian-model averaging using MCMCBayes for web-browser vulnerability discovery," Reliability Engineering and System Safety, Elsevier, vol. 183(C), pages 341-359.
  • Handle: RePEc:eee:reensy:v:183:y:2019:i:c:p:341-359
    DOI: 10.1016/j.ress.2018.11.030

    Full text from publisher (ScienceDirect subscribers only): http://www.sciencedirect.com/science/article/pii/S0951832017309341

