Printed from https://ideas.repec.org/a/eee/reensy/v183y2019icp341-359.html

Bayesian-model averaging using MCMCBayes for web-browser vulnerability discovery

Author

Listed:
  • Johnston, Reuben
  • Sarkani, Shahryar
  • Mazzuchi, Thomas
  • Holzer, Thomas
  • Eveleigh, Timothy

Abstract

Most software vulnerabilities are preventable, but they continue to be present in software releases. When Blackhats, or malicious researchers, discover vulnerabilities, they often release corresponding exploit software and malware. Therefore, customer confidence could be reduced if vulnerabilities—or discoveries of them—are not prevented, mitigated, or addressed. In addressing this, managers must choose which alternatives will provide maximal impact and could use vulnerability discovery modeling techniques to support their decision-making process. Applications of these techniques have used traditional approaches to analysis and, despite the dearth of data, have not included information from experts. This article takes an alternative approach, applying Bayesian methods to modeling the vulnerability-discovery phenomenon. Relevant data was obtained from security experts in structured workshops and from public databases. The open-source framework, MCMCBayes, was developed to automate performing Bayesian model averaging via power-posteriors. It combines predictions of interval-grouped discoveries by performance-weighting results from six variants of the non-homogeneous Poisson process (NHPP), two regression models, and two growth-curve models. The methodology is applicable to software-makers and persons interested in applications of expert-judgment elicitation or in using Bayesian analysis techniques with phenomena having non-decreasing counts over time.

Suggested Citation

  • Johnston, Reuben & Sarkani, Shahryar & Mazzuchi, Thomas & Holzer, Thomas & Eveleigh, Timothy, 2019. "Bayesian-model averaging using MCMCBayes for web-browser vulnerability discovery," Reliability Engineering and System Safety, Elsevier, vol. 183(C), pages 341-359.
  • Handle: RePEc:eee:reensy:v:183:y:2019:i:c:p:341-359
    DOI: 10.1016/j.ress.2018.11.030

    Download full text from publisher

    File URL: http://www.sciencedirect.com/science/article/pii/S0951832017309341
    Download Restriction: Full text for ScienceDirect subscribers only

    File URL: https://libkey.io/10.1016/j.ress.2018.11.030?utm_source=ideas
    LibKey link: if access is restricted and if your library uses this service, LibKey will redirect you to where you can use your library subscription to access this item

    As the access to this document is restricted, you may want to search for a different version of it.

    References listed on IDEAS

    1. B. Littlewood & J. L. Verrall, 1973. "A Bayesian Reliability Growth Model for Computer Software," Journal of the Royal Statistical Society Series C, Royal Statistical Society, vol. 22(3), pages 332-346, November.
    2. Johnston, Reuben & Sarkani, Shahryar & Mazzuchi, Thomas & Holzer, Thomas & Eveleigh, Timothy, 2018. "Multivariate models using MCMCBayes for web-browser vulnerability discovery," Reliability Engineering and System Safety, Elsevier, vol. 176(C), pages 52-61.
    3. N. Friel & A. N. Pettitt, 2008. "Marginal likelihood estimation via power posteriors," Journal of the Royal Statistical Society Series B, Royal Statistical Society, vol. 70(3), pages 589-607, July.
    4. Cooke, Roger M. & Goossens, Louis L.H.J., 2008. "TU Delft expert judgment data base," Reliability Engineering and System Safety, Elsevier, vol. 93(5), pages 657-674.
    5. Michel J. G. van Eeten & Johannes M. Bauer, 2008. "Economics of Malware: Security Decisions, Incentives and Externalities," OECD Science, Technology and Industry Working Papers 2008/1, OECD Publishing.
    6. Ioannou, I. & Aspinall, W. & Rush, D. & Bisby, L. & Rossetto, T., 2017. "Expert judgment-based fragility assessment of reinforced concrete buildings exposed to fire," Reliability Engineering and System Safety, Elsevier, vol. 167(C), pages 105-127.

    Most related items

    These are the items that most often cite the same works as this one and are cited by the same works as this one.
    1. Geovanna Hinojoza-Castro & Montserrat Gómez-Delgado & Wenseslao Plata-Rocha, 2022. "Real Estate Developers as Agents in the Simulation of Urban Sprawl," Sustainability, MDPI, vol. 14(15), pages 1-12, July.
    2. Xing Ju Lee & Christopher C. Drovandi & Anthony N. Pettitt, 2015. "Model choice problems using approximate Bayesian computation with applications to pathogen transmission data sets," Biometrics, The International Biometric Society, vol. 71(1), pages 198-207, March.
    3. Jeong Eun Lee & Christian Robert, 2013. "Importance Sampling Schemes for Evidence Approximation in Mixture Models," Working Papers 2013-42, Center for Research in Economics and Statistics.
    4. Fei Xiong & Yun Liu & Zhenjiang Zhang, 2011. "Dynamics With Co-Evolution Of Individual Inclination And Opinion," International Journal of Modern Physics C (IJMPC), World Scientific Publishing Co. Pte. Ltd., vol. 22(01), pages 51-62.
    5. Will Penny & Biswa Sengupta, 2016. "Annealed Importance Sampling for Neural Mass Models," PLOS Computational Biology, Public Library of Science, vol. 12(3), pages 1-25, March.
    6. Spezia, L. & Cooksley, S.L. & Brewer, M.J. & Donnelly, D. & Tree, A., 2014. "Modelling species abundance in a river by Negative Binomial hidden Markov models," Computational Statistics & Data Analysis, Elsevier, vol. 71(C), pages 599-614.
    7. Vitoratou, Silia & Ntzoufras, Ioannis & Moustaki, Irini, 2016. "Explaining the behavior of joint and marginal Monte Carlo estimators in latent variable models with independence assumptions," LSE Research Online Documents on Economics 57685, London School of Economics and Political Science, LSE Library.
    8. Karner, Alex & Niemeier, Deb, 2013. "Civil rights guidance and equity analysis methods for regional transportation plans: a critical review of literature and practice," Journal of Transport Geography, Elsevier, vol. 33(C), pages 126-134.
    9. Patrick Afflerbach & Christopher Dun & Henner Gimpel & Dominik Parak & Johannes Seyfried, 2021. "A Simulation-Based Approach to Understanding the Wisdom of Crowds Phenomenon in Aggregating Expert Judgment," Business & Information Systems Engineering: The International Journal of WIRTSCHAFTSINFORMATIK, Springer;Gesellschaft für Informatik e.V. (GI), vol. 63(4), pages 329-348, August.
    10. Hanea, A.M. & McBride, M.F. & Burgman, M.A. & Wintle, B.C. & Fidler, F. & Flander, L. & Twardy, C.R. & Manning, B. & Mascaro, S., 2017. "Investigate Discuss Estimate Aggregate for structured expert judgement," International Journal of Forecasting, Elsevier, vol. 33(1), pages 267-279.
    11. Spezia, Luigi, 2020. "Bayesian variable selection in non-homogeneous hidden Markov models through an evolutionary Monte Carlo method," Computational Statistics & Data Analysis, Elsevier, vol. 143(C).
    12. Laura Diaz Anadon & Erin Baker & Valentina Bosetti & Lara Aleluia Reis, 2016. "Expert views - and disagreements - about the potential of energy technology R&D," Climatic Change, Springer, vol. 136(3), pages 677-691, June.
    13. Hanea, D.M. & Jagtman, H.M. & van Alphen, L.L.M.M. & Ale, B.J.M., 2010. "Quantitative and qualitative analysis of the expert and non-expert opinion in fire risk in buildings," Reliability Engineering and System Safety, Elsevier, vol. 95(7), pages 729-741.
    14. AWLP Thilan & P Menéndez & JM McGree, 2023. "Assessing the ability of adaptive designs to capture trends in hard coral cover," Environmetrics, John Wiley & Sons, Ltd., vol. 34(6), September.
    15. Wang, Fan & Li, Heng & Dong, Chao & Ding, Lieyun, 2019. "Knowledge representation using non-parametric Bayesian networks for tunneling risk analysis," Reliability Engineering and System Safety, Elsevier, vol. 191(C).
    16. Elaine A. Ferguson & Jason Matthiopoulos & Robert H. Insall & Dirk Husmeier, 2017. "Statistical inference of the mechanisms driving collective cell movement," Journal of the Royal Statistical Society Series C, Royal Statistical Society, vol. 66(4), pages 869-890, August.
    17. Martine J. Barons & Lael E. Walsh & Edward E. Salakpi & Linda Nichols, 2024. "A Decision Support System for Sustainable Agriculture and Food Loss Reduction under Uncertain Agricultural Policy Frameworks," Agriculture, MDPI, vol. 14(3), pages 1-21, March.
    18. Wang, Ning & Xu, Yan & Wang, Sutong, 2022. "Interpretable boosting tree ensemble method for multisource building fire loss prediction," Reliability Engineering and System Safety, Elsevier, vol. 225(C).
    19. Colson, Abigail R. & Cooke, Roger M., 2017. "Cross validation for the classical model of structured expert judgment," Reliability Engineering and System Safety, Elsevier, vol. 163(C), pages 109-120.
    20. Nogal, Maria & Morales Nápoles, Oswaldo & O’Connor, Alan, 2019. "Structured expert judgement to understand the intrinsic vulnerability of traffic networks," Transportation Research Part A: Policy and Practice, Elsevier, vol. 127(C), pages 136-152.

    Corrections

    All material on this site has been provided by the respective publishers and authors. You can help correct errors and omissions. When requesting a correction, please mention this item's handle: RePEc:eee:reensy:v:183:y:2019:i:c:p:341-359. See general information about how to correct material in RePEc.


    For technical questions regarding this item, or to correct its authors, title, abstract, bibliographic or download information, contact: Catherine Liu. General contact details of provider: https://www.journals.elsevier.com/reliability-engineering-and-system-safety

    Please note that corrections may take a couple of weeks to filter through the various RePEc services.

    IDEAS is a RePEc service. RePEc uses bibliographic data supplied by the respective publishers.