Cyber Security: Nonlinear Stochastic Models for Predicting the Exploitability

Obtaining complete information regarding discovered vulnerabilities looks extremely difficult. Yet, developing statistical models requires a great deal of such complete information about the vulnerabilities. In our previous studies, we introduced a new concept of “Risk Factor” of vulnerability which was calculated as a function of time. We introduced the use of Markovian approach to estimate the probability of a particular vulnerability being at a particular “state” of the vulnerability life cycle. In this study, we further develop our models, use available data sources in a probabilistic foundation to enhance the reliability and also introduce some useful new modeling strategies for vulnerability risk estimation. Finally, we present a new set of Non-Linear Statistical Models that can be used in estimating the probability of being exploited as a function of time. Our study is based on the typical security system and vulnerability data that are available. However, our methodology and system structure can be applied to a specific security system by any software engineer and using their own vulnerabilities to obtain their probability of being exploited as a function of time. This information is very important to a company’s security system in its strategic plan to monitor and improve its process for not being exploited.


Introduction
"Risk" is an unavoidable phenomenon in the Cyber world. Information systems ranging from very small and personal level apps to massive corporate and government applications and system platforms are facing the threat from Cyber-attacks [1] in various dimensions. The number of such attacks and the magnitude of the hazards have been heavily increasing throughout recent years. Hackers are getting more active and effective. The risk is getting higher. System administrators and defending professionals are working hard to understand attackers and attacking strategies and to effectively defend against attacking attempts. To establish successful defending platforms, a proper understanding of the "risk" associated with a given vulnerability [2] [3] is required. If we have effective models that enable the defenders and system administrators to successfully predict the risk of a given vulnerability being exploited as a function of time, it will be helpful to plan and implement security measures, allocate relevant resources and defend the systems accordingly. In this study, we improve the Markovian approach of Vulnerability Life Cycle Analysis [2] to come up with better modelling techniques to evaluate the "risk factor" using probability and statistical methods.
The objective of this study is to propose and present a rational set of methods to identify the probabilities for each different state in the vulnerability life cycle [2] [4] [5] and use this information to develop three different statistical models to evaluate the "Risk Factor" [2] [5] of a particular vulnerability at time "t". In our recent study "Stochastic Modelling of Vulnerability Life Cycle and Security Risk Evaluation" (Journal of Information Security, 7, 269-279) [2], we introduced the strategy of using Markov processes to obtain the "transition probability matrix" of all the states of a particular vulnerability as a function of time.
We iterated the Markov process and determined that it reached the "steady state" with probabilities of reaching the "absorbing states" [1] [2]. The two absorbing states were identified as "exploited" and "patched" states. We proceeded to introduce the "Risk Factor" that could be used as an index of the risk of the vulnerability being exploited [1]-[7]. Finally, we presented successful statistical models that could calculate the "Risk Factor" more conveniently without going through the Markovian process [1] [2] [6].
However, in this process, we used a logical and realistic approach to assign initial probabilities for each state of the vulnerability. In this study, we introduce more relevant and sophisticated sets of methods to assign the initial probabilities for each state of the Vulnerability Life Cycle based on several logical assumptions.
We use the CVSS score [3] [8] as we did earlier, but here we calculate and introduce initial probabilities taking the entire CVE Data Base (http://www.cvedetails.com/) into consideration.
Finally, using our new methods, we develop three new statistical models for vulnerabilities that differ based on their vulnerability score ranging from 0 to 10 as low risk (0-3.9), medium risk (4-6.9) and high risk (7-10). Using these models the user will be able to estimate the "Risk" of a particular vulnerability being exploited at time "t" and to observe the expected behavior of the vulnerability throughout its life cycle.

Vulnerability Life Cycle Analysis Method
In our previous study [2], we introduced the use of the Markov chain process to develop the transition probability matrix including all the important states of the Vulnerability Life Cycle. The Vulnerability Life Cycle Graph that we discussed is presented below by "Figure 1". When we draw a Life Cycle Graph for a given vulnerability, it has several nodes which represent the stages of the Vulnerability Life Cycle. Earlier we assigned logical probabilities for a hacker to reach each state by examining the properties of a specific vulnerability. The Life Cycle Graph has two absorbing states [2] [4] [5] [6] that are named "Patched" state [2] [4] [5] [6] [7] and "Exploited" state [1]
We define $\lambda_i$ to be the probability of transferring from state i to state j.
i j = In actual situations the probability of discovering a vulnerability can be assumed very small. Therefore, for $\lambda_1$ we had assigned a small value. Then probabilities for $\lambda_2, \lambda_3, \lambda_4, \lambda_5$ were also assigned accordingly. Then we checked several random values for the $\lambda_i$ and observed the behavior of each different state to be a function of time.
Using these transition probabilities we could derive the absorbing transition probability matrix for a Life Cycle of a particular Vulnerability, which follows the properties defined under Markov Chain Transformation Probability Method [2].
However, in our present study, instead of randomly assigning transition probabilities for each of the states presented in the Life Cycle, we use a new set of methods that are probabilistically more reliable. It is challenging to acquire a complete set of information relevant to Vulnerabilities in a manner that lets us calculate the required probabilities conveniently. Therefore, we use available and reliable data resources about Vulnerabilities to develop our methodology that we discuss in the section that follows.

Common Vulnerability Scoring System (CVSS) and Common Vulnerabilities and Exposures (CVE)
It is important to discuss here the usage of Common Vulnerability Scoring System (CVSS) [8] and CVE Details [9], as we gather data from those resources.

Methodology of Assigning Initial Probabilities
Our objective now is focused on assigning initial probabilities for different states in the Life Cycle. In Table 1 below, we present these initial probabilities that are required in our present study. Estimating them requires a great deal of data resources. To estimate $\lambda_1$, as an example, requires the total number of vulnerabilities in each category ranging from 0 to 10 in magnitude, and information on their discovery with respect to time. Similarly for other states, we need the number of vulnerabilities discovered, exploited before disclosed, exploited after discovery but before patched, patched before the disclosure, patched after the disclosure, under each CVSS score level.
We start with the CVSS scores available for each vulnerability, categorize them, and take the counts for the three different levels of vulnerabilities for possible states. However, it should be noted that there are no data resources available providing all the data requirements we have here. Therefore, when the CVSS classifications available in the CVE detail website satisfy our requirements, we use those data, and when they are not sufficient to make a reliable estimate we use information given by "Stefan Frei" in his thesis [4] and the "Secunia Vulnerability information report" [10].
We categorized 75,705 vulnerabilities according to their CVSS score and under each of the three categories to find out the number of total vulnerabilities and the number of exploitations. We shall use this information to assign probabilities of discovery ($\lambda_1$) and exploitability ($\lambda_2$) for each CVSS score level.
To assign probabilities for disclosed but not yet patched or exploited ($\lambda_3$), patched before disclosed ($\lambda_4$), exploited after disclosed ($\lambda_5$) and patched after disclosed ($\lambda_6$) we used Secunia vulnerability report information [10] and Frei's results given in his study [4].

Estimating λ1
To calculate an estimate for $\lambda_1$, "the probability of a vulnerability is being discovered" [11] [12] for three categories of CVSS score, it is ideal to have an estimate for the population of "total number of (known and unknown) vulnerabilities at a particular time" so that we can get the proportion of discovered vulnerabilities out of the total. But, at a given time, it is impossible to know the total number of vulnerabilities in the cyber world, as the number of vendors, application software, system software and other apps is uncountable, and so is the number of vulnerabilities that could exist. Therefore, to have a logical estimate for the total number of vulnerabilities for each year, we first calculated the cumulative number of vulnerabilities, and then calculated the number of vulnerabilities discovered in a particular year as a proportion of the cumulative number of vulnerabilities in the next calendar year. Once we had taken these proportions considering all the years from 1999 till 2015, we took the average of those proportions to be our estimate for $\lambda_1$.

Assumptions Made for λ1
When calculating $\lambda_1$, it was assumed that the number of unknown vulnerabilities in a particular year are discovered in the next year and the accumulated number of vulnerabilities in a particular year is an estimate for the population size of the vulnerabilities in the previous year.

Estimating λ2
The estimate for $\lambda_2$, "the probability of a particular vulnerability being exploited [13] [14] before patched or disclosed", was calculated using the data provided in the CVE Detail website. The entire set of exploited vulnerabilities were calculated for 10 different categories (or CVSS score levels) of interest.

Estimating λ3, λ4, λ5 and λ6
$\lambda_3$, "the probability of a vulnerability being disclosed but not yet patched or exploited", is calculated using the equation, ( ) For $\lambda_4$, "the probability of a vulnerability being patched before disclosed", we used information available in "Secunia Report on Vulnerability".
To estimate $\lambda_5$, "probability of a vulnerability being exploited after disclosed", and $\lambda_6$, "probability of a vulnerability being patched after disclosed", we used information given by "Stefan Frei" in his doctoral thesis [4]. Frei estimates that the probability of a vulnerability being exploited after it is disclosed is greater than the probability of it being patched. He estimates that there is a probability around 0.
0 0 0 0 0 0 0 1 0 0 0 0 0
where $P_i(t)$ - Probability that the system is in state i at time t.
For $t = 0$ we have: $P_1(0) = 1$, the probability that the system is in State 1 at the beginning ($t = 0$).
( ) Therefore, the initial probability can be given as [1 0 0 0 0], that is, the probabilities of each state of the Vulnerability Life Cycle initially. It is clear that "State 1" (Not Discovered) having probability one represents the initial time ($t = 0$), when the Vulnerability has not yet been discovered, and therefore the probabilities for all other stages are zero. Now, for three different categories of Vulnerabilities, we can iterate the transition probability matrix using the Markovian process [15] until the matrix reaches its "steady state". The iteration algorithm is explained below. For $t = 0$, we have
Using this method, we can now find the probability that is changing with time and is related to each "state" and then proceed to find the statistical model that can fit the vulnerability life cycle.
As an example, for the vulnerabilities in Category one, where $\lambda_1 = 0.1777$
As we execute this algorithm for the vulnerabilities of category one, the stationarity (steady state) was reached (considering 4 decimal digits) at $t = 86$, that is, the minimum number of steps so that the vulnerability reaches its absorbing states is 86, and the resulting vector of probabilities for each of the absorbing states is obtained as the output of the calculation process. As shown below, the transition probabilities are completely absorbed into the two absorbing states, which gives the "probability of the vulnerability being exploited" and the "probability of the vulnerability will be patched". All other states have reached
[0 0 0.1265 0 0.8735].
That is, it will take the hacker 86 steps and a 12.7% chance to exploit the security system and 87.3% probability to reach the patched state. Thus we are sure that after $t = 86$, one of the two states will be reached.
Initially, we defined the 3rd state as "the state of being exploited" and the 5th state as "the state of being patched" in the vulnerability life cycle. Based on the current data resources available relevant to the vulnerabilities of category one, we can use these results as estimates for the probabilities of being exploited and being patched. The results from this Markovian model [15] for the vulnerability life cycle show that the sum of the resulting probabilities equals one (0.1265 + 0.8735 = 1). In other words, our model estimates that one of these results is expected after $t = 86$ (ex: after 86 days) for a vulnerability in category one. Hence, it is clear that once the "steady state" is achieved, for a vulnerability of category one, the estimate of the probability of being exploited is 12.65% and the probability of being patched is 87.35%.
Similarly, for vulnerabilities of categories two and three, the transition probability matrices can be obtained. Transition probability matrices and resulting steady state vectors for those categories are given below.

"Risk Factor"-Calculating the Risk as a Function of Time
Now that we have the steady state vector with the probabilities for patching and getting exploited, we can calculate the risk of a particular vulnerability using the "risk factor". In our previous study [2] we have introduced this risk factor as follows.

$$\text{Risk}(t) = \Pr(\text{vulnerability is in state 3 at time } t) \times \text{Exploitability score}$$

Exploitability score [3] for the vulnerability can be taken from the CVSS score as we mentioned earlier. With our results for three different levels of vulnerabilities, we now have a better index for the risk factor, since our initial probabilities were not just chosen randomly but were estimated using the available and reliable data sources. As an example, let's consider a vulnerability in the lower level with an exploitability score of 2.4. Assume that we need to find the Risk factor of that vulnerability at $t = 50$. Then, using the Markov process, we can come up with the resulting vector of the vulnerability that gives us the probabilities of being in each different state at that particular time. However, iterating the Markov process for each time would not be a very efficient process due to the analytical calculations. Therefore, we proceed to develop three different nonlinear statistical models that make it much more convenient for the designed calculation.
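The Markov iteration and the risk factor described above can be sketched as follows; this is an added example, not code from the paper. The chain topology is read off the state descriptions in the text, the absence of self-loops in states 2 and 4 is an assumption, and every transition value except λ1 = 0.1777 is a constructed placeholder.

```python
# Added example (not from the paper): iterate the five-state absorbing Markov
# chain of the vulnerability life cycle and derive the risk factor from it.
# States, 1-based as on the page: 1 not discovered, 2 discovered,
# 3 exploited (absorbing), 4 disclosed but not yet patched or exploited,
# 5 patched (absorbing).

def transition_matrix(l1, l2, l4, l5):
    """Build the 5x5 matrix from lambda1, lambda2, lambda4 and lambda5.

    Assumption of this example: states 2 and 4 have no self-loop, so
    lambda3 and lambda6 are whatever makes their rows sum to one.
    """
    l3 = 1.0 - (l2 + l4)
    l6 = 1.0 - l5
    if min(l1, l2, l3, l4, l5, l6) < 0 or l1 > 1:
        raise ValueError("transition probabilities must lie in [0, 1]")
    return [
        [1.0 - l1, l1, 0.0, 0.0, 0.0],  # not discovered -> discovered
        [0.0, 0.0, l2, l3, l4],         # discovered -> exploited/disclosed/patched
        [0.0, 0.0, 1.0, 0.0, 0.0],      # exploited (absorbing)
        [0.0, 0.0, l5, 0.0, l6],        # disclosed -> exploited/patched
        [0.0, 0.0, 0.0, 0.0, 1.0],      # patched (absorbing)
    ]

def step(pi, P):
    """One Markov step: row vector pi times matrix P."""
    n = len(P)
    return [sum(pi[i] * P[i][j] for i in range(n)) for j in range(n)]

def distribution_at(P, t):
    """State probabilities after t steps, starting from [1 0 0 0 0]."""
    pi = [1.0, 0.0, 0.0, 0.0, 0.0]
    for _ in range(t):
        pi = step(pi, P)
    return pi

def steps_to_steady_state(P, decimals=4, max_steps=10_000):
    """Smallest t at which every transient state rounds to zero."""
    pi = [1.0, 0.0, 0.0, 0.0, 0.0]
    for t in range(max_steps + 1):
        if all(round(pi[s], decimals) == 0 for s in (0, 1, 3)):
            return t, pi
        pi = step(pi, P)
    raise RuntimeError("no steady state within max_steps")

def risk_factor(P, t, exploitability_score):
    """Pr(state 3 at time t) multiplied by the CVSS exploitability score."""
    return distribution_at(P, t)[2] * exploitability_score

# lambda1 = 0.1777 is the page's category-one value; the other three are
# constructed placeholders, so the output will not reproduce the paper's
# 86 steps or its 0.1265 / 0.8735 split.
P_LOW = transition_matrix(l1=0.1777, l2=0.01, l4=0.79, l5=0.60)

if __name__ == "__main__":
    t, pi = steps_to_steady_state(P_LOW)
    print("steady state after", t, "steps:", [round(p, 4) for p in pi])
    for day in (1, 5, 10, 50):
        print(day, round(risk_factor(P_LOW, day, 2.4), 4))
```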
To further explain the usage of the Risk Factor, let's take an example. Consider a vulnerability given in Table 4. With the published date and the exploitability score known for that vulnerability, we can now calculate the risk of being exploited at a particular date from the published date. For the first vulnerability V1 (CVE 2016-0911), which is a low risk vulnerability, the risk factor is 0.2474, and for the other two categories of medium and high risk levels, vulnerabilities V2 (CVE 2016-2832) and V3 (CVE 2016-3230), risk factors are 0.3667 and 1.17702 respectively.
The risk factor can be graphed as a function of time. The figure below shows the behavior of the risk factor of the middle level vulnerability V2 (CVE 2016-2832) over a time period of 101 days starting from 6/13/2016. We notice that the risk factor increases rapidly within around the first 10 days, indicating that once a vulnerability is published, the risk of being exploited rapidly increases.
Even after this rapid increase, the risk does not show a decreasing behavior. This specific behavior is due to our model structure of the vulnerability life cycle.
That is, with two absorbing states (being exploited and being patched), we assume that either one of two outcomes is possible for a given vulnerability. Therefore, with the state of being exploited as an absorbing state, the life cycle does not move to any other state beyond being exploited, which explains why this graph stays high without decreasing over time. The curve shows a rapid increase in the risk factor initially, as expected, since the vulnerability immediately creates a risk with its discovery and disclosure.
Based on the graph, we can conclude that over time, with a life cycle consisting of two absorbing states, the Risk Factor of a given vulnerability increases rapidly and becomes stable at a higher level of risk without decreasing back. This behavior exemplifies the threat any vulnerability would impose on an information system. Until a proper patch is released and installed, the probable harm from a given vulnerability increases monotonically. However, it should not be misinterpreted as meaning that the risk from a given vulnerability never reduces.
Our Absorbing Markovian Model does not consider some of the interactions that might take place in real world situations. Our intention here is to show the impact of a vulnerability as long as it is not patched. Outcomes from the situations where patching attempts and exploit attempts occur before and after disclosure should be explained in a much broader modeling aspect of the vulnerability life cycle.

Model Building
In the previous section we developed an analytical algorithm that identifies the number of steps (time) after which the transition probability matrix of the vulnerability life cycle reaches a steady state. Thus, for a given vulnerability in the categories of Low, Medium and High risk levels, we can obtain the probability of being exploited (being hacked) and the probability of being patched as a function of time. However, this process is time consuming and the Markovian iteration process [1] [2] [15] [16] would be quite difficult to perform every time. Using this approach to find the minimum number of steps for each category, we obtained t = 86 steps for category one vulnerabilities, t = 80 steps for category two vulnerabilities and t = 84 steps for category three vulnerabilities. Then, we recorded the probability of being exploited at each step. Thus, we have for each
where Y is the probability of being exploited, α and β are the vectors of coefficients or weights, t is the time given in steps and ε is the modelling error. We used the method of maximum likelihood estimation to obtain the estimates of the coefficients that drive these models.

Model-1
The best nonlinear statistical models that we developed for Low, Medium and High Vulnerability categories are given below along with their $R^2$ (coefficient of determination),

Model-2
In investigating whether we can improve the precision of Model 1, we found that applying another logarithmic filter to our initial model further homogenizes the variance of our data. We obtained a set of models that gives us better results, increasing the accuracy of our prediction by approximately 9% compared to Model 1. New model equations for each of the categories are given below.
Low (Category one) risk vulnerabilities:
where n is the sample size and p is the number of risk factors (attributable variables) in our models. The closer the $R^2$ and $R^2_{adj}$ are to one, the higher the quality of our models.
We also performed residual analysis of all the models to determine if the error factor has significantly contributed to the accuracy of our models. In all cases, the residual error was not significant. Finally, we tested all our models with actual data that we did not include in developing the models, and the results were exceptional.
As mentioned, we needed three best-fitting statistical models to calculate the "risk factor" conveniently. In other words, we expected to obtain a best-fitting model that can replace the Markovian iteration and hence avoid the difficulty of estimating the probabilities for time "t" earlier than the "steady state". With these new models we have achieved our goal.

Conclusion
In this study, we continue to improve the models we built in our previous study [2]. We have improved the calculation methods of initial probabilities and created the Transition Probability Matrix using the Markovian process that we introduced in our previous studies. We used CVSS data presented in the CVE details website and calculated initial probabilities for discovering and exploiting a vulnerability based on the records of the last 17 years of data. Finally, we created two sets of three models for predicting the risk of a particular vulnerability being exploited as a function of time. The models we presented are proven to have an excellent fit with the Markovian process probabilities. Therefore, we can replace the Markovian process with these models, since they remove the analytical requirement to execute the Markovian iteration process of identifying the steady states of being exploited or being patched for each vulnerability.

Appendix A
Matrix values used for model building under each category.
Low Vulnerability (0-3.9) Medium Vulnerability (4-6.9)
[2] [4] [5] [6] [7]. Therefore, this allowed us to model the Life Cycle Graph as an absorbing Markov chain. It should be noted that in the figure below the states three and five are absorbing states of this Life Cycle Graph as there are no outflows from those states.

Figure 1. Markov Model Approach to Vulnerability Life Cycle with Five States.

Figure 2 above illustrates the behavior of the Risk Factor as a function of time.

category a 2 ×
Figure 2. Behavior of the Risk Factor as a function of time.
As we will discuss, $R^2$ reflects on the quality of the proposed model.
Medium (Category two) risk vulnerabilities:

Table 1. States Represented by the Transition Probabilities in the Vulnerability Life Cycle.

Transition Matrix for Vulnerability Life Cycle

Executing the Markov Process to Transition Probability matrix
Now that we have the Vulnerability Life Cycle Graph with two absorbing states and initial probability estimates for each state, we can write the general form of the transition probability matrix [15] [16] [19] for the vulnerability life cycle as follows.
"Table 2" below presents our results on probabilities for each state with respect to each category/level of vulnerability. Using these transition probabilities for each level we can now derive the absorbing transition probability matrix for a Vulnerability Life Cycle, which follows the properties defined under Markov Chain Transformation Probability Method [15] [16] [17] [18] [19].

Table 2. Estimates of Transition Probabilities for each Category of Vulnerabilities.

Table 3. Number of iterations (steps) to reach the steady state and Steady State Vector for each category of Vulnerability.

Table 4. Three vulnerabilities in each category with their details and the calculated risk factors.

Figure axis labels: Age of vulnerability (days); Change of Risk Factor over time.
the data sets exhibit nonlinear behavior and thus multiple regression is not applicable. After very exhaustive research, we were able to identify two sets of nonlinear statistical models for each category.