Time Series Analysis Related to Software Vulnerabilities in Internet-Exposed Devices
Abstract
This article explores the relationship between the exposure of devices to the Internet and their susceptibility to the exploitation of software vulnerabilities. Highlighting the complexity of this phenomenon, we emphasize the importance of a rigorous approach to establishing a clear relationship between exposure and exploitability. We then propose a perspective that considers three interconnected elements: the occurrence of real-world exploitation, the exposure of vulnerable devices, and the existence of weaponized exploits for the vulnerabilities. Despite the intuitive correlation between exposure and exploitability, we acknowledge the challenges in establishing a definitive relationship. To address these challenges, we gather public historical data from websites such as Shodan, EPSS, and inthewild.io, and present preliminary analyses of the relationship between the resulting time series.
References
Allodi, L., Massacci, F., and Williams, J. (2022). The work-averse cyberattacker model: Theory and evidence from two million attack signatures. Risk Analysis.
Bada, M. and Pete, I. (2020). An exploration of the cybercrime ecosystem around Shodan. In Int. conference on internet of things: Systems, management and security, pages 1–8.
Gao, J., Li, L., Kong, P., Bissyandé, T. F., and Klein, J. (2019). Understanding the evolution of Android app vulnerabilities. IEEE Transactions on Reliability, 70(1):212–230.
Jacobs, J., Romanosky, S., Edwards, B., Adjerid, I., and Roytman, M. (2021). Exploit prediction scoring system (EPSS). Digital Threats: Research and Practice, 2(3):1–17.
Martins, M., Bicudo, M. A., Menasché, D., and de Aguiar, L. P. (2019). Análise temporal de risco de sistemas computacionais via modelagem de séries de eventos associados a vulnerabilidades. In WPerformance. SBC.
Matherly, J. (2024). Shodan. [link]. Accessed: April 2, 2024.
Mazuera-Rozo, A., Bautista-Mora, J., Linares-Vásquez, M., Rueda, S., and Bavota, G. (2019). The Android OS stack and its vulnerabilities: an empirical study. Empirical Software Engineering, 24:2056–2101.
Pastrana, S., Hutchings, A., Caines, A., and Buttery, P. (2018). Characterizing eve: Analysing cybercrime actors in a large underground forum. In RAID, pages 207–227.
Ponce, L. M. S., Gimpel, M., Fazzion, E., Cunha, Í., Hoepers, C., Steding-Jessen, K., Chaves, M. H., Guedes, D., and Meira Jr, W. (2022). Caracterização escalável de vulnerabilidades de segurança: um estudo de caso na internet brasileira. SBRC.
Wita, R., Jiamnapanon, N., and Teng-Amnuay, Y. (2010). An ontology for vulnerability lifecycle. In 2010 Third International Symposium on Intelligent Information Technology and Security Informatics, pages 553–557. IEEE.
Zaidi, N., Kaushik, H., Bablani, D., Bansal, R., and Kumar, P. (2018). A study of exposure of iot devices in India: Using Shodan search engine. In Information Systems Design and Intelligent Applications, pages 1044–1053. Springer.
Published
2024-05-20
How to Cite
BANJAR, Carlos Eduardo de Schuller; PEREIRA, Cainã Figueiredo; MENASCHÉ, Daniel S. Time Series Analysis Related to Software Vulnerabilities in Internet-Exposed Devices. In: WORKSHOP ON SCIENTIFIC INITIATION AND GRADUATION - BRAZILIAN SYMPOSIUM ON COMPUTER NETWORKS AND DISTRIBUTED SYSTEMS (SBRC), 42., 2024, Niterói/RJ. Anais [...]. Porto Alegre: Sociedade Brasileira de Computação, 2024. p. 201-208. ISSN 2177-9384. DOI: https://doi.org/10.5753/sbrc_estendido.2024.3114.
