• DocumentCode
    2803440
  • Title

    Measuring and Enhancing Prediction Capabilities of Vulnerability Discovery Models for Apache and IIS HTTP Servers

  • Author

    Alhazmi, Omar H. ; Malaiya, Yashwant K.

  • Author_Institution
    Colorado State Univ., Boulder, CO
  • fYear
    2006
  • fDate
    7-10 Nov. 2006
  • Firstpage
    343
  • Lastpage
    352
  • Abstract
The prediction of the number of vulnerabilities in an HTTP server can allow us to evaluate the security risk associated with its use. Vulnerability discovery models have recently been proposed which can be used to estimate the future number of vulnerabilities expected to be discovered. A detailed analysis of the prediction capabilities of two models, termed AML and LVD, for the vulnerabilities in the two major HTTP servers is presented. Four complete data sets for Apache and IIS are used, representing an open source and a commercial Web server respectively. Both long term predictions involving several years and short term predictions for the following year are considered. Potential methods for enhancing the prediction accuracy are considered. The results show good predictive capabilities of the AML model when constraints are used for estimating the model parameters. The LVD model works well in some special cases when saturation has not yet set in. The results can be used both by developers to plan the test and maintenance effort needed and by users to assess the potential security risks associated with a specific server.
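The following is an added illustration, not code or data from the paper: it fits the two models named in the abstract to a constructed cumulative-vulnerability series and uses them for the kind of short-term (next-year) prediction the abstract describes. The model forms are taken from the authors' published definitions (AML: y(t) = B / (B·C·e^(-A·B·t) + 1), with B the total number of vulnerabilities eventually found; LVD: y(t) = S·t + k). The fitting procedure (a least-squares grid search refined around the best point, with the saturation parameter B constrained to an assumed interval) and the sample series are this example's own choices, not the paper's estimation method or its Apache/IIS data.

```python
"""Added example (not the paper's code or data): fitting the AML logistic and
LVD linear vulnerability discovery models to a constructed cumulative
vulnerability series and predicting the count one year ahead.

Model forms follow Alhazmi and Malaiya's published definitions:
  AML: y(t) = B / (B*C*exp(-A*B*t) + 1)   (B = vulnerabilities eventually found)
  LVD: y(t) = S*t + k
The constrained grid-search fit below is this example's own choice, not the
paper's parameter-estimation method.
"""
import math


def aml(t, A, B, C):
    """Cumulative vulnerabilities predicted by the AML model at month t."""
    return B / (B * C * math.exp(-A * B * t) + 1.0)


def lvd(t, S, k):
    """Cumulative vulnerabilities predicted by the linear LVD model at month t."""
    return S * t + k


def fit_lvd(ts, ys):
    """Ordinary least-squares fit of the LVD slope S and intercept k."""
    n = len(ts)
    mt, my = sum(ts) / n, sum(ys) / n
    sxx = sum((t - mt) ** 2 for t in ts)
    sxy = sum((t - mt) * (y - my) for t, y in zip(ts, ys))
    S = sxy / sxx
    return S, my - S * mt


def _grid(lo, hi, n, log_scale):
    """n points from lo to hi, spaced geometrically or linearly."""
    if log_scale:
        ratio = (hi / lo) ** (1.0 / (n - 1))
        return [lo * ratio ** i for i in range(n)]
    step = (hi - lo) / (n - 1)
    return [lo + step * i for i in range(n)]


def fit_aml(ts, ys, b_bounds, rounds=6, n=13):
    """Least-squares fit of (A, B, C): grid search, then the grid is shrunk to
    one step either side of the best point and repeated. b_bounds constrains
    the saturation parameter B to a plausible interval; A and C are searched
    on logarithmic grids within fixed (assumed) bounds."""
    bounds = [(1e-4, 1.0), tuple(b_bounds), (1e-4, 10.0)]  # A, B, C
    log_scale = [True, False, True]
    lo = [b[0] for b in bounds]
    hi = [b[1] for b in bounds]
    best, best_sse = None, float("inf")
    for _ in range(rounds):
        grids = [_grid(lo[i], hi[i], n, log_scale[i]) for i in range(3)]
        for A in grids[0]:
            for B in grids[1]:
                for C in grids[2]:
                    sse = sum((aml(t, A, B, C) - y) ** 2 for t, y in zip(ts, ys))
                    if sse < best_sse:
                        best, best_sse = (A, B, C), sse
        for i in range(3):  # shrink each range around the current best value
            if log_scale[i]:
                ratio = (hi[i] / lo[i]) ** (1.0 / (n - 1))
                lo[i], hi[i] = best[i] / ratio, best[i] * ratio
            else:
                step = (hi[i] - lo[i]) / (n - 1)
                lo[i], hi[i] = best[i] - step, best[i] + step
            lo[i] = max(lo[i], bounds[i][0])
            hi[i] = min(hi[i], bounds[i][1])
    return best


# Constructed series: 36 monthly cumulative counts drawn from a logistic curve
# with known parameters plus a small deterministic wobble. Not real Apache or
# IIS data.
TRUE_A, TRUE_B, TRUE_C = 0.004, 60.0, 0.5
MONTHS = list(range(1, 37))
OBSERVED = [round(aml(t, TRUE_A, TRUE_B, TRUE_C) + 0.6 * math.sin(t)) for t in MONTHS]


def predict_next_year(ts, ys, horizon=12):
    """Fit both models on the data seen so far and predict the cumulative count
    `horizon` months later. B is constrained to [max seen, 4 * max seen]: the
    eventual total cannot be below what has already been found (assumed upper
    bound)."""
    A, B, C = fit_aml(ts, ys, (max(ys), 4.0 * max(ys)))
    S, k = fit_lvd(ts, ys)
    t_end = ts[-1] + horizon
    return {"aml": aml(t_end, A, B, C), "lvd": lvd(t_end, S, k), "aml_B": B}


if __name__ == "__main__":
    # Predict month 24 from the first 12 months (pre-saturation) and month 36
    # from the first 24 months (saturation setting in), against the series.
    for seen, target in ((12, 24), (24, 36)):
        p = predict_next_year(MONTHS[:seen], OBSERVED[:seen])
        print(f"months 1-{seen} -> month {target}: actual {OBSERVED[target - 1]}, "
              f"AML {p['aml']:.1f} (B={p['aml_B']:.1f}), LVD {p['lvd']:.1f}")
```

Running the script shows the pattern the abstract reports in miniature: the straight-line LVD extrapolation tracks the early, roughly linear phase but overshoots once discovery slows, while AML with a bounded B follows the levelling-off.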
  • Keywords
    Internet; file servers; risk analysis; security of data; AML model; Apache server; HTTP server; Internet Information Service; LVD model; Web server; security risk; vulnerability discovery models; Accuracy; Data security; HTML; Internet; Operating systems; Parameter estimation; Predictive models; Protocols; System testing; Web server;
  • fLanguage
    English
  • Publisher
    ieee
  • Conference_Titel
    Software Reliability Engineering, 2006. ISSRE '06. 17th International Symposium on
  • Conference_Location
    Raleigh, NC
  • ISSN
    1071-9458
  • Print_ISBN
    0-7695-2684-5
  • Type

    conf

  • DOI
    10.1109/ISSRE.2006.26
  • Filename
    4022000