Trust and risk assessment model of popular software based on known vulnerabilities

Marek Bogusław Janiszewski, Anna Felkner, Jakub Olszak


This paper presents a new concept of an approach to risk assessment which can be done on the basis of publicly available information about vulnerabilities. The presented approach uses also the notion of trust and implements many concepts used in so called trust and reputation management systems (which are widely used in WSN, MANET or P2P networks, but also in e-commerce platforms). The article shows first outcomes obtained from the presented model. The outcomes demonstrate that the model can be implemented in real system to make software management more quantified and objective process, which can have real and beneficial impact on institutional security. In article, however the emphasis was set not on the model itself (which can be easily changed) but on the possibility of finding useful information about vulnerabilities.

Full Text:



S. Zhang, X. Ou, and D. Caragea, "Predicting Cyber Risks through National Vulnerability Database," emph{Information Security Journal: A Global Perspective}, vol.24, 2015, pp. 194-206, DOI: 10.1080/19393555.2015.1111961

S. Zhang, D. Caragea, and X. Ou, "An Emperical Study on Using the National Vulnerability Database to Predict Software Vulnerabilities," emph{LNCS 6860}, 2011, pp. 217-231, DOI: 10.1007/978-3-642-23088-2_15

K. Ingols, M. Chu, R. Lippmann, S. Webster, S. Boyer, "Modeling modern network attacks and countermeasures using attack graphs," emph{Annual Computer Security Conference}, ACSAC, 2009, DOI: 10.1109/ACSAC.2009.21

M. McQueen, T. McQueen, W. Boyer, M. Chaffin, "Empirical estimates and observations of 0day vulnerabilities," emph{42nd Hawaii International Conference on System Sciences}, 2009, pp. 1-12

A. Ozment, Vulnerability Discovery & Software Security, emph{PhD thesis}, University of Cambridge, 2007

A. Felkner, "Review and analysis of sources of information about vulnerabilities," emph{Przegląd telekomunikacyjny i wiadomości telekomunikacyjne}, vol. 8-9/2016, 2016, pp. 929-933, DOI: 10.15199/59.2016.8-9.37

Symantec - access date: 02.05.2017

Common Vulnerabilities and Exposures (CVE) access date: 02.05.2017

Dragonsoft vulnerability database - access date: 02.05.2016, currently not accessible

National Vulnerability Database access date: 02.05.2017

SecurityFocus - access date: 02.05.2017

Security Tracker - access date: 02.05.2017

US-CERT vulnerability notes database - access date: 02.05.2017

The Computer Incident Response Center Luxembourg - access date: 02.05.2017

CVEdetails - access date: 02.05.2017

Fulldisclosure - access date: 02.05.2017

Exploit-db - access date: 02.05.2017

Intelligent Exploit - access date: 02.05.2016, currently not accessible

Metasploit (Rapid7) - access date: 02.05.2017

Sans - access date:02.05.2017

Vulnerability-lab - access date:02.05.2017 - access date:02.05.2017

Vfeed - access date:02.05.2017

CPE dcitionary: - access date:02.05.2017


  • There are currently no refbacks.

International Journal of Electronics and Telecommunications
is a periodical of Electronics and Telecommunications Committee
of Polish Academy of Sciences

eISSN: 2300-1933