TY - GEN
T1 - The CVE Wayback Machine
T2 - 23rd ACM Internet Measurement Conference, IMC 2023
AU - Pauley, Eric
AU - Barford, Paul
AU - McDaniel, Patrick
N1 - Publisher Copyright: © 2023 ACM.
PY - 2023/10/24
Y1 - 2023/10/24
N2 - Software security depends on coordinated vulnerability disclosure (CVD) from researchers, a process that the community has continually sought to measure and improve. Yet, CVD practices are only as effective as the data that informs them. In this paper, we use DScope, a cloud-based interactive Internet telescope, to build statistical models of vulnerability lifecycles, bridging the data gap in over 20 years of CVD research. By analyzing application-layer Internet scanning traffic over two years, we identify real-world exploitation timelines for 63 threats. We bring this data together with six additional datasets to build a complete birth-to-death model of these vulnerabilities, the most complete analysis of vulnerability lifecycles to date. Our analysis reaches three key recommendations: (1) CVD across diverse vendors shows lower effectiveness than previously thought, (2) intrusion detection systems are underutilized to provide protection for critical vulnerabilities, and (3) existing data sources of CVD can be augmented by novel approaches to Internet measurement. In this way, our vantage point offers new opportunities to improve the CVD process, achieving a safer software ecosystem in practice.
UR - https://www.scopus.com/pages/publications/85177615596
UR - https://www.scopus.com/inward/citedby.url?scp=85177615596&partnerID=8YFLogxK
U2 - 10.1145/3618257.3624810
DO - 10.1145/3618257.3624810
M3 - Conference contribution
AN - SCOPUS:85177615596
T3 - Proceedings of the ACM SIGCOMM Internet Measurement Conference, IMC
SP - 236
EP - 252
BT - IMC 2023 - Proceedings of the 2023 ACM on Internet Measurement Conference
PB - Association for Computing Machinery
Y2 - 24 October 2023 through 26 October 2023
ER -