Peter Mell, Irena Bojanova, Carlos Eduardo Galhardo
{"title":"衡量野生动物对弱点的利用情况","authors":"Peter Mell, Irena Bojanova, Carlos Eduardo Galhardo","doi":"10.1109/mitp.2024.3399485","DOIUrl":null,"url":null,"abstract":"Identifying the software weaknesses exploited by attacks supports efforts to reduce developer introduction of vulnerabilities and to guide security code review efforts. A weakness is a bug or fault type that can be exploited through an operation that results in a security-relevant error. Ideally, the security community would measure the prevalence of the software weaknesses used in actual exploitation. This work advances that goal by introducing a simple metric that utilizes public data feeds to determine the probability of a weakness being exploited in the wild for any 30-day window. The metric is evaluated on a set of 130 weaknesses that were commonly found in vulnerabilities between April 2021 and March 2024. Our analysis reveals that 92% of the weaknesses are not being constantly exploited.","PeriodicalId":49045,"journal":{"name":"IT Professional","volume":"31 1","pages":""},"PeriodicalIF":2.2000,"publicationDate":"2024-06-26","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"0","resultStr":"{\"title\":\"Measuring the Exploitation of Weaknesses in the Wild\",\"authors\":\"Peter Mell, Irena Bojanova, Carlos Eduardo Galhardo\",\"doi\":\"10.1109/mitp.2024.3399485\",\"DOIUrl\":null,\"url\":null,\"abstract\":\"Identifying the software weaknesses exploited by attacks supports efforts to reduce developer introduction of vulnerabilities and to guide security code review efforts. A weakness is a bug or fault type that can be exploited through an operation that results in a security-relevant error. Ideally, the security community would measure the prevalence of the software weaknesses used in actual exploitation. This work advances that goal by introducing a simple metric that utilizes public data feeds to determine the probability of a weakness being exploited in the wild for any 30-day window. The metric is evaluated on a set of 130 weaknesses that were commonly found in vulnerabilities between April 2021 and March 2024. Our analysis reveals that 92% of the weaknesses are not being constantly exploited.\",\"PeriodicalId\":49045,\"journal\":{\"name\":\"IT Professional\",\"volume\":\"31 1\",\"pages\":\"\"},\"PeriodicalIF\":2.2000,\"publicationDate\":\"2024-06-26\",\"publicationTypes\":\"Journal Article\",\"fieldsOfStudy\":null,\"isOpenAccess\":false,\"openAccessPdf\":\"\",\"citationCount\":\"0\",\"resultStr\":null,\"platform\":\"Semanticscholar\",\"paperid\":null,\"PeriodicalName\":\"IT Professional\",\"FirstCategoryId\":\"94\",\"ListUrlMain\":\"https://doi.org/10.1109/mitp.2024.3399485\",\"RegionNum\":4,\"RegionCategory\":\"计算机科学\",\"ArticlePicture\":[],\"TitleCN\":null,\"AbstractTextCN\":null,\"PMCID\":null,\"EPubDate\":\"\",\"PubModel\":\"\",\"JCR\":\"Q3\",\"JCRName\":\"COMPUTER SCIENCE, INFORMATION SYSTEMS\",\"Score\":null,\"Total\":0}","platform":"Semanticscholar","paperid":null,"PeriodicalName":"IT Professional","FirstCategoryId":"94","ListUrlMain":"https://doi.org/10.1109/mitp.2024.3399485","RegionNum":4,"RegionCategory":"计算机科学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"Q3","JCRName":"COMPUTER SCIENCE, INFORMATION SYSTEMS","Score":null,"Total":0}
Measuring the Exploitation of Weaknesses in the Wild
Identifying the software weaknesses exploited by attacks supports efforts to reduce developer introduction of vulnerabilities and to guide security code review efforts. A weakness is a bug or fault type that can be exploited through an operation that results in a security-relevant error. Ideally, the security community would measure the prevalence of the software weaknesses used in actual exploitation. This work advances that goal by introducing a simple metric that utilizes public data feeds to determine the probability of a weakness being exploited in the wild for any 30-day window. The metric is evaluated on a set of 130 weaknesses that were commonly found in vulnerabilities between April 2021 and March 2024. Our analysis reveals that 92% of the weaknesses are not being constantly exploited.
IT ProfessionalCOMPUTER SCIENCE, INFORMATION SYSTEMS-COMPUTER SCIENCE, SOFTWARE ENGINEERING
CiteScore
5.00
自引率
0.00%
发文量
111
审稿时长
>12 weeks
期刊介绍:
IT Professional is a technical magazine of the IEEE Computer Society. It publishes peer-reviewed articles, columns and departments written for and by IT practitioners and researchers covering:
practical aspects of emerging and leading-edge digital technologies,
original ideas and guidance for IT applications, and
novel IT solutions for the enterprise.
IT Professional’s goal is to inform the broad spectrum of IT executives, IT project managers, IT researchers, and IT application developers from industry, government, and academia.