Computer Vulnerability Analysis: Thesis Proposal

Computer security professionals and researchers do not have a history of sharing and analyzing computer vulnerability information. Scientists and engineers from older or more established fields have long understood that publicizing, analyzing, and learning from other people's mistakes is essential to the stepwise refinement of complex systems. Computer scientists, however, have not followed suit. Programmers reinvent classical programming mistakcs, contributing to the reappearance of known vulnerabilities. In the recent past, complltcr systems have come to be a part of critical systems that have a direct effect on the safety and well-being of human beings and hence we must have lower tolerance for software failures. In the dissedation I will attempt to show that computer vulnerability information presents important regularities and these can be detected, and possibly visualized, providing important insight about the reason of their prevalence and existence. The information derived from these observations could be used to improve on all phases of the development of software systems, as could be in the design, development, debugging, testing and maintenance of complex computer systems that must implement a set of policies defined by security analysis. A significant portion of the work that must be performed will concentrate on the development of clilSSifications and taxonomies that will permit the visualization and analysis of computer vulnerability information. I hope that these classifications and taxonomies applied to a collection of vulnerabilities will provide a set of features whose analysis will show that there arc clear statistical clustering:; and patterns caused because developers and programmers are not learning from each others mistakes. Tlti.s analysis may be performed by applying statistical analysis and knowledge discovery tools.