A queueing solution to reduce delay in processing of disclosed vulnerabilities

Abstract

The rate of discovery of vulnerabilities keeps increasing, creating a problem for first responders who need to triage vulnerabilities quickly to decide where to focus their defensive efforts. One of the bottlenecks in this triaging process is the assessment of severity of vulnerabilities and the assignment of the Common Vulnerability Scoring System (CVSS) scores. In this work we study the statistical properties of the vulnerability disclosure process and make two important observations. First, we find that the time series of the number of vulnerability disclosures exhibits a long range dependence, meaning that strong correlations persist over long time periods. Such time series have high variation, high burstiness and slow convergence towards conventional estimators, such as the mean. Our second observation is that the burstiness of the vulnerability disclosure process causes delays in the analysis of vulnerabilities and as a result triaging over 40% of the vulnerabilities takes longer than the median exploit time. Hence, by the time they are analysed and assigned a CVSS score, many vulnerabilities are already being exploited. We propose techniques for modelling and analysing the vulnerability disclosure time series. We further propose reversing the order of triaging vulnerabilities and show, via simulation, that this significantly increases timely triaging of vulnerabilities, reducing the percentage of delayed assessments to 4%.