Vulnerability Research
At the 1998 Security and Privacy conference, a panel session discussed the advances in computer security technology over the last 25 years. One dramatic conclusion of the session was that the current state of the art in computer security was "penetrate and patch". While it is disappointing that the "state of the art" is still only "penetrate and patch", patching known vulnerabilities in a timely manner can provide a reasonable level of security. However, as most security professionals know, patches are usually not applied in a timely manner. To better understand this phenomenon, we devised a model for the life cycle of vulnerabilities, and we apply this model to several well-known vulnerabilities by analyzing historical information from the CERT/CC database. A primary goal of this research is to identify new areas for the research community to focus on in hopes of improving the "state of the art" beyond "penetrate and patch".

I've co-authored a paper entitled "Windows of Vulnerability: A Case Study Analysis" along with John McHugh and Bill Fithen, both from CERT/CC. The paper will be published in the December issue of IEEE Computer, and I'll provide a link at that time. In the meantime, the short story is that we developed a model for the life cycle of vulnerabilities. We then applied the model to three different vulnerabilities and discovered several interesting facts. First, the scripting, or automation, of a vulnerability appears as the driving force behind intrusions, not the disclosure of the vulnerability. Second, we found that patches for flaws were available long before a significant number of intrusions occurred.

While reviewing the data sets collected for the paper above, we noticed that there were similarities in the rate of intrusions for each vulnerability. As a result, we performed a regression analysis on the three data sets and found a common mathematical model for predicting the severity of intrusions over time. The technical report describing our results can be found here: A Trend Analysis of Exploitations.