Scientific Publications

A Preliminary Analysis of Vulnerability Scores for Attacks in Wild

Luca Allodi
Fabio Massacci, University of Trento, Povo, Trento - Italy.
NVD and Exploit-DB are the de facto standard databases used for research on vulnerabilities, and the CVSS score is the standard measure for risk. One open question is whether such databases and scores are actually representative of attacks found in the wild. To address this question we have constructed a database (EKITS) based on the vulnerabilities currently used in exploit kits from the black market and extracted another database of vulnerabilities from Symantec's Threat Database (SYM).

An Independent Validation of Vulnerability Discovery Models

Viet Hung Nguyen
Fabio Massacci, University of Trento, Italy
Having a precise vulnerability discovery model (VDM) would provide a useful quantitative insight to assess software security. Thus far, several models have been proposed with some evidence supporting their goodness-of-fit. In this work we describe an independent validation of the applicability of six existing VDMs in seventeen releases of the three popular browsers Firefox, Google Chrome and Internet Explorer. We have collected five different kinds of data sets based on different definitions of a vulnerability. We introduce two quantitative metrics, goodness-of-fit en-

Adversarial Risk Analysis The Somali Pirates Case

Juan Carlos Sevillano
David Ríos Insua
Jesús Ríos
Decision Analysis Journal, INFORMS, vol 9, number 2, pp 86-95, March 20102
Some of the current world’s biggest problems revolve around security issues. This has raised recent interest in resource allocation models to manage security threats, from terrorism to organized crime through money laundering. One of those approaches is adversarial risk analysis, which aims at dealing with decision making problems with intelligent opponents and

Adversarial Risk Analysis for Counterterrorism Modeling

Jesús Ríos
David Ríos Insúa
Risk Analysis Journal, Wiley, vol 32, n.5, pp.894-915, May 2012
Recent large scale terrorist attacks have raised interest in models for resource allocation against terrorist threats. The unifying theme in this area is the need to develop methods for the analysis of allocation decisions when risks stem from the intentional actions of intelligent adversaries. Most approaches to these problems have a game theoretic flavor although there are also several interesting decision analytic based proposals.