Modeling Learningless Vulnerability Discovery using a Folded Distribution

A vulnerability discovery model describes the vulnerability discovery rate in a software system, and predicts the future behavior. It can allow the IT managers and developers to allocate their resources optimally by timely development and application of patches. Such models also allow the end-users to assess security risk in their systems. Recently, researchers have proposed a few vulnerability discovery models. The models are based on different assumptions, and thus differ in their accuracy and prediction capabilities. Among these models, the AML model has been found to have performed better in many cases in terms of model fitting and prediction capabilities. The AML model assumes that the discovery rate is symmetric. However, it has been noted that there are cases when the discovery trend is asymmetric. In this paper, we investigate the applicability of using a new vulnerability discovery model called Folded model, based on the Folded normal distribution, and compare it with the AML model. Results show that Folded model performs better than the AML model in general for both model fitting and prediction capabilities in cases when the learning phase is not present.