Concepedia

Publication | Closed Access

Software vulnerability analysis

Citations: 288

References: 0

Year: 1998

Abstract

Computer security professionals and researchers do not have a history of sharing and analyzing computer vulnerability information. Scientists and engineers from older or more established fields have long understood that publicizing, analyzing, and learning from other people's mistakes is essential to the stepwise refinement of complex systems. Computer scientists, however, have not followed suit. Programmers reinvent classical programming mistakes, contributing to the reappearance of known vulnerabilities. In the recent past, computer systems have come to be a part of critical systems that have a direct effect on the safety and well-being of human beings and hence we must have lower tolerance for software failures. In the dissertation I will attempt to show that computer vulnerability information presents important regularities and these can be detected, and possibly visualized, providing important insight about the reason of their prevalence and existence. The information derived from these observations could be used to improve on all phases of the development of software systems, as could be in the design, development, debugging, testing and maintenance of complex computer systems that must implement a set of policies defined by security analysis. A significant portion of the work that must be performed will concentrate on the development of classifications and taxonomies that will permit the visualization and analysis of computer vulnerability information. I hope that these classifications and taxonomies applied to a collection of vulnerabilities will provide a set of features whose analysis will show that there are clear statistical clusterings and patterns caused because developers and programmers are not learning from each other's mistakes. This analysis may be performed by applying statistical analysis and knowledge discovery tools.