Vulnerability defects in software that can allow hackers to bypass security measures have emerged as a significant threat in a society that increasingly relies on computer systems and the Internet for commerce and other uses.
Researchers at Colorado State University have developed a model to predict with much greater accuracy the number and severity of vulnerabilities that likely will surface in operating systems and in major software applications in the near future. The research was led by computer science professor Yashwant K. Malaiya, who was assisted by doctoral student Omar Alhazmi.
In 2005 alone, about 5,200 newly discovered vulnerabilities were reported by the U.S. Department of Homeland Security's Computer Emergency Readiness Team, or CERT. Such vulnerabilities can be exploited by hackers if they are discovered and not fixed quickly through patches, or software updates.
"The hope is that a vulnerability gets patched before it gets exploited," Malaiya says. Each individual vulnerability discovered can be widely reported to the public, and in some cases, it has caused the value of the stock of the company to drop.
"It is impossible to implement an operating system like Windows XP or Linux, Web servers like Apache or Microsoft IIS, or Web browsers that are free from vulnerabilities," Malaiya says. "If developers knew when and how many patches will be needed in a certain period of time, they could be better prepared to quickly develop patches and ensure the security of such applications and systems," he says.
Malaiya's group has developed two complementary approaches to predict vulnerabilities. Those approaches involve using what's called a logistic model to model the vulnerability detection rate and, based on the developer, predicting the number of vulnerabilities per 1,000 lines of computer code.
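The two approaches just described can be put together in a small script, added here as an illustration and not code from the Colorado State group. The logistic form y(t) = B / (B·C·e^(-ABt) + 1), which solves dy/dt = A·y·(B - y), is the Alhazmi-Malaiya model as published by the authors; the fitting method, the cumulative counts and the 40,000 KLOC code size below are assumptions and constructed data, not figures from the article.

```python
import math

def aml_cumulative(t, A, B, C):
    """Cumulative vulnerabilities found by time t under the AML logistic model.
    Solves dy/dt = A*y*(B - y): B is the eventual total, A and C are fitted
    constants (C is set by the initial condition)."""
    return B / (B * C * math.exp(-A * B * t) + 1.0)

def fit_aml(months, counts, b_candidates):
    """Fit (A, B, C) to cumulative counts by profiling over B (my choice of
    method). For a fixed B the model linearises as ln(B/y - 1) = ln(B*C) - A*B*t,
    so least squares gives A and C; keep the B with the smallest squared error."""
    best = None
    for B in b_candidates:
        if B <= max(counts):          # B must exceed everything seen so far
            continue
        ys = [math.log(B / y - 1.0) for y in counts]
        n = len(months)
        mx, my = sum(months) / n, sum(ys) / n
        sxx = sum((x - mx) ** 2 for x in months)
        sxy = sum((x - mx) * (y - my) for x, y in zip(months, ys))
        slope = sxy / sxx
        intercept = my - slope * mx
        A, C = -slope / B, math.exp(intercept) / B
        sse = sum((aml_cumulative(t, A, B, C) - y) ** 2
                  for t, y in zip(months, counts))
        if best is None or sse < best[0]:
            best = (sse, A, B, C)
    if best is None:
        raise ValueError("every candidate B is below the observed count")
    return best[1], best[2], best[3]

def project_new_vulns(A, B, C, t_from, t_to):
    """Vulnerabilities the model expects to surface in the window (t_from, t_to]."""
    return aml_cumulative(t_to, A, B, C) - aml_cumulative(t_from, A, B, C)

def vulnerability_density(total_vulns, kloc):
    """Vulnerabilities per 1,000 lines of code."""
    return total_vulns / kloc

if __name__ == "__main__":
    # Constructed cumulative counts by month since release, not real product data.
    months = [0, 3, 6, 9, 12, 15, 18, 21, 24]
    counts = [2, 6, 18, 44, 87, 133, 166, 185, 194]
    A, B, C = fit_aml(months, counts, [float(b) for b in range(195, 301, 5)])
    print(f"A={A:.5f} B={B:.0f} C={C:.3f}")
    print("expected in months 24-36:", round(project_new_vulns(A, B, C, 24, 36), 1))
    print("density per KLOC at B (assumed 40,000 KLOC):", vulnerability_density(B, 40000))
```

The projected count for a future window is what a vendor would use to size patch-development staffing, and the density is the comparison the article makes between XP and earlier Windows versions.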
The group at Colorado State claims to be the only university team that is conducting a systematic study of the vulnerability discovery process. The university says some of the group's early results have attracted attention from CERT analysts.
"Applications of such data can be far-ranging," Malaiya says. Companies such as Microsoft Corp. can project the manpower needed to quickly develop and release patches to minimize the probability of exploitation. Also, a bank or investment company brokerage can assess the potential risk levels because products containing more projected vulnerabilities tend to be riskier products.
The team says the logistic model it developed already has seen success in its predictions. It predicted in 2005 that the number of vulnerabilities discovered in Windows XP would grow rapidly. That number has grown, from 88 in January 2005 to 173 by the latest count, making the vulnerability density of XP comparable to that of earlier versions.