Dataset: Adaptive Modelling for Security Vulnerability Propagation
Description
This dataset was used to construct and simulate the security vulnerability propagation model in the study entitled: Adaptive Modelling for Security Vulnerability Propagation to Predict the Impact of Business Process Redesign. In this study, we used six business process redesign (BPR) case studies that occurred in the upgrades from Magento 2.1 to 2.2 and from Magento 2.2 to 2.3. The dataset served as input for the propagation modelling of information security vulnerabilities. It comprises 11 datasets representing the Magento business process models from Magento 2.1, 2.2, and 2.3, their vulnerability data, and their relation to application modules.

In the upgrade from Magento 2.1 to 2.2, BPR occurred in the processes of managing consumer accounts, managing communication channels, and managing payments. The dataset on the first and second sheets relates to the process of managing consumer accounts in Magento 2.1 and 2.2. The dataset on the third and fourth sheets relates to the process of managing communication channels in Magento 2.1 and 2.2. The dataset on the fifth and sixth sheets relates to the process of managing payments in Magento 2.1 and 2.2.

In the upgrade from Magento 2.2 to 2.3, BPR occurred in the processes of managing payments, inventory, and shipping. The dataset on the sixth and seventh sheets relates to the process of managing payments in Magento 2.2 and 2.3. The dataset on the eighth and ninth sheets relates to the process of managing inventory in Magento 2.2 and 2.3. The dataset on the tenth and eleventh sheets relates to the process of managing shipping in Magento 2.2 and 2.3.

Each dataset contains a list of tasks (Task ID and Task Name columns) that make up the Magento business process model. Tasks can belong to a process (Process Name column) or a sub-process (Sub Process column). Each task is accompanied by its task type (Task Type column) and its vulnerabilities, which are expressed as CWE IDs (Task Vuln column). The vulnerability scores consist of the score for each CWE (Task Vuln Score column) and the maximum score for each task (Max Task Score column). These vulnerability data were obtained from the results of the previous study entitled: Information Security Vulnerability Prediction Based On Business Process Model Using Machine Learning Approach.

Each task is also accompanied by the task that follows it (Next Task column), so the tasks can be chained to form a business process model. Each task is also accompanied by a related module (Related Module ID and Related Module columns) along with module vulnerability data. Module vulnerability data consists of two types: the predicted score (Max Predict column) and the materialized score (Module Exploited Vuln Score column), based on Magento CVE vulnerability data from the National Vulnerability Database (NVD).
Steps to reproduce
Users can use the dataset to form a graph representing the propagation model of information security vulnerabilities. Nodes are built from the task and module data along with their vulnerability data. The relationships between nodes are formed from the relationship data between tasks (Task ID and Next Task columns) and the relationship between tasks and modules (Task ID and Related Module ID columns).

Users can perform simulations to predict the propagation of vulnerabilities due to BPR by using a pair of datasets. For example, users can use the first and second sheets to simulate the vulnerability propagation in the process model of managing consumer accounts, which undergoes BPR from version 2.1 to 2.2. Users form an initial vulnerability propagation model (as-is model) using the dataset on the first sheet, then add new tasks from the second sheet as new nodes in the model. Users need to follow each step in the Node Strength-based Vulnerability Modelling (NSVM) method to be able to simulate the propagation of information security vulnerabilities due to BPR. This method can be obtained from our research paper entitled: Adaptive Modeling for Security Vulnerability Propagation to Predict the Impact of Business Process Redesign.
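The graph construction described above, sketched in Python as an added example that is not part of the dataset or the authors' code. It builds the as-is model from one sheet and adds the new tasks and modules from the paired sheet; it does not implement the NSVM steps, which are defined in the paper. Assumptions: sheets are exported to CSV with the column names listed in the description, a task appears once per CWE, and multiple Next Task IDs are separated by ";". All rows, IDs and scores are constructed.

```python
import csv
import io

# Constructed sample rows (not taken from the dataset); headers follow the description.
HEADER = ("Task ID,Task Name,Task Vuln,Task Vuln Score,Max Task Score,Next Task,"
          "Related Module ID,Related Module,Max Predict,Module Exploited Vuln Score\n")
AS_IS = HEADER + """T1,Open login form,CWE-79,6.1,6.1,T2,M1,Customer,7.5,6.1
T2,Submit credentials,CWE-287,7.5,7.5,T3,M1,Customer,7.5,6.1
T2,Submit credentials,CWE-79,6.1,7.5,T3,M1,Customer,7.5,6.1
T3,Show dashboard,CWE-200,5.3,5.3,,M1,Customer,7.5,6.1
"""
# To-be sheet: same process after redesign, with one new task and one new module.
TO_BE = AS_IS + """T2,Submit credentials,CWE-287,7.5,7.5,T3;T4,M1,Customer,7.5,6.1
T4,Verify captcha,CWE-804,5.0,5.0,T3,M2,Captcha,5.0,0.0
"""

def load_graph(text):
    """Return (nodes, edges): nodes maps ID -> attributes, edges holds (src, dst, kind)."""
    nodes, edges = {}, set()
    for row in csv.DictReader(io.StringIO(text)):
        tid, mid = row["Task ID"], row["Related Module ID"]
        task = nodes.setdefault(tid, {"kind": "task", "name": row["Task Name"],
                                      "cwe": {}, "max_score": float(row["Max Task Score"])})
        task["cwe"][row["Task Vuln"]] = float(row["Task Vuln Score"])
        for nxt in filter(None, row["Next Task"].split(";")):  # assumed separator
            edges.add((tid, nxt, "flow"))                      # Task ID -> Next Task
        if mid:
            nodes.setdefault(mid, {"kind": "module", "name": row["Related Module"],
                                   "predicted": float(row["Max Predict"]),
                                   "exploited": float(row["Module Exploited Vuln Score"])})
            edges.add((tid, mid, "uses"))                      # Task ID -> Related Module ID
    return nodes, edges

def apply_redesign(as_is, to_be):
    """Extend the as-is model with the nodes and edges found only in the to-be sheet."""
    (n0, e0), (n1, e1) = as_is, to_be
    new_nodes = {k: v for k, v in n1.items() if k not in n0}
    new_edges = e1 - e0
    return {**n0, **new_nodes}, e0 | new_edges, sorted(new_nodes), sorted(new_edges)

if __name__ == "__main__":
    nodes, edges, added_nodes, added_edges = apply_redesign(load_graph(AS_IS), load_graph(TO_BE))
    print("new nodes:", added_nodes)
    print("new edges:", added_edges)
```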