Return to Directory

Awad A. Younis Mussa


B.S., Computer Science, Garyounis University, Libya, 2001
M.S., Computer Science, University of Madras, India, 2008
M.S., Computer Science, Colorado State University, 2012
Ph.D., Computer Science, Colorado State University, 2016


Software security, resilience, and adaptability: design, development, and quantitative and empirical evaluation


Hi, I’m Awad, a lecturer in the Department of Computer Science at Georgia State University.  Before I started working at GSU, I was a graduate student in the Computer Science Department at Colorado State University from Fall 2009 to Summer 2016, where I received my M.S. and Ph.D. degrees. I worked as a research and teaching assistant for Professor Yashwant K. Malaiya. I was born and raised in a small town named Ajdabia in central northern Libya, near the Mediterranean Sea, in North Africa. I have been on a knowledge quest since 2000 studying and working in academia and industry in Libya, Malaysia, India, and the U.S.

My research focuses on developing techniques for achieving and evaluating high software security and resilience. My current research focuses on developing methods and techniques to improve software security and resiliency using adaptive and self-adaptive techniques.

I have worked on developing security metrics for software systems and applications using measurement and risk theory, graph-theoretic concepts, and machine learning models. I introduced a novel vulnerability discovery model called the Folded model that estimates the risk of vulnerability discovery based on the residual number of vulnerabilities. I proposed predicting vulnerability exploitability risk using standard internal software metrics. I also introduced two novel metrics known as Structural Severity to measure vulnerability exploitability risk and Time-to-Vulnerability-Disclosure to measure the likelihood of vulnerability discovery. In addition, I introduced a novel method termed Vulnerability Reward Programs scales to empirically evaluate and validate CVSS Base scores, the commonly used vulnerabilities severity measure.


Awad A. Younis, Yashwant K. Malaiya, and Indrajit Ray, Evaluating CVSS base score using vulnerability rewards programs, Proceedings of the 31st International Conference on Systems Security and Privacy Protection (IFIP SEC 2016), May-June 2016, pp. 62–75.

Awad A. Younis, Yashwant K. Malaiya, Charles Anderson, and Indrajit Ray, To fear or not to fear that is the question: code characteristics of a vulnerable function with an existing exploit, Proceedings of the Sixth ACM Conference on Data and Application Security and Privacy (CODASPY ’16), March 2016, pp. 97–104.

Awad A. Younis, Yashwant K. Malaiya, and Indrajit Ray, Assessing vulnerability exploitability risk using software properties, Software Quality Journal, vol. 24, no. 1, March 2016, pp. 159–202.

Awad A. Younis and Yashwant K. Malaiya, Comparing and evaluating CVSS base metrics and Microsoft rating system, Proceedings of the 2015 IEEE International Conference on Software Quality, Reliability and Security (QRS 2015), August 2015, pp. 252–261.

Awad A. Younis and Yashwant K. Malaiya, Using software structure to predict vulnerability exploitation potential, Proceedings of the 8th IEEE International Conference on Software Security and Reliability (SERE 2014), June-July 2014, pp. 13–18.

Awad A. Younis, Yashwant K. Malaiya, and Indrajit Ray, Using attack surface entry points and reachability analysis to assess the risk of software vulnerability exploitability, Proceedings of the 15th IEEE International Symposium on High-Assurance Systems Engineering (HASE 2014), January 2014, pp.1–8.

Awad A. Younis and  Yashwant K. Malaiya, Relationship between attack surface and vulnerability density: a case study on Apache HTTP server, Proceedings of the 2012 International Conference on Internet Computing (ICOMP ’12), July 2012, pp. 197–203.

A. A. Younis, H. Joh, and Y. K. Malaiya, Modeling learningless vulnerability discovery using a folded distribution, Proceedings of the 2011 International Conference on Security and Management (SAM ’11), July 2011, pp. 617–623.