Shengyi Pan,Lingfeng Bao,Jiayuan Zhou,Xing Hu,Xin Xia,Shanping Li

DOI: https://doi.org/10.1145/3597503.3639110

2024-01-01

Abstract:It is increasingly suggested to identify emerging software vulner-abilities (SVs) through relevant development activities (e.g., issue reports) to allow early warnings to open source software (OSS) users. However, the support for the following assessment of the de-tected SVs has not yet been explored. SV assessment characterizes the detected SVs to prioritize limited remediation resources on the critical ones. To fill this gap, we aim to enable early vulnerability assessment based on SV-related issue reports (SIR). Besides, we observe the following concerns of the existing assessment techniques: 1) the assessment output lacks rationale and practical value; 2) the associations between Common Vulnerability Scoring System (CVSS) metrics have been ignored; 3) insufficient evaluation sce-narios and metrics. We address these concerns to enhance the prac-ticality of our proposed early vulnerability assessment approach (namely proEVA). Specifically, based on the observation of strong associations between CVSS metrics, we propose a prompt-based model to exploit such relations for CVSS metrics prediction. More-over, we design a curriculum-learning (CL) schedule to guide the model better learn such hidden associations during training. Aside from the standard classification metrics adopted in existing works, we propose two severity-aware metrics to provide a more compre-hensive evaluation regarding the prioritization of the high-severe SVs. Experimental results show that proEVA significantly outper-forms the baselines in both types of metrics. We further discuss the transferability of the prediction model regarding the upgrade of the assessment system, an important yet overlooked evaluation scenario in existing works. The results verify that proEVA is more efficient and flexible in migrating to different assessment systems.

Hao Zhuang,Florian Pydde

DOI: https://doi.org/10.48550/arXiv.1611.07383

2016-12-07

Abstract:Understanding the severity of vulnerabilities within cloud services is particularly important for today service <a class="link-external link-http" href="http://administrators.Although" rel="external noopener nofollow">this http URL</a> many systems, e.g., CVSS, have been built to evaluate and score the severity of vulnerabilities for administrators, the scoring schemes employed by these systems fail to take into account the contextual information of specific services having these vulnerabilities, such as what roles they play in a particular service. Such a deficiency makes resulting scores unhelpful. This paper presents a practical framework, NCVS, that offers automatic and contextual scoring mechanism to evaluate the severity of vulnerabilities for a particular service. Specifically, for a given service S, NCVS first automatically collects S contextual information including topology, configurations, vulnerabilities and their dependencies. Then, NCVS uses the collected information to build a contextual dependency graph, named CDG, to model S context. Finally, NCVS scores and ranks all the vulnerabilities in S by analyzing S context, such as what roles the vulnerabilities play in S, and how critical they affect the functionality of S. NCVS is novel and useful, because 1) context-based vulnerability scoring results are highly relevant and meaningful for administrators to understand each vulnerability importance specific to the target service; and 2) the workflow of NCVS does not need instrumentation or modifications to any source code. Our experimental results demonstrate that NCVS can obtain more relevant vulnerability scoring results than comparable system, such as CVSS.

Cryptography and Security

Zhou Li,Cong Tang,Jianbin Hu,Zhong Chen

DOI: https://doi.org/10.1109/uic-atc-scalcom-cbdcom-iop.2015.242

2016-01-01

Abstract:It is known to be full of challenges to score vulnerabilities of cloud services developed by different third-party providers. Although there have been a few systems for scoring vulnerabilities (e.g., CVSS) of many existing softwares, most of them are unable to be leveraged to score vulnerabilities in cloud services, because they fail to consider some important factors located in the clouds such as business context (i.e., Dependency relationships between services). This paper presents VScorer, a novel security framework to score vulnerabilities in various cloud services based on different given requirements. By inputting concrete business context and security requirement into VScorer, cloud provider can get a ranking list of vulnerabilities in the business based on the given security requirement. Following the ranking list, cloud provider is able to patch the most critical vulnerabilities first. We developed a prototype and demonstrate VScorer can work better than current representative vulnerability scoring system CVSS.

Jiang Zhen

Abstract:The paper introduces the current severe situation of the Web security, and brings up the necessity to design Web vulnerability scanning software. Then it analyzes Web crawler, construction of website structure tree, and detection methods of SQL injection, XSS, integer overflow and URL redirection, which provides a guarantee for developing the system successfully. The paper also describes the software architecture and the design of modules. The final testing results prove that the software is able to detect the common types of vulnerabilities rapidly and comprehensively. The software has been published.

Computer Science

Matthew Tassava,Cameron Kolodjski,Jeremy Straub

2023-06-07

Abstract:A system vulnerability analysis technique (SVAT) for complex mission critical systems (CMCS) was developed in response to the need to be able to conduct penetration testing on large industrial systems which cannot be taken offline or risk disablement or impairment for conventional penetration testing. SVAT-CMCS facilitates the use of known vulnerability and exploit information, incremental testing of system components and data analysis techniques to identify attack pathways in CMCSs. This data can be utilized for corrective activities or to target controlled manual follow-up testing. This paper presents the SVAT-CMCS paradigm and describes its implementation in a software tool, which was built using the Blackboard Architecture, that can be utilized for attack pathway identification. The performance of this tool is characterized using three example models. In particular, it explores the path generation speed and the impact of link cap restrictions on system operations, under different levels of network size and complexity. Accurate fact-rule processing is also tested using these models. The results show significant decreases in path generation efficiency as the link cap and network complexity increase; however, rule processing accuracy is not impacted.

Cryptography and Security

Jing Luo,Heyuan Shi,Yongchao Zhang,Runzhe Wang,Yuheng Shen,Yuao Chen,Xiaohai Shi,Rongkai Liu,Chao Hu,Yu Jiang

DOI: https://doi.org/10.1145/3663529.3663852

2024-01-01

Abstract:Vulnerability management is a time-consuming and labor-intensive task for Linux distribution maintainers. It involves the continuous identification, assessment, and fixing of vulnerabilities in Linux distributions. Due to the complexity of the vulnerability management process and the gap between community requirements and existing tools, there is little systematic study on automated vulnerability management for Linux distributions. In this paper, in collaboration with enterprise developers from Alibaba and maintainers from the Linux distribution community of OpenAnolis, we develop an automated vulnerability management system called CVECenter. We conduct the industry practice on the 3 versions of Linux distribution, which are responsible for many business and cloud services. We address the following challenges in developing and applying CVECenter to the Linux distribution: multi-source heterogeneous vulnerability record inconsistency, large-scale vulnerability retrieval response delay, manual vulnerability assessment cost, vulnerability auto-fixing tools absence, and continuous vulnerability management complexity. By CVECenter, we have successfully managed over 8,000 CVEs related to the Linux distribution and published a total of 1,157 security advisories, which reduces the mean time to fix vulnerabilities by 70% compared to the traditional workflow of the Linux distribution community.

Danielle Gonzalez,Holly Hastings,Mehdi Mirakhorli

DOI: https://doi.org/10.48550/arXiv.1909.13693

2019-09-30

Software Engineering

Abstract:Preventing vulnerability exploits is a critical software maintenance task, and software engineers often rely on Common Vulnerability and Exposure (CVEs) reports for information about vulnerable systems and libraries. These reports include descriptions, disclosure sources, and manually-populated vulnerability characteristics such as root cause from the NIST Vulnerability Description Ontology (VDO). This information needs to be complete and accurate so stakeholders of affected products can prevent and react to exploits of the reported vulnerabilities. However, characterizing each report requires significant time and expertise which can lead to inaccurate or incomplete reports. This directly impacts stakeholders ability to quickly and correctly maintain their affected systems. In this study, we demonstrate that VDO characteristics can be automatically detected from the textual descriptions included in CVE reports. We evaluated the performance of 6 classification algorithms with a dataset of 365 vulnerability descriptions, each mapped to 1 of 19 characteristics from the VDO. This work demonstrates that it is feasible to train classification techniques to accurately characterize vulnerabilities from their descriptions. All 6 classifiers evaluated produced accurate results, and the Support Vector Machine classifier was the best-performing individual classifier. Automating the vulnerability characterization process is a step towards ensuring stakeholders have the necessary data to effectively maintain their systems.

Muhammed Fatih Bulut,Abdulhamid Adebayo,Daby Sow,Steve Ocepek

DOI: https://doi.org/10.48550/arXiv.2206.11182

2022-06-22

Cryptography and Security

Abstract:Organizations struggle to handle sheer number of vulnerabilities in their cloud environments. The de facto methodology used for prioritizing vulnerabilities is to use Common Vulnerability Scoring System (CVSS). However, CVSS has inherent limitations that makes it not ideal for prioritization. In this work, we propose a new way of prioritizing vulnerabilities. Our approach is inspired by how offensive security practitioners perform penetration testing. We evaluate our approach with a real world case study for a large client, and the accuracy of machine learning to automate the process end to end.

Ruyi Wang,Ling Gao,Qian Sun,Deheng Sun

DOI: https://doi.org/10.1109/mines.2011.27

2011-01-01

Abstract:Through scoring vulnerabilities according to their risks, mastering statuses of vulnerabilities, security managers could adjust the configuration for computer security in time and give repair methods to different vulnerabilities flexibly. Since scoring vulnerabilities is significant for evaluating and repairing vulnerabilities, this paper presents a vulnerability scoring mechanism based on CVSS by analyzing advantages and disadvantages of CVSS and comparing with some improved CVSS-based methods. Our improved scoring mechanism makes the vulnerability evaluating more exactly and effectively, simplifying the process of vulnerability evaluating.

Zhongqiang Chen,Yuan Zhang,Zhongrong Chen

DOI: https://doi.org/10.1093/comjnl/bxp040

2009-01-01

The Computer Journal

Abstract:The dictionary of common vulnerabilities and exposures (CVEs) is a compilation of known security loopholes whose objective is to both facilitate the exchange of security-related information and expedite vulnerability analysis of computer systems. Its lack of categorization and generalization capability renders the dictionary ineffective when it comes to developing defense strategies for clustered vulnerabilities instead of individual exploits. To address this issue, we propose a CVE categorization framework termed CVE Classifier that transforms the dictionary into a classifier that not only categorizes CVEs with respect to diverse taxonomic features but can also evaluate general trends in the evolution of vulnerabilities. With the help of support vector machines, CVE Classifier builds learning models for taxonomic features based on training data automatically extracted from pertinent vulnerability databases including BID, X-Force and Secunia, and CVE entries containing telltale keywords unique to taxonomic features. We use word-stemming and stopword-removal techniques to reduce the dimensions of the feature space formed by CVEs and develop a data fusion and cleansing process to eliminate data inconsistencies to improve classification performance. The CVE classification produced by the proposed framework reveals that the majority of the Internet security loopholes are harbored by a small set of services. Moreover, it becomes evident that the widespread deployment of security devices provides many additional attack points as such devices demonstrate a great mount of vulnerabilities. Finally, the CVE Classifier points out that remotely exploitable security loopholes continue to dominate the CVEs landscape.

Xiuzhen Chen,Qinghua Zheng,Xiaohong Guan

DOI: https://doi.org/10.1007/s10796-008-9111-6

2008-01-01

Information Systems Frontiers

Abstract:Many security problems are caused by vulnerabilities hidden in enterprise computer networks. It is very important for system administrators to have knowledge about the security vulnerabilities. However, current vulnerability assessment methods may encounter the issues of high false positive rates, long computational time, and requirement of developing attack codes. Moreover, they are only capable of locating individual vulnerabilities on a single host without considering correlated effect of these vulnerabilities on a host or a section of network with the vulnerabilities possibly distributed among different hosts. To address these issues, an active vulnerability assessment system NetScope with C/S architecture is developed for evaluating computer network security based on open vulnerability assessment language instead of simulating attacks. The vulnerabilities and known attacks with their prerequisites and consequences are modeled based on predicate logic theory and are correlated so as to automatically construct potential attack paths with strong operation power of relational database management system. The testing results from a series of experiments show that this system has the advantages of a low false positive rate, short running periods, and little impact on the performance of audited systems and good scalability. The security vulnerabilities, undetectable if assessed individually in a network, are discovered without the need to simulate attacks. It is shown that the NetScope system is well suited for vulnerability assessment of large-scale computer networks such as campus networks and enterprise networks. Moreover, it can also be easily integrated with other security tools based on relational databases.

Evan Martin,Suranjana Basu,Tao Xie

2006-01-01

Abstract:Web services are a popular way of implementing a Service-Oriented Architecture (SOA), which has gained rapid adoption and support from leading industrial players such as IBM, Oracle, and Microsoft. Testing can be used to help assure both the correctness and robustness of a web service. Because manual testing is tedious, tools are needed to automate test genera tion and execution for web services. This paper presents a new framework for automatically generating and executing web-service requests. Given a service provider's WSDL, we first generate the necessary code to implement a client (service requestor). We then leverage existing automated unit test generation tools to g enerate unit tests and finally execute the generated unit tests, which in turn invok e the service under test. Our preliminary results show that we can quickly generate and execute web- service requests that may reveal robustness problems with no knowledge of the underlying web service implementation.

Yu-Zheng Lin,Muntasir Mamun,Muhtasim Alam Chowdhury,Shuyu Cai,Mingyu Zhu,Banafsheh Saber Latibari,Kevin Immanuel Gubbi,Najmeh Nazari Bavarsad,Arjun Caputo,Avesta Sasan,Houman Homayoun,Setareh Rafatirad,Pratik Satam,Soheil Salehi

2023-12-21

Abstract:The escalating complexity of modern computing frameworks has resulted in a surge in the cybersecurity vulnerabilities reported to the National Vulnerability Database (NVD) by practitioners. Despite the fact that the stature of NVD is one of the most significant databases for the latest insights into vulnerabilities, extracting meaningful trends from such a large amount of unstructured data is still challenging without the application of suitable technological methodologies. Previous efforts have mostly concentrated on software vulnerabilities; however, a holistic strategy incorporates approaches for mitigating vulnerabilities, score prediction, and a knowledge-generating system that may extract relevant insights from the Common Weakness Enumeration (CWE) and Common Vulnerability Exchange (CVE) databases is notably absent. As the number of hardware attacks on Internet of Things (IoT) devices continues to rapidly increase, we present the Hardware Vulnerability to Weakness Mapping (HW-V2W-Map) Framework, which is a Machine Learning (ML) framework focusing on hardware vulnerabilities and IoT security. The architecture that we have proposed incorporates an Ontology-driven Storytelling framework, which automates the process of updating the ontology in order to recognize patterns and evolution of vulnerabilities over time and provides approaches for mitigating the vulnerabilities. The repercussions of vulnerabilities can be mitigated as a result of this, and conversely, future exposures can be predicted and prevented. Furthermore, our proposed framework utilized Generative Pre-trained Transformer (GPT) Large Language Models (LLMs) to provide mitigation suggestions.

Cryptography and Security,Artificial Intelligence,Machine Learning

Luis Alberto Benthin Sanguino,Rafael Uetz

DOI: https://doi.org/10.48550/arXiv.1705.05347

2017-05-16

Abstract:In this paper, we analyze the Common Platform Enumeration (CPE) dictionary and the Common Vulnerabilities and Exposures (CVE) feeds. These repositories are widely used in Vulnerability Management Systems (VMSs) to check for known vulnerabilities in software products. The analysis shows, among other issues, a lack of synchronization between both datasets that can lead to incorrect results output by VMSs relying on those datasets. To deal with these problems, we developed a method that recommends to a user a prioritized list of CPE identifiers for a given software product. The user can then assign (and, if necessary, adapt) the most suitable CPE identifier to the software so that regular (e.g., daily) checks can find known vulnerabilities for this software in the CVE feeds. Our evaluation of this method shows that this interaction is indeed necessary because a fully automated CPE assignment is prone to errors due to the CPE and CVE shortcomings. We implemented an open-source VMS that employs the proposed method and published it on GitHub.

Cryptography and Security

Gaurav Sharma,Stilianos Vidalis,Catherine Menon,Niharika Anand

DOI: https://doi.org/10.1007/s11042-022-14036-y

Abstract:Proactive security plays a vital role in preventing the attack before entering active mode. In the modern information environment, it depends on the vulnerability management practitioners of an organization in which the critical factor is the prioritization of threats. The existing models and methodology follow the traditional approaches of a Common Vulnerability Scoring System (CVSS) to prioritize threats and vulnerabilities. The CVSS is not able to provide effectiveness to the security of the business of an organization. In contrast, the vulnerability analysis needs a model which can give significance to the prioritization policies. The model depends on the CVSS score of threats and compares various features of vulnerability like threat vectors, inputs, environments used by threat agent's groups, and potential outputs of threat agents. Therefore, the research aims to design a semi-automatic model for vulnerability analysis of threats for the National Institute of Standards and Technology (NIST) database of cyber-crime. We have developed a semi-automatic model that simulates the CVE (Common Vulnerabilities and Exposures) list of the NIST database between 1999 and 2021, concerning the resources used by the threat agents, pre-requisites input, attack vectors, and dormant results. The semi-automatic approach of the model to perform the vulnerability analysis of threat agent groups identified in a network makes the model more efficient and effective to addresses the profiling of threat agents and evaluating the CTI (Critical Threat intelligence feed). Our experimental results imply that the semi-automatic model implements the vulnerability prioritization based on the CVSS score and uses the comparative analysis based on the threat agent's vectors identified. It also provides potency and optimized complexity to an organization's business to mitigate the vulnerability identified in a network.

Evan Martin,Suranjana Basu,Tao Xie

DOI: https://doi.org/10.1109/ICWS.2007.49

2007-01-01

Abstract:Web services are a popular way of implementing a Service-Oriented Architecture (SOA), which has gained rapid adoption and support from leading companies in industry. Testing can be used to help assure both the corectness and robustness of a web service. Because manual testing is tedious, tools are needed to automate test generation and execution for web services. This paper presents a framework and its supporting tool for automaically generating and executing web-service requests and analyzing the subsequent request-response pairs. Given a service provider's Web Service Description Language (WSDL) specification, we first automatically generate neessary Java code to implement a client (service requestor). We then leverage automated unit test generation tools for Java to generate unit tests (including extreme, special, and random input values), and execute the generated unit tests, which in turn invoke the service under test. Finally we an alyze the large number of request-response pairs from the web service invocation and identify robustness problems. We have applied our framework to freely available web services and our experiences show that we can quickly gen erate and execute web-service requests that may reveal robustness problems with no knowledge of the underlying web service implementation.

Mahmoud Mohammadi,Bill Chu,Heather Richter Lipford,Emerson Murphy-Hill

DOI: https://doi.org/10.1145/2896921.2896929

2018-04-03

Abstract:Integrating security testing into the workflow of software developers not only can save resources for separate security testing but also reduce the cost of fixing security vulnerabilities by detecting them early in the development cycle. We present an automatic testing approach to detect a common type of Cross Site Scripting (XSS) vulnerability caused by improper encoding of untrusted data. We automatically extract encoding functions used in a web application to sanitize untrusted inputs and then evaluate their effectiveness by automatically generating XSS attack strings. Our evaluations show that this technique can detect 0-day XSS vulnerabilities that cannot be found by static analysis tools. We will also show that our approach can efficiently cover a common type of XSS vulnerability. This approach can be generalized to test for input validation against other types injections such as command line injection.

Cryptography and Security

Jin He,Boxiang Shang,Yan Li,Bo Yin

DOI: https://doi.org/10.1088/1742-6596/1550/3/032057

2020-05-01

Journal of Physics: Conference Series

Abstract:Abstract With the promotion of the ubiquitous power IoT strategy, as well as the extensive application of advanced information communication technology and Internet + in the power grid, the power system has gradually broken the previous closure and exclusivity. The construction and deployment of open, interactive, extensive and interconnected power web business system are becoming more and more widespread. The inherent vulnerability and hidden danger of power web system make power face the risk transfer from network and information security to power system. Aiming at the potential security problems of vulnerability in the massive power web system, an in-depth study is made on the automatic mining and utilization technology of the vulnerability in the power web system. By carrying out researches on the framework design of automatic mining and utilization of vulnerabilities in power web system and the intelligent new mode of exploiting vulnerabilities in power web system, the overall design is made for the mechanism and model of automatic mining of asset vulnerabilities in power information system.

Bo Lin,Shangwen Wang,Liqian Chen,Xiaoguang Mao

2024-11-27

Abstract:As software vulnerabilities increase in both volume and complexity, vendors often struggle to repair them promptly. Automated vulnerability repair has emerged as a promising solution to reduce the burden of manual debugging and fixing activities. However, existing techniques exclusively focus on repairing the vulnerabilities at the source code level, which has various limitations. For example, they are not applicable to those (e.g., users or security analysts) who do not have access to the source code. Consequently, this restricts the practical application of these techniques, especially in cases where vendors are unable to provide timely patches. In this paper, we aim to address the above limitations by performing vulnerability repair at binary code level, and accordingly propose a template-based automated vulnerability repair approach for Java binaries. Built on top of the literature, we collect fix templates from both existing template-based automated program repair approaches and vulnerability-specific analyses, which are then implemented for the Java binaries. Our systematic application of these templates effectively mitigates vulnerabilities: experiments on the Vul4J dataset demonstrate that TemVUR successfully repairs 11 vulnerabilities, marking a notable 57.1% improvement over current repair techniques. Moreover, TemVUR securely fixes 66.7% more vulnerabilities compared to leading techniques (15 vs. 9), underscoring its effectiveness in mitigating the risks posed by these vulnerabilities. To assess the generalizability of TemVUR, we curate the ManyVuls4J dataset, which goes beyond Vul4J to encompass a wider diversity of vulnerabilities. With 30% more vulnerabilities than its predecessor (increasing from 79 to 103). The evaluation on ManyVuls4J reaffirms TemVUR's effectiveness and generalizability across a diverse set of real-world vulnerabilities.

Software Engineering

Yuanwei Hou,Xingzhang Ren,Yongle Hao,Tong Mo,Weiping Li

DOI: https://doi.org/10.1007/978-3-319-69811-3_38

2018-01-01

Abstract:In the management and assessment of security vulnerabilities, it is always involving the task of threat classification. The traditional method requires the professional security management personnel to assess the vulnerability by analyzing the factors of access paths, the complexity, influence degree (confidentiality, integrity, availability) and the others. Due to the huge number and constantly generated security vulnerabilities, it needs a lot of professionals to manage, so that it may be due to the different subjective judgment criteria, judgment mistakes, lacking knowledge, etc., which caused the inconsistent, incorrect and inaccurate classification result of security vulnerabilities. In this paper, a GBDT based security vulnerability threat classification method is proposed, and effective features are extracted from semi-structured vulnerability description. In the experimental part, the supervised classification experiment was carried out by using the CNNVD (China National Vulnerability Database) from 1988 to the present which was manually annotated. The experimental results show that the proposed method has a good practical effect.