Muhammed Fatih Bulut,Abdulhamid Adebayo,Daby Sow,Steve Ocepek

DOI: https://doi.org/10.48550/arXiv.2206.11182

2022-06-22

Cryptography and Security

Abstract:Organizations struggle to handle sheer number of vulnerabilities in their cloud environments. The de facto methodology used for prioritizing vulnerabilities is to use Common Vulnerability Scoring System (CVSS). However, CVSS has inherent limitations that makes it not ideal for prioritization. In this work, we propose a new way of prioritizing vulnerabilities. Our approach is inspired by how offensive security practitioners perform penetration testing. We evaluate our approach with a real world case study for a large client, and the accuracy of machine learning to automate the process end to end.

Shengyi Pan,Lingfeng Bao,Jiayuan Zhou,Xing Hu,Xin Xia,Shanping Li

DOI: https://doi.org/10.1145/3597503.3639110

2024-01-01

Abstract:It is increasingly suggested to identify emerging software vulner-abilities (SVs) through relevant development activities (e.g., issue reports) to allow early warnings to open source software (OSS) users. However, the support for the following assessment of the de-tected SVs has not yet been explored. SV assessment characterizes the detected SVs to prioritize limited remediation resources on the critical ones. To fill this gap, we aim to enable early vulnerability assessment based on SV-related issue reports (SIR). Besides, we observe the following concerns of the existing assessment techniques: 1) the assessment output lacks rationale and practical value; 2) the associations between Common Vulnerability Scoring System (CVSS) metrics have been ignored; 3) insufficient evaluation sce-narios and metrics. We address these concerns to enhance the prac-ticality of our proposed early vulnerability assessment approach (namely proEVA). Specifically, based on the observation of strong associations between CVSS metrics, we propose a prompt-based model to exploit such relations for CVSS metrics prediction. More-over, we design a curriculum-learning (CL) schedule to guide the model better learn such hidden associations during training. Aside from the standard classification metrics adopted in existing works, we propose two severity-aware metrics to provide a more compre-hensive evaluation regarding the prioritization of the high-severe SVs. Experimental results show that proEVA significantly outper-forms the baselines in both types of metrics. We further discuss the transferability of the prediction model regarding the upgrade of the assessment system, an important yet overlooked evaluation scenario in existing works. The results verify that proEVA is more efficient and flexible in migrating to different assessment systems.

Chen,Gang Chen

DOI: https://doi.org/10.1109/aiipcc57291.2022.00077

2022-01-01

Abstract:With the rapid development and popular utilization of computer network system, the proportion of attacks against computer network system has been increasing year by year. The traditional security vulnerability assessment method only evaluates individual vulnerabilities in isolation, and the assessment results do not reflect the degree of impact of vulnerabilities on the whole network. To address this problem this paper proposes a computer network system security assessment method, which uses the CVSSv3 evaluation index to assess vulnerabilities based on vulnerability association graph and risk matrix, while taking into account the association relationship between the fore-order vulnerability nodes, back-order vulnerability nodes and the vulnerability itself. The vulnerability correlation hazard calculated by the method can accurately reflect the degree of impact of the vulnerability on the whole computer network system, and the accuracy and effectiveness of the method is proved through experiments.

Julia Wunder,Andreas Kurtz,Christian Eichenmüller,Freya Gassmann,Zinaida Benenson

DOI: https://doi.org/10.48550/arXiv.2308.15259

2024-05-08

Abstract:The Common Vulnerability Scoring System (CVSS) is a popular method for evaluating the severity of vulnerabilities in vulnerability management. In the evaluation process, a numeric score between 0 and 10 is calculated, 10 being the most severe (critical) value. The goal of CVSS is to provide comparable scores across different evaluators. However, previous works indicate that CVSS might not reach this goal: If a vulnerability is evaluated by several analysts, their scores often differ. This raises the following questions: Are CVSS evaluations consistent? Which factors influence CVSS assessments? We systematically investigate these questions in an online survey with 196 CVSS users. We show that specific CVSS metrics are inconsistently evaluated for widespread vulnerability types, including Top 3 vulnerabilities from the "2022 CWE Top 25 Most Dangerous Software Weaknesses" list. In a follow-up survey with 59 participants, we found that for the same vulnerabilities from the main study, 68% of these users gave different severity ratings. Our study reveals that most evaluators are aware of the problematic aspects of CVSS, but they still see CVSS as a useful tool for vulnerability assessment. Finally, we discuss possible reasons for inconsistent evaluations and provide recommendations on improving the consistency of scoring.

Cryptography and Security

Luca Allodi,Fabio Massacci

DOI: https://doi.org/10.1145/2630069

2013-09-24

Abstract:(U.S) Rule-based policies to mitigate software risk suggest to use the CVSS score to measure the individual vulnerability risk and act accordingly: an HIGH CVSS score according to the NVD (National (U.S.) Vulnerability Database) is therefore translated into a "Yes". A key issue is whether such rule is economically sensible, in particular if reported vulnerabilities have been actually exploited in the wild, and whether the risk score do actually match the risk of actual exploitation. We compare the NVD dataset with two additional datasets, the EDB for the white market of vulnerabilities (such as those present in Metasploit), and the EKITS for the exploits traded in the black market. We benchmark them against Symantec's threat explorer dataset (SYM) of actual exploit in the wild. We analyze the whole spectrum of CVSS submetrics and use these characteristics to perform a case-controlled analysis of CVSS scores (similar to those used to link lung cancer and smoking) to test its reliability as a risk factor for actual exploitation. We conclude that (a) fixing just because a high CVSS score in NVD only yields negligible risk reduction, (b) the additional existence of proof of concepts exploits (e.g. in EDB) may yield some additional but not large risk reduction, (c) fixing in response to presence in black markets yields the equivalent risk reduction of wearing safety belt in cars (you might also die but still..). On the negative side, our study shows that as industry we miss a metric with high specificity (ruling out vulns for which we shouldn't worry). In order to address the feedback from BlackHat 2013's audience, the final revision (V3) provides additional data in Appendix A detailing how the control variables in the study affect the results.

Cryptography and Security

Shengyi Pan,Lingfeng Bao,Xin Xia,David Lo,Shanping Li

DOI: https://doi.org/10.1109/icse48619.2023.00088

2023-01-01

Abstract:Identifying security patches via code commits to allow early warnings and timely fixes for Open Source Software (OSS) has received increasing attention. However, the existing detection methods can only identify the presence of a patch (i.e., a binary classification) but fail to pinpoint the vulnerability type. In this work, we take the first step to categorize the security patches into fine-grained vulnerability types. Specifically, we use the Common Weakness Enumeration (CWE) as the label and perform fine-grained classification using categories at the third level of the CWE tree. We first formulate the task as a Hierarchical Multi-label Classification (HMC) problem, i.e., inferring a path (a sequence of CWE nodes) from the root of the CWE tree to the node at the target depth. We then propose an approach named TREEVUL with a hierarchical and chained architecture, which manages to utilize the structure information of the CWE tree as prior knowledge of the classification task. We further propose a tree structure aware and beam search based inference algorithm for retrieving the optimal path with the highest merged probability. We collect a large security patch dataset from NVD, consisting of 6,541 commits from 1,560 GitHub OSS repositories. Experimental results show that TREEVUL significantly outperforms the best performing baselines, with improvements of 5.9%, 25.0%, and 7.7% in terms of weighted F1-score, macro F1-score, and MCC, respectively. We further conduct a user study and a case study to verify the practical value of TREEVUL in enriching the binary patch detection results and improving the data quality of NVD, respectively.

Maciej Roman Nowak,Michał Walkowski,Sławomir Sujecki

DOI: https://doi.org/10.3390/s23041802

IF: 3.9

2023-02-07

Sensors

Abstract:COVID-19 forced a number of changes in many areas of life, which resulted in an increase in human activity in cyberspace. Furthermore, the number of cyberattacks has increased. In such circumstances, detection, accurate prioritisation, and timely removal of critical vulnerabilities is of key importance for ensuring the security of various organisations. One of the most-commonly used vulnerability assessment standards is the Common Vulnerability Scoring System (CVSS), which allows for assessing the degree of vulnerability criticality on a scale from 0 to 10. Unfortunately, not all detected vulnerabilities have defined CVSS base scores, or if they do, they are not always expressed using the latest standard (CVSS 3.x). In this work, we propose using machine learning algorithms to convert the CVSS vector from Version 2.0 to 3.x. We discuss in detail the individual steps of the conversion procedure, starting from data acquisition using vulnerability databases and Natural Language Processing (NLP) algorithms, to the vector mapping process based on the optimisation of ML algorithm parameters, and finally, the application of machine learning to calculate the CVSS 3.x vector components. The calculated example results showed the effectiveness of the proposed method for the conversion of the CVSS 2.0 vector to the CVSS 3.x standard.

engineering, electrical & electronic,chemistry, analytical,instruments & instrumentation

Milda Petraityte,Ali Dehghantanha,Gregory Epiphaniou

DOI: https://doi.org/10.1007/978-3-319-73951-9_11

2018-07-27

Abstract:Various researchers have shown that the Common Vulnerability Scoring System (CVSS) has many drawbacks and may not provide a precise view of the risks related to software vulnerabilities. However, many threat intelligence platforms and industry-wide standards are relying on CVSS score to evaluate cybersecurity compliance. This paper suggests several improvements to the calculation of Impact and Exploitability sub-scores within the CVSS, improve its accuracy and help threat intelligence analysts to focus on the key risks associated with their assets. We will apply our suggested improvements against risks associated with several Android and iOS applications and discuss achieved improvements and advantages of our modelling, such as the importance and the impact of time on the overall CVSS score calculation.

Cryptography and Security

Junaid Akram,Luo Ping

DOI: https://doi.org/10.1049/iet-ifs.2018.5647

2020-01-01

IET Information Security

Abstract:Cybercrimes are on a dramatic rise worldwide. The crime rate is growing day by day in every field or department which is directly or indirectly connected to the internet including Government, business or any individual. The main objective of this study is to evaluate the vulnerabilities in different software systems at the source code level by tracing their patch files. The authors have collected the source code of different types of vulnerabilities at a different level of granularities. They have proposed different ways to collect or trace the vulnerability code, which can be very helpful for security experts, organisations and software developers to maintain security measures. By following their proposed method, you can build your own vulnerability data-set and can detect vulnerabilities in any system by using suitable code clone detection technique. The study also includes a discussion of reasons for the rise in cybercrimes including zero-day exploits. A case study has been discussed with results and research questions to show the effectiveness of this study. This study concludes with the effective key findings of published and non-published vulnerabilities and the ways to prevent from different security attacks to overcome cybercrimes.

Ruyi Wang,Ling Gao,Qian Sun,Deheng Sun

DOI: https://doi.org/10.1109/mines.2011.27

2011-01-01

Abstract:Through scoring vulnerabilities according to their risks, mastering statuses of vulnerabilities, security managers could adjust the configuration for computer security in time and give repair methods to different vulnerabilities flexibly. Since scoring vulnerabilities is significant for evaluating and repairing vulnerabilities, this paper presents a vulnerability scoring mechanism based on CVSS by analyzing advantages and disadvantages of CVSS and comparing with some improved CVSS-based methods. Our improved scoring mechanism makes the vulnerability evaluating more exactly and effectively, simplifying the process of vulnerability evaluating.

Miguel Santana,Vinicius V. Cogo,Alan Oliveira de Sá

2024-05-14

Abstract:Background: Timely prioritising and remediating vulnerabilities are paramount in the dynamic cybersecurity field, and one of the most widely used vulnerability scoring systems (CVSS) does not address the increasing likelihood of emerging an exploit code. Aims: We present SecScore, an innovative vulnerability severity score that enhances CVSS Threat metric group with statistical models from empirical evidences of real-world exploit codes. Method: SecScore adjusts the traditional CVSS score using an explainable and empirical method that more accurately and promptly captures the dynamics of exploit code development. Results: Our approach can integrate seamlessly into the assessment/prioritisation stage of several vulnerability management processes, improving the effectiveness of prioritisation and ensuring timely remediation. We provide real-world statistical analysis and models for a wide range of vulnerability types and platforms, demonstrating that SecScore is flexible according to the vulnerability's profile. Comprehensive experiments validate the value and timeliness of SecScore in vulnerability prioritisation. Conclusions: SecScore advances the vulnerability metrics theory and enhances organisational cybersecurity with practical insights.

Cryptography and Security

Ehsan Aghaei,Ehab Al-Shaer,Waseem Shadid,Xi Niu

DOI: https://doi.org/10.48550/arXiv.2309.03040

2023-09-06

Abstract:The Common Vulnerabilities and Exposures (CVE) are pivotal information for proactive cybersecurity measures, including service patching, security hardening, and more. However, CVEs typically offer low-level, product-oriented descriptions of publicly disclosed cybersecurity vulnerabilities, often lacking the essential attack semantic information required for comprehensive weakness characterization and threat impact estimation. This critical insight is essential for CVE prioritization and the identification of potential countermeasures, particularly when dealing with a large number of CVEs. Current industry practices involve manual evaluation of CVEs to assess their attack severities using the Common Vulnerability Scoring System (CVSS) and mapping them to Common Weakness Enumeration (CWE) for potential mitigation identification. Unfortunately, this manual analysis presents a major bottleneck in the vulnerability analysis process, leading to slowdowns in proactive cybersecurity efforts and the potential for inaccuracies due to human errors. In this research, we introduce our novel predictive model and tool (called CVEDrill) which revolutionizes CVE analysis and threat prioritization. CVEDrill accurately estimates the CVSS vector for precise threat mitigation and priority ranking and seamlessly automates the classification of CVEs into the appropriate CWE hierarchy classes. By harnessing CVEDrill, organizations can now implement cybersecurity countermeasure mitigation with unparalleled accuracy and timeliness, surpassing in this domain the capabilities of state-of-the-art tools like ChaptGPT.

Cryptography and Security,Machine Learning

Assane Gueye,Peter Mell

DOI: https://doi.org/10.48550/arXiv.2102.01722

2021-02-02

Cryptography and Security

Abstract:Understanding the landscape of software vulnerabilities is key for developing effective security solutions. Fortunately, the evaluation of vulnerability databases that use a framework for communicating vulnerability attributes and their severity scores, such as the Common Vulnerability Scoring System (CVSS), can help shed light on the nature of publicly published vulnerabilities. In this paper, we characterize the software vulnerability landscape by performing a historical and statistical analysis of CVSS vulnerability metrics over the period of 2005 to 2019 through using data from the National Vulnerability Database. We conduct three studies analyzing the following: the distribution of CVSS scores (both empirical and theoretical), the distribution of CVSS metric values and how vulnerability characteristics change over time, and the relative rankings of the most frequent metric value over time. Our resulting analysis shows that the vulnerability threat landscape has been dominated by only a few vulnerability types and has changed little during the time period of the study. The overwhelming majority of vulnerabilities are exploitable over the network. The complexity to successfully exploit these vulnerabilities is dominantly low; very little authentication to the target victim is necessary for a successful attack. And most of the flaws require very limited interaction with users. However on the positive side, the damage of these vulnerabilities is mostly confined within the security scope of the impacted components. A discussion of lessons that could be learned from this analysis is presented.

Gaurav Sharma,Stilianos Vidalis,Catherine Menon,Niharika Anand

DOI: https://doi.org/10.1007/s11042-022-14036-y

Abstract:Proactive security plays a vital role in preventing the attack before entering active mode. In the modern information environment, it depends on the vulnerability management practitioners of an organization in which the critical factor is the prioritization of threats. The existing models and methodology follow the traditional approaches of a Common Vulnerability Scoring System (CVSS) to prioritize threats and vulnerabilities. The CVSS is not able to provide effectiveness to the security of the business of an organization. In contrast, the vulnerability analysis needs a model which can give significance to the prioritization policies. The model depends on the CVSS score of threats and compares various features of vulnerability like threat vectors, inputs, environments used by threat agent's groups, and potential outputs of threat agents. Therefore, the research aims to design a semi-automatic model for vulnerability analysis of threats for the National Institute of Standards and Technology (NIST) database of cyber-crime. We have developed a semi-automatic model that simulates the CVE (Common Vulnerabilities and Exposures) list of the NIST database between 1999 and 2021, concerning the resources used by the threat agents, pre-requisites input, attack vectors, and dormant results. The semi-automatic approach of the model to perform the vulnerability analysis of threat agent groups identified in a network makes the model more efficient and effective to addresses the profiling of threat agents and evaluating the CTI (Critical Threat intelligence feed). Our experimental results imply that the semi-automatic model implements the vulnerability prioritization based on the CVSS score and uses the comparative analysis based on the threat agent's vectors identified. It also provides potency and optimized complexity to an organization's business to mitigate the vulnerability identified in a network.

Luca Allodi,Sebastian Banescu,Henning Femmer,Kristian Beckers

DOI: https://doi.org/10.1145/3176258.3176340

2018-03-21

Abstract:The assessment of new vulnerabilities is an activity that accounts for information from several data sources and produces a `severity' score for the vulnerability. The Common Vulnerability Scoring System (\CVSS) is the reference standard for this assessment. Yet, no guidance currently exists on \emph{which information} aids a correct assessment and should therefore be considered. In this paper we address this problem by evaluating which information cues increase (or decrease) assessment accuracy. We devise a block design experiment with 67 software engineering students with varying vulnerability information and measure scoring accuracy under different information sets. We find that baseline vulnerability descriptions provided by standard vulnerability sources provide only part of the information needed to achieve an accurate vulnerability assessment. Further, we find that additional information on \texttt{assets}, \texttt{attacks}, and \texttt{vulnerability type} contributes in increasing the accuracy of the assessment; conversely, information on \texttt{known threats} misleads the assessor and decreases assessment accuracy and should be avoided when assessing vulnerabilities. These results go in the direction of formalizing the vulnerability communication to, for example, fully automate security assessments.

Cryptography and Security

Corren McCoy,Ross Gore,Michael L. Nelson,Michele C. Weigle

2024-06-10

Abstract:The relentless process of tracking and remediating vulnerabilities is a top concern for cybersecurity professionals. The key challenge is trying to identify a remediation scheme specific to in-house, organizational objectives. Without a strategy, the result is a patchwork of fixes applied to a tide of vulnerabilities, any one of which could be the point of failure in an otherwise formidable defense. Given that few vulnerabilities are a focus of real-world attacks, a practical remediation strategy is to identify vulnerabilities likely to be exploited and focus efforts towards remediating those vulnerabilities first. The goal of this research is to demonstrate that aggregating and synthesizing readily accessible, public data sources to provide personalized, automated recommendations for organizations to prioritize their vulnerability management strategy will offer significant improvements over using the Common Vulnerability Scoring System (CVSS). We provide a framework for vulnerability management specifically focused on mitigating threats using adversary criteria derived from MITRE ATT&CK. We test our approach by identifying vulnerabilities in software associated with six universities and four government facilities. Ranking policy performance is measured using the Normalized Discounted Cumulative Gain (nDCG). Our results show an average 71.5% - 91.3% improvement towards the identification of vulnerabilities likely to be targeted and exploited by cyber threat actors. The return on investment (ROI) of patching using our policies results in a savings of 23.3% - 25.5% in annualized costs. Our results demonstrate the efficacy of creating knowledge graphs to link large data sets to facilitate semantic queries and create data-driven, flexible ranking policies.

Cryptography and Security

Birendra Kumar Verma,Ajay Kumar Yadav

DOI: https://doi.org/10.1007/s12652-024-04778-y

IF: 3.662

2024-04-05

Journal of Ambient Intelligence and Humanized Computing

Abstract:As software gets more complicated, diverse, and crucial to people's daily lives, exploitable software vulnerabilities constitute a major security risk to the computer system. These vulnerabilities allow unauthorized access, which can cause losses in banking, energy, the military, healthcare, and other key infrastructure systems. Most vulnerability scoring methods employ Natural Language Processing to generate models from descriptions. These models ignore Impact scores, Exploitability scores, Attack Complexity and other statistical features when scoring vulnerabilities. A feature vector for machine learning models is created from a description, impact score, exploitability score, attack complexity score, etc. We score vulnerabilities more precisely than we categorize them. The Decision Tree Regressor, Random Forest Regressor, AdaBoost Regressor, K-nearest Neighbors Regressor, and Support Vector Regressor have been evaluated using the metrics explained variance, r-squared, mean absolute error, mean squared error, and root mean squared error. The tenfold cross-validation method verifies regressor test results. The research uses 193,463 Common Vulnerabilities and Exposures from the National Vulnerability Database. The Random Forest regressor performed well on four of the five criteria, and the tenfold cross-validation test performed even better (0.9968 vs. 0.9958).

computer science, information systems,telecommunications, artificial intelligence

Fabio Massacci

DOI: https://doi.org/10.1109/msec.2023.3333936

IF: 3.105

2024-02-03

IEEE Security & Privacy

Abstract:Scoring vulnerabilities is a hard task, and we build standards for this purpose: the Common Vulnerability Scoring System (CVSS) used by NIST is the oldest of them. It was invented by Peter Mell and Karen Scarfone, among others, to assess severity.1

computer science, information systems, software engineering

Yinghui Wang,Bin Yu,Haiyang Yu,Lingyun Xiao,Haojie Ji,Yanan Zhao

DOI: https://doi.org/10.1109/jsyst.2022.3230097

IF: 4.802

2022-01-01

IEEE Systems Journal

Abstract:As a promising technology, connected and autonomous vehicle (CAV) can reduce energy consumption and improve transportation safety. Nevertheless, as more enabling technologies are embedded in vehicles, the CAV is becoming more vulnerable to cybersecurity threats. Priority must be given to highly sensitive, life-threatening vulnerabilities. Therefore, an improved vulnerability assessment method for CAVs is proposed in this article, in which the common vulnerability scoring system (CVSS) and Bayes theory are adopted. Compared to the classical CVSS method, our scheme considers the impact of exploited vulnerabilities on the real world. In the meantime, a Bayesian network vulnerability classification model based on the $\text{CVSS}_{\text{CAV}}$ method is designed to resolve the problem that the CAVs' vulnerability dataset is small and incomplete. The case study as well as simulation results with different datasets or algorithms indicate that our proposal is effective for vehicle vulnerability evaluation.

computer science, information systems,telecommunications,engineering, electrical & electronic,operations research & management science

Alexander Kott,Curtis Arnold

DOI: https://doi.org/10.48550/arXiv.1512.07937

2015-12-25

Abstract:We review the current status and research challenges in the area of cyber security often called continuous monitoring and risk scoring (CMRS). We focus on two most salient aspects of CMRS. First, continuous collection of data through automated feeds; hence the term continuous monitoring. Typical data collected for continuous monitoring purposes include network traffic information as well as host information from host-based agents. Second, analysis of the collected data in order to assess the risks - the risk scoring. This assessment may include flagging especially egregious vulnerabilities and exposures, or computing metrics that provide an overall characterization of the network's risk level. Currently used risk metrics are often simple sums or counts of vulnerabilities and missing patches. The research challenges pertaining to CMRS fall mainly into two categories. The first centers on the problem of integrating and fusing highly heterogeneous information. The second group of challenges is the lack of rigorous approaches to computing risk. Existing risk scoring algorithms remain limited to ad hoc heuristics such as simple sums of vulnerability scores or counts of things like missing patches or open ports, etc. Weaknesses and potentially misleading nature of such metrics are well recognized. For example, the individual vulnerability scores are dangerously reliant on subjective, human, qualitative input, potentially inaccurate and expensive to obtain. Further, the total number of vulnerabilities may matters far less than how vulnerabilities are distributed over hosts, or over time. Similarly, neither topology of the network nor the roles and dynamics of inter-host interactions are considered by simple sums of vulnerabilities or missing patches.

Cryptography and Security