Predicting Exploitations of Information Systems Vulnerabilities Through Attackers’ Characteristics

Dobrovoljc, Andrej; Trček, Denis; Likar, Borut

doi:10.1109/access.2017.2769063

Cited by 16 publications

(12 citation statements)

References 21 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Papers such as [18], by Houmb et al, use CVSS to predict the frequency and impact of failures from a risk management perspective. Dobrovoljc et al [12] suggest an improvement over CVSS that explicitly includes the features of perceived attackers who may be able to exploit a vulnerability. Similarly, Wang et al [38], and Liu and Zhang [22] also suggest new scales by pointing our certain deficiencies in CVSS that restrict its usage in their contexts.…”

Section: Cvss Scalementioning

confidence: 99%

Automatically assessing vulnerabilities discovered by compositional analysis

Ognawala

Amato

Pretschner

et al. 2018

Proceedings of the 1st International Workshop on Machine Learning and Software Engineering in Symbiosis

View full text Add to dashboard Cite

Testing is the most widely employed method to find vulnerabilities in real-world software programs. Compositional analysis, based on symbolic execution, is an automated testing method to find vulnerabilities in medium-to large-scale programs consisting of many interacting components. However, existing compositional analysis frameworks do not assess the severity of reported vulnerabilities. In this paper, we present a framework to analyze vulnerabilities discovered by an existing compositional analysis tool and assign CVSS3 (Common Vulnerability Scoring System v3.0) scores to them, based on various heuristics such as interaction with related components, ease of reachability, complexity of design and likelihood of accepting unsanitized input. By analyzing vulnerabilities reported with CVSS3 scores in the past, we train simple machine learning models. By presenting our interactive framework to developers of popular open-source software and other security experts, we gather feedback on our trained models and further improve the features to increase the accuracy of our predictions. By providing qualitative (based on community feedback) and quantitative (based on prediction accuracy) evidence from 21 open-source programs, we show that our severity prediction framework can effectively assist developers with assessing vulnerabilities.

show abstract

Section: Cvss Scalementioning

confidence: 99%

Automatically assessing vulnerabilities discovered by compositional analysis

Ognawala

Amato

Pretschner

et al. 2018

Proceedings of the 1st International Workshop on Machine Learning and Software Engineering in Symbiosis

View full text Add to dashboard Cite

show abstract

“…Fixing vulnerabilities requires a lot of effort, time, and resources [1,2]. The cybersecurity analysts in the CERT/CSIRT of the different organizations have an arduous task at the level of proactive services whose main objective is to prevent attacks before they happen [3]. Those responsible for security must also analyze what vulnerabilities affect IT assets.…”

Section: Introductionmentioning

confidence: 99%

“…However, the efficiency of this metric is affected by additional environment variables present in computer networks. Thus, by itself, it is not a good predictor of vulnerability exploitation and probability of occurrence [1][2][3]. Additionally, due to the large number of vulnerabilities that NVD contains and the amount of information for each exposure, it is essential to maintain an analysis with as many variables as possible [9].…”

Section: Introductionmentioning

confidence: 99%

An Environment-Specific Prioritization Model for Information-Security Vulnerabilities Based on Risk Factor Analysis

et al. 2022

View full text Add to dashboard Cite

Vulnerabilities represent a constant and growing risk for organizations. Their successful exploitation compromises the integrity and availability of systems. The use of specialized tools facilitates the vulnerability monitoring and scanning process. However, the large amount of information transmitted over the network makes it difficult to prioritize the identified vulnerabilities based on their severity and impact. This research aims to design and implement a prioritization model for detecting vulnerabilities based on their network environment variables and characteristics. A mathematical prioritization model was developed, which allows for calculating the risk factor using the phases of collection, analysis, and extraction of knowledge from the open information sources of the OSINT framework. The input data were obtained through the Shodan REST API. Then, the mathematical model was applied to the relevant information on vulnerabilities and their environment to quantify and calculate the risk factor. Additionally, a software prototype was designed and implemented that automates the prioritization process through a Client–Server architecture incorporating data extraction, correlation, and calculation modules. The results show that prioritization of vulnerabilities was achieved with the information available to the attacker, which allows evaluating the overexposure of information from organizations. Finally, we concluded that Shodan has relevant variables that assess and quantify the overexposure of an organization’s data. In addition, we determined that the Common Vulnerability Scoring System (CVSS) is not sufficient to prioritize software vulnerabilities since the environments where they reside have different characteristics.

show abstract

“…Recent studies have used machine learning or deep learning to predict vulnerability exploitation [11][12][13][14][15]. Machine learning is divided into supervised learning to train with answer data and non-supervised learning to train without answer data.…”

Section: Introductionmentioning

confidence: 99%

Better Not to Use Vulnerability’s Reference for Exploitability Prediction

et al. 2020

View full text Add to dashboard Cite

About half of all exploit codes will become available within about two weeks of the release date of its vulnerability. However, 80% of the released vulnerabilities are never exploited. Since putting the same effort to eliminate all vulnerabilities can be somewhat wasteful, software companies usually use different methods to assess which vulnerability is more serious and needs an immediate patch. Recently, there have been some attempts to use machine learning techniques to predict a vulnerability’s exploitability. In doing so, a vulnerability’s related URL, called its reference, is commonly used as a machine learning algorithm’s feature. However, we found that some references contained proof-of-concept codes. In this paper, we analyzed all references in the National Vulnerability Database and found that 46,202 of them contained such codes. We compared prediction performances between feature matrix with and without reference information. Experimental results showed that test sets that used references containing proof-of-concept codes had better prediction performance than ones that used references without such codes. Even though the difference is not huge, it is clear that references having answer information contributed to the prediction performance, which is not desirable. Thus, it is better not to use reference information to predict vulnerability exploitation.

show abstract

Predicting Exploitations of Information Systems Vulnerabilities Through Attackers’ Characteristics

Cited by 16 publications

References 21 publications

Automatically assessing vulnerabilities discovered by compositional analysis

Automatically assessing vulnerabilities discovered by compositional analysis

An Environment-Specific Prioritization Model for Information-Security Vulnerabilities Based on Risk Factor Analysis

Better Not to Use Vulnerability’s Reference for Exploitability Prediction

Contact Info

Product

Resources

About