Constructing a model for the dynamic evaluation of vulnerability in software based on public sources

DOI:

https://doi.org/10.15587/1729-4061.2021.248673

Keywords:

risk management, information security, machine learning, vulnerability evaluation, risk scores

Abstract

One of the key processes in software development and information security management is the evaluation of vulnerability risks. Analysis and evaluation of vulnerabilities are a resource-intensive process that requires highly qualified staff and a large amount of technical information. The main capabilities and drawbacks of existing systems for evaluating vulnerability risks in software were analyzed; a shared drawback is that they do not take into account the influence of trends and the degree of popularity of a vulnerability on the final evaluation.

During the study, the following information was analyzed in structured form: the CVSS (Common Vulnerability Scoring System) vector, the threat type, the attack vector, the availability of the original source code with patches, the availability of exploitation programs, and trends. The result made it possible to determine the main independent characteristics, the existence of correlations between the parameters, and the order and scheme of the relationships between the basic quantities that affect the final evaluation of a vulnerability's impact on a system.

A dataset with formalized characteristics, together with expert evaluations, was generated for the subsequent construction of a mathematical model. Various machine learning approaches and methods for constructing the target model of dynamic risk evaluation were analyzed: neuro-fuzzy logic, regression analysis algorithms, and neural-network modeling.

A mathematical model of the dynamic evaluation of vulnerability risk in software was developed, based on the dynamics of the spread of information about a vulnerability in open sources and on a multidimensional model, with an accuracy of 88.9 %. Using the obtained model makes it possible to reduce the analysis time from several hours to several minutes, to make more effective decisions on the order of patch prioritization, to unify the actions of experts, and to reduce the cost of managing information security risks.

Author Biographies

Yuliia Tatarinova, Samsung Research and Development Institute Ukraine (SRK)

Lead Engineer

Olga Sinelnikova, Taras Shevchenko National University of Kyiv; Samsung Research and Development Institute Ukraine (SRK)

PhD, Associate Professor

Department of Algebra and Computer Mathematics

Senior Engineer, Head of Laboratory

Laboratory of “DTV Security”

References

  1. Microsoft Security Development Lifecycle. Microsoft Inc. Available at: https://www.microsoft.com/en-us/securityengineering/sdl
  2. Common Vulnerability Scoring System SIG. First.org, Inc. Available at: https://www.first.org/cvss/
  3. Common Vulnerabilities and Exposures (CVE). Mitre.org, Inc. Available at: https://cve.mitre.org/
  4. Wu, C., Wen, T., Zhang, Y. (2019). A revised CVSS-based system to improve the dispersion of vulnerability risk scores. Science China Information Sciences, 62 (3). doi: https://doi.org/10.1007/s11432-017-9445-4
  5. Shlens, J. (2014). A tutorial on principal component analysis. arXiv.org. Available at: https://arxiv.org/pdf/1404.1100.pdf
  6. Keramati, M. (2016). New Vulnerability Scoring System for dynamic security evaluation. 2016 8th International Symposium on Telecommunications (IST). doi: https://doi.org/10.1109/istel.2016.7881922
  7. Zhang, F., Huff, P., McClanahan, K., Li, Q. (2020). A Machine Learning-based Approach for Automated Vulnerability Remediation Analysis. 2020 IEEE Conference on Communications and Network Security (CNS). doi: https://doi.org/10.1109/cns48642.2020.9162309
  8. Jacobs, J., Romanosky, S., Edwards, B., Adjerid, I., Roytman, M. (2021). Exploit Prediction Scoring System (EPSS). Digital Threats: Research and Practice, 2 (3), 1–17. doi: https://doi.org/10.1145/3436242
  9. Official Common Platform Enumeration (CPE) Dictionary. NIST. Available at: https://nvd.nist.gov/products/cpe
  10. National Vulnerability Database. NIST. Available at: https://nvd.nist.gov/
  11. Edkrantz, M., Said, A. (2015). Predicting Cyber Vulnerability Exploits with Machine Learning. Thirteenth Scandinavian Conference on Artificial Intelligence, 48–57. doi: https://doi.org/10.3233/978-1-61499-589-0-48
  12. Aksu, M. U., Bicakci, K., Dilek, M. H., Ozbayoglu, A. M., Tatli, E. I. (2018). Automated Generation of Attack Graphs Using NVD. Proceedings of the Eighth ACM Conference on Data and Application Security and Privacy. doi: https://doi.org/10.1145/3176258.3176339
  13. He, W., Li, H., Li, J. (2019). Unknown Vulnerability Risk Assessment Based on Directed Graph Models: A Survey. IEEE Access, 7, 168201–168225. doi: https://doi.org/10.1109/access.2019.2954092
  14. Petraityte, M., Dehghantanha, A., Epiphaniou, G. (2018). A Model for Android and iOS Applications Risk Calculation: CVSS Analysis and Enhancement Using Case-Control Studies. Cyber Threat Intelligence, 219–237. doi: https://doi.org/10.1007/978-3-319-73951-9_11
  15. Exploit database. Available at: https://www.exploitdb.com/
  16. Vulnerability Lab. Vulnerability Research, Bug Bounties & Vulnerability Assessments. Vulnerability Lab. Available at: https://www.vulnerability-lab.com/
  17. Tatarinova, Y., Sinelnikova, O. (2019). Extended Vulnerability Feature Extraction Based on Public Resources. Theoretical and Applied Cybersecurity, 1 (1). doi: https://doi.org/10.20535/tacs.2664-29132019.1.169085
  18. Google Trends. Available at: https://trends.google.com/trends
  19. Yuan, X. (2017). An improved Apriori algorithm for mining association rules. AIP Conference Proceedings. doi: https://doi.org/10.1063/1.4977361
  20. Tatarinova, Y., Sinelnikova, O. (2019). Automatic construction of a neuro-fuzzy vulnerability risk analysis model. 2019 IEEE 14th International Conference on Computer Sciences and Information Technologies (CSIT). doi: https://doi.org/10.1109/stc-csit.2019.8929770
  21. Rapid7. InsightVM. Nexpose. Available at: https://www.rapid7.com/products/insightvm/
  22. Tripwire IP360. Available at: https://www.tripwire.com/products/tripwire-ip360
  23. Tenable Lumin. Available at: https://www.tenable.com/products/tenable-lumin
  24. Qualys Vulnerability Management. Available at: https://www.qualys.com/apps/vulnerability-management/

Published

2021-12-29

How to Cite

Tatarinova, Y., & Sinelnikova, O. (2021). Constructing a model for the dynamic evaluation of vulnerability in software based on public sources. Eastern-European Journal of Enterprise Technologies, 6(2 (114)), 19–29. https://doi.org/10.15587/1729-4061.2021.248673