Constructing a model for the dynamic evaluation of vulnerability in software based on public sources

Authors

DOI:

https://doi.org/10.15587/1729-4061.2021.248673

Keywords:

risk management, information security, machine learning, vulnerability evaluation, risk scores

Abstract

One of the key processes in software development and information security management is the evaluation of vulnerability risks. Analysis and evaluation of vulnerabilities are considered a resource-intensive process that requires high qualifications and a lot of technical information. The main opportunities and drawbacks of existing systems for evaluation of vulnerability risks in software, which include the lack of consideration of the impact of trends and the degree of popularity of vulnerability on the final evaluation, were analyzed.

During the study, the following information was analyzed in the structured form: the vector of the general system of vulnerability evaluation, the threat type, the attack vector, the existence of the original code with patches, exploitation programs, and trends. The obtained result made it possible to determine the main independent characteristics, the existence of a correlation between the parameters, the order, and schemes of the relationships between the basic magnitudes that affect the final value of evaluation of vulnerability impact on a system.

A dataset with formalized characteristics, as well as expert evaluation for further construction of a mathematical model, was generated. Analysis of various approaches and methods for machine learning for construction of a target model of dynamic risk evaluation was carried out: neuro-fuzzy logic, regression analysis algorithms, neuro-network modeling.

A mathematical model of dynamic evaluation of vulnerability risk in software, based on the dynamics of spreading information about a vulnerability in open sources and a multidimensional model with an accuracy of 88.9 %, was developed. Using the obtained model makes it possible to reduce the analysis time from several hours to several minutes and to make a more effective decision regarding the establishment of the order of patch prioritization, to unify the actions of experts, to reduce the cost of managing information security risks

Author Biographies

Yuliia Tatarinova, Samsung Research and Development Institute Ukraine (SRK)

Lead Engineer

Olga Sinelnikova, Taras Shevchenko National University of Kyiv; Samsung Research and Development Institute Ukraine (SRK)

PhD, Associate Professor

Department of Algebra and Computer Mathematics

Senior Engineer, Head of Laboratory

Laboratory of “DTV Security”

References

  1. Microsoft Security Development Lifecycle. Microsoft Inc. Available at: https://www.microsoft.com/en-us/securityengineering/sdl
  2. Common Vulnerability Scoring System SIG. First.org, Inc. Available at: https://www.first.org/cvss/
  3. Common Vulnerabilities and Exposures (CVE). Mitre.org, Inc. Available at: https://cve.mitre.org/
  4. Wu, C., Wen, T., Zhang, Y. (2019). A revised CVSS-based system to improve the dispersion of vulnerability risk scores. Science China Information Sciences, 62 (3). doi: https://doi.org/10.1007/s11432-017-9445-4
  5. Shlens, J. (2014). A tutorial on principal component analysis. arXiv.org. Available at: https://arxiv.org/pdf/1404.1100.pdf
  6. Keramati, M. (2016). New Vulnerability Scoring System for dynamic security evaluation. 2016 8th International Symposium on Telecommunications (IST). doi: https://doi.org/10.1109/istel.2016.7881922
  7. Zhang, F., Huff, P., McClanahan, K., Li, Q. (2020). A Machine Learning-based Approach for Automated Vulnerability Remediation Analysis. 2020 IEEE Conference on Communications and Network Security (CNS). doi: https://doi.org/10.1109/cns48642.2020.9162309
  8. Jacobs, J., Romanosky, S., Edwards, B., Adjerid, I., Roytman, M. (2021). Exploit Prediction Scoring System (EPSS). Digital Threats: Research and Practice, 2 (3), 1–17. doi: https://doi.org/10.1145/3436242
  9. Official Common Platform Enumeration (CPE) Dictionary. NIST. Available at: https://nvd.nist.gov/products/cpe
  10. National Vulnerability Database. NIST. Available at: https://nvd.nist.gov/
  11. Edkrantz, M., Said, A. (2015). Predicting Cyber Vulnerability Exploits with Machine Learning. Thirteenth Scandinavian Conference on Artificial Intelligence, 48–57. doi: https://doi.org/10.3233/978-1-61499-589-0-48
  12. Aksu, M. U., Bicakci, K., Dilek, M. H., Ozbayoglu, A. M., Tatli, E. ıslam. (2018). Automated Generation of Attack Graphs Using NVD. Proceedings of the Eighth ACM Conference on Data and Application Security and Privacy. doi: https://doi.org/10.1145/3176258.3176339
  13. He, W., Li, H., Li, J. (2019). Unknown Vulnerability Risk Assessment Based on Directed Graph Models: A Survey. IEEE Access, 7, 168201–168225. doi: https://doi.org/10.1109/access.2019.2954092
  14. Petraityte, M., Dehghantanha, A., Epiphaniou, G. (2018). A Model for Android and iOS Applications Risk Calculation: CVSS Analysis and Enhancement Using Case-Control Studies. Cyber Threat Intelligence, 219–237. doi: https://doi.org/10.1007/978-3-319-73951-9_11
  15. Exploit database. Available at: https://www.exploitdb.com/
  16. Vulnerability Lab. Vulnerability Research, Bug Bounties & Vulnerability Assessments. Vulnerability Lab. Available at: https://www.vulnerability-lab.com/
  17. Tatarinova, Y., Sinelnikova, O. (2019). Extended Vulnerability Feature Extraction Based on Public Resources. Theoretical and Applied Cybersecurity, 1 (1). doi: https://doi.org/10.20535/tacs.2664-29132019.1.169085
  18. Google Trends. Available at: https://trends.google.com/trends
  19. Yuan, X. (2017). An improved Apriori algorithm for mining association rules. AIP Conference Proceedings. doi: https://doi.org/10.1063/1.4977361
  20. Tatarinova, Y., Sinelnikova, O. (2019). Automatic construction of a neuro-fuzzy vulnerability risk analysis model. 2019 IEEE 14th International Conference on Computer Sciences and Information Technologies (CSIT). doi: https://doi.org/10.1109/stc-csit.2019.8929770
  21. Rapid7. InsightVM. Nexpose. Available at: https://www.rapid7.com/products/insightvm/
  22. Tripwire IP360. Available at: https://www.tripwire.com/products/tripwire-ip360
  23. Tenable Lumin. Available at: https://www.tenable.com/products/tenable-lumin
  24. Qualys Vulnerability Management. Available at: https://www.qualys.com/apps/vulnerability-management/

Downloads

Published

2021-12-29

How to Cite

Tatarinova, Y., & Sinelnikova, O. (2021). Constructing a model for the dynamic evaluation of vulnerability in software based on public sources. Eastern-European Journal of Enterprise Technologies, 6(2 (114), 19–29. https://doi.org/10.15587/1729-4061.2021.248673

Issue

Vol. 6 No. 2 (114) (2021): Information technology. Industry control systems

Section

Information technology

License

Copyright (c) 2021 Yuliia Tatarinova, Olga Sinelnikova

Creative Commons License

This work is licensed under a Creative Commons Attribution 4.0 International License.

The consolidation and conditions for the transfer of copyright (identification of authorship) is carried out in the License Agreement. In particular, the authors reserve the right to the authorship of their manuscript and transfer the first publication of this work to the journal under the terms of the Creative Commons CC BY license. At the same time, they have the right to conclude on their own additional agreements concerning the non-exclusive distribution of the work in the form in which it was published by this journal, but provided that the link to the first publication of the article in this journal is preserved.

A license agreement is a document in which the author warrants that he/she owns all copyright for the work (manuscript, article, etc.).
The authors, signing the License Agreement with TECHNOLOGY CENTER PC, have all rights to the further use of their work, provided that they link to our edition in which the work was published.
According to the terms of the License Agreement, the Publisher TECHNOLOGY CENTER PC does not take away your copyrights and receives permission from the authors to use and dissemination of the publication through the world's scientific resources (own electronic resources, scientometric databases, repositories, libraries, etc.).
In the absence of a signed License Agreement or in the absence of this agreement of identifiers allowing to identify the identity of the author, the editors have no right to work with the manuscript.
It is important to remember that there is another type of agreement between authors and publishers – when copyright is transferred from the authors to the publisher. In this case, the authors lose ownership of their work and may not use it in any way.