Constructing a model for the dynamic evaluation of vulnerability in software based on public sources
DOI: https://doi.org/10.15587/1729-4061.2021.248673
Keywords: risk management, information security, machine learning, vulnerability evaluation, risk scores
Abstract
One of the key processes in software development and information security management is the evaluation of vulnerability risk. Vulnerability analysis and evaluation is a resource-intensive process that requires highly qualified staff and a large amount of technical information. The main capabilities and drawbacks of existing systems for evaluating vulnerability risk in software were analyzed; a key drawback is that they do not account for the impact of trends and of a vulnerability's degree of popularity on the final evaluation.
During the study, the following information was analyzed in structured form: the Common Vulnerability Scoring System (CVSS) vector, the threat type, the attack vector, the availability of source code with patches, exploit programs, and trends. The result made it possible to determine the main independent characteristics, the presence of correlation between the parameters, and the order and scheme of the relationships between the basic quantities that affect the final evaluation of a vulnerability's impact on a system.
A dataset with formalized characteristics and expert evaluations was generated for the subsequent construction of a mathematical model. Various machine learning approaches and methods for building the target model of dynamic risk evaluation were analyzed: neuro-fuzzy logic, regression analysis algorithms, and neural network modeling.
A mathematical model for the dynamic evaluation of vulnerability risk in software was developed, based on the dynamics of the spread of information about a vulnerability in open sources and on a multidimensional model, with an accuracy of 88.9 %. Using the model makes it possible to reduce analysis time from several hours to several minutes, to make more effective decisions about the order of patch prioritization, to unify the actions of experts, and to reduce the cost of managing information security risks.
Copyright (c) 2021 Yuliia Tatarinova, Olga Sinelnikova
This work is licensed under a Creative Commons Attribution 4.0 International License.