research-article

Fighting N-day vulnerabilities with automated CVSS vector prediction at disclosure

Authors:

Clément Elbaz,

Christine MorinAuthors Info & Claims

ARES '20: Proceedings of the 15th International Conference on Availability, Reliability and Security

Article No.: 26, Pages 1 - 10

https://doi.org/10.1145/3407023.3407038

Published: 25 August 2020 Publication History

Abstract

The Common Vulnerability Scoring System (CVSS) is the industry standard for describing the characteristics of a software vulnerability and measuring its severity. However, during the first days after a vulnerability disclosure, the initial human readable description of the vulnerability is not available as a machine readable CVSS vector yet. This situation creates a period of time when only expensive manual analysis can be used to react to new vulnerabilities because no data is available for cheaper automated analysis yet. We present a new technique based on linear regression to automatically predict the CVSS vector of newly disclosed vulnerabilities using only their human readable descriptions, with a strong emphasis on decision explicability. Our experimental results suggest real world applicability.

References

[1]

2020-08-04. A Complete Guide to the Common Vulnerability Scoring System: Version 2.0. https://www.first.org/cvss/v2/guide.

[2]

2020-08-04. AWS WAF - Web Application Firewall. https://aws.amazon.com/waf/.

[3]

2020-08-04. Cloudflare - Inside Shellshock: How hackers are using it to exploit systems. https://blog.cloudflare.com/inside-shellshock/.

[4]

2020-08-04. Cloudflare - Stopping SharePoint's CVE-2019-0604. https://blog.cloudflare.com/stopping-cve-2019-0604/.

[5]

2020-08-04. Cloudflare Web Application Firewall. https://www.cloudflare.com/waf/.

[6]

2020-08-04. Common Vulnerabilities and Exposures (CVE). https://cve.mitre.org/.

[7]

2020-08-04. Common Vulnerability Scoring System. https://www.first.org/cvss/.

[8]

2020-08-04. Common Vulnerability Scoring System v3.0: Specification Document. https://www.first.org/cvss/v3.0/specification-document.

[9]

2020-08-04. Common Vulnerability Scoring System v3.1: Specification Document. https://www.first.org/cvss/v3.1/specification-document.

[10]

2020-08-04. CVE and NVD Relationship. https://cve.mitre.org/about/cve_and_nvd_relationship.html.

[11]

2020-08-04. CWE - Common Weakness Enumeration. https://cwe.mitre.org/.

[12]

2020-08-04. Google Cloud Armor. https://cloud.google.com/armor/.

[13]

2020-08-04. National Vulnerability Database. https://nvd.nist.gov/.

[14]

2020-08-04. NVD - CPE. https://nvd.nist.gov/products/cpe.

[15]

2020-08-04. Security Content Automation Protocol. https://csrc.nist.gov/projects/security-content-automation-protocol.

[16]

2020-23-06. Firres. https://gitlab.inria.fr/celbaz/firres_ares.

[17]

Leyla Bilge and Tudor Dumitraş. 2012. Before We Knew It: An Empirical Study of Zero-day Attacks in the Real World. In Proceedings of the 2012 ACM Conference on Computer and Communications Security (CCS' 12).

Digital Library

[18]

Sandy Clark, Stefan Frei, Matt Blaze, and Jonathan Smith. 2010. Familiarity Breeds Contempt: The Honeymoon Effect and the Role of Legacy Code in Zero-day Vulnerabilities. In Proceedings of the 26th Annual Computer Security Applications Conference (ACSAC '10).

Digital Library

[19]

Stefan Frei, Martin May, Ulrich Fiedler, and Bernhard Plattner. 2006. Large-scale Vulnerability Analysis. In Proceedings of the 2006 SIGCOMM Workshop on Large-scale Attack Defense (LSAD '06).

Digital Library

[20]

Leonid Glanz, Sebastian Schmidt, Sebastian Wollny, and Ben Hermann. 2015. A Vulnerability's Lifetime: Enhancing Version Information in CVE Databases. In Proceedings of the 15th International Conference on Knowledge Technologies and Data-driven Business (i-KNOW '15).

Digital Library

[21]

Paul W. Holland and Roy E. Welsch. 1977. Robust regression using iteratively reweighted least-squares. Communications in Statistics - Theory and Methods 6, 9 (1977).

[22]

Piotr Indyk and Rajeev Motwani. 1998. Approximate Nearest Neighbors: Towards Removing the Curse of Dimensionality. In Proceedings of the Thirtieth Annual ACM Symposium on Theory of Computing.

Digital Library

[23]

Jay Jacobs, Sasha Romanosky, Benjamin Edwards, Michael Roytman, and Idris Adjerid. 2019. Exploit Prediction Scoring System (EPSS). In Black Hat 2019. http://i.blackhat.com/USA-19/Thursday/us-19-Roytman-Predictive-Vulnerability-Scoring-System-wp.pdf

[24]

Karen Spärck Jones. 1972. A statistical interpretation of term specificity and its application in retrieval. Journal of Documentation 28 (1972).

[25]

Atefeh Khazaei, Mohammad Ghasemzadeh, and Vali Derhami. 2016. An automatic method for CVSS score prediction using vulnerabilities description. Journal of Intelligent & Fuzzy Systems 30, 1 (2016).

[26]

Ciyou Zhu, Richard H. Byrd, Peihuang Lu, and Jorge Nocedal. 1997. Algorithm 778: L-BFGS-B: Fortran Subroutines for Large-Scale Bound-Constrained Optimization. ACM Trans. Math. Softw. 23, 4 (1997).

Digital Library

Cited By

Coutinho LMenasche DMiranda LLovat EKumar SRamchandran AKocheturov ALimmer T(2024)How Context Impacts Vulnerability Severity: An Analysis of Product-Specific CVSS ScoresProceedings of the 13th Latin-American Symposium on Dependable and Secure Computing10.1145/3697090.3697109(17-27)Online publication date: 26-Nov-2024
https://dl.acm.org/doi/10.1145/3697090.3697109
Ruan BLiu JZhao WLiang ZFilkov VRay BZhou M(2024)VulZoo: A Comprehensive Vulnerability Intelligence DatasetProceedings of the 39th IEEE/ACM International Conference on Automated Software Engineering10.1145/3691620.3695345(2334-2337)Online publication date: 27-Oct-2024
https://dl.acm.org/doi/10.1145/3691620.3695345
Le TAli Babar M(2024)Mitigating Data Imbalance for Software Vulnerability Assessment: Does Data Augmentation Help?Proceedings of the 18th ACM/IEEE International Symposium on Empirical Software Engineering and Measurement10.1145/3674805.3686674(119-130)Online publication date: 24-Oct-2024
https://dl.acm.org/doi/10.1145/3674805.3686674
Show More Cited By

Recommendations

CVSS: Ubiquitous and Broken
The Common Vulnerability Scoring System is at the core of vulnerability management for systems of private corporations to highly classified government networks, allowing organizations to prioritize remediation in descending order of risk. With a lack of ...
Automated Generation of Attack Graphs Using NVD
CODASPY '18: Proceedings of the Eighth ACM Conference on Data and Application Security and Privacy

Today's computer networks are prone to sophisticated multi-step, multi-host attacks. Common approaches of identifying vulnerabilities and analyzing the security of such networks with naive methods such as counting the number of vulnerabilities, or ...
CVSS Attack Graphs
SITIS '11: Proceedings of the 2011 Seventh International Conference on Signal Image Technology & Internet-Based Systems

Attack models and attack graphs are efficient tools to describe and analyse attack scenarios aimed at computer networks. More precisely, attack graphs give all possible scenarios for an attacker to reach a certain goal, exploiting vulnerabilities of the ...

Comments

Information & Contributors

Information

Published In

cover image ACM Other conferences

ARES '20: Proceedings of the 15th International Conference on Availability, Reliability and Security

August 2020

1073 pages

ISBN:9781450388337

DOI:10.1145/3407023

Program Chairs:
Melanie Volkamer
Karlsruhe Institute of Technologie (KIT), Competence Center for Applied Security Technology (KASTEL)
,
Christian Wressnegger
Karlsruhe Institute of Technologie (KIT), Competence Center for Applied Security Technology (KASTEL)

Copyright © 2020 ACM.

© 2020 Association for Computing Machinery. ACM acknowledges that this contribution was authored or co-authored by an employee, contractor or affiliate of a national government. As such, the Government retains a nonexclusive, royalty-free right to publish or reproduce this article, or to allow others to do so, for Government purposes only.

Publisher

Association for Computing Machinery

New York, NY, United States

Publication History

Published: 25 August 2020

Permissions

Request permissions for this article.

Request Permissions

Check for updates

Author Tags

Qualifiers

Research-article

Funding Sources

Brittany Council

Conference

ARES 2020

ARES 2020: The 15th International Conference on Availability, Reliability and Security

August 25 - 28, 2020

Virtual Event, Ireland

Acceptance Rates

Overall Acceptance Rate 228 of 451 submissions, 51%

Contributors

Other Metrics

View Article Metrics

Bibliometrics & Citations

Bibliometrics

Article Metrics

36
Total Citations
View Citations
413
Total Downloads

Downloads (Last 12 months)87
Downloads (Last 6 weeks)7

Reflects downloads up to 21 Jan 2025

Other Metrics

View Author Metrics

Citations

Cited By

Coutinho LMenasche DMiranda LLovat EKumar SRamchandran AKocheturov ALimmer T(2024)How Context Impacts Vulnerability Severity: An Analysis of Product-Specific CVSS ScoresProceedings of the 13th Latin-American Symposium on Dependable and Secure Computing10.1145/3697090.3697109(17-27)Online publication date: 26-Nov-2024
https://dl.acm.org/doi/10.1145/3697090.3697109
Ruan BLiu JZhao WLiang ZFilkov VRay BZhou M(2024)VulZoo: A Comprehensive Vulnerability Intelligence DatasetProceedings of the 39th IEEE/ACM International Conference on Automated Software Engineering10.1145/3691620.3695345(2334-2337)Online publication date: 27-Oct-2024
https://dl.acm.org/doi/10.1145/3691620.3695345
Le TAli Babar M(2024)Mitigating Data Imbalance for Software Vulnerability Assessment: Does Data Augmentation Help?Proceedings of the 18th ACM/IEEE International Symposium on Empirical Software Engineering and Measurement10.1145/3674805.3686674(119-130)Online publication date: 24-Oct-2024
https://dl.acm.org/doi/10.1145/3674805.3686674
Iannone ESellitto GIaccarino EFerrucci FDe Lucia APalomba F(2024)Early and Realistic Exploitability Prediction of Just-Disclosed Software Vulnerabilities: How Reliable Can It Be?ACM Transactions on Software Engineering and Methodology10.1145/365444333:6(1-41)Online publication date: 27-Jun-2024
https://dl.acm.org/doi/10.1145/3654443
Freitas TNovo CSoares JDutra ICorreia MShariati BMartins R(2024)HAL 9000: a Risk Manager for ITSs2024 IEEE 6th International Conference on Trust, Privacy and Security in Intelligent Systems, and Applications (TPS-ISA)10.1109/TPS-ISA62245.2024.00044(322-331)Online publication date: 28-Oct-2024
https://doi.org/10.1109/TPS-ISA62245.2024.00044
Mirtaheri SPugliese AMovahedkor NMajd A(2024)Advanced Automated Vulnerability Scoring: Improving Performance with a Fine-Tuned BERT-CNN Model2024 11th International Symposium on Telecommunications (IST)10.1109/IST64061.2024.10843410(109-113)Online publication date: 9-Oct-2024
https://doi.org/10.1109/IST64061.2024.10843410
Isogai SOgata SKashiwa YYazawa SOkano KOkubo TWashizaki H(2024)Toward Extracting Learning Pattern: A Comparative Study of GPT-4o-mini and BERT Models in Predicting CVSS Base Vectors2024 IEEE 35th International Symposium on Software Reliability Engineering Workshops (ISSREW)10.1109/ISSREW63542.2024.00067(127-134)Online publication date: 28-Oct-2024
https://doi.org/10.1109/ISSREW63542.2024.00067
Mirtaheri SPugliese A(2024)Leveraging Generative AI to Enhance Automated Vulnerability Scoring2024 IEEE Conference on Dependable, Autonomic and Secure Computing (DASC)10.1109/DASC64200.2024.00014(57-64)Online publication date: 5-Nov-2024
https://doi.org/10.1109/DASC64200.2024.00014
Bicudo MPereira CMiranda LSenos LBanjar CMenasché DSrivastava GLovat EKocheturov AMartins MDe Aguiar L(2024)A Statistical Approach to Severity Aware Vulnerability Prioritization2024 IEEE 13th International Conference on Cloud Networking (CloudNet)10.1109/CloudNet62863.2024.10815757(1-6)Online publication date: 27-Nov-2024
https://doi.org/10.1109/CloudNet62863.2024.10815757
Miranda LSenos LMenasché DSrivastava GKocheturov ARamchandran ALovat ELimmer T(2024)Learning CNA-Oriented CVSS Scores2024 IEEE 13th International Conference on Cloud Networking (CloudNet)10.1109/CloudNet62863.2024.10815736(1-5)Online publication date: 27-Nov-2024
https://doi.org/10.1109/CloudNet62863.2024.10815736
Show More Cited By

View Options

Login options

Check if you have access through your login credentials or your institution to get full access on this article.

Full Access

Get this Publication

View options

PDF

View or Download as a PDF file.

eReader

View online with eReader.

Media

Figures

Other

Tables

View Table of Contents