
A Vulnerability Risk Assessment Methodology Using Active Learning

Conference paper, Advanced Information Networking and Applications (AINA 2023)

Abstract

Inadequate information security practices, such as relying on a single metric in Vulnerability Management (VM), can cause analysts to underestimate the likelihood and impact of vulnerability exploitation. Ideally, vulnerability, threat intelligence, and context information should all be used in this task. Nonetheless, the lack of specialized tools makes this activity impractical, since analysts have to manually correlate data from various security sources to identify the most critical vulnerabilities among thousands of organizational assets. Although Machine Learning (ML) can assist in this process, its application has been little explored in the literature. Thus, we present a methodology based on Active Learning (AL) to create a supervised model capable of emulating the experience of experts in the Risk Assessment (RA) of vulnerabilities. Our experiments indicated that the proposed solution performed similarly to the analysts and achieved an average accuracy of 88% for critical vulnerabilities.
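The abstract describes the core idea only in one sentence: a model is trained from expert labels that are requested one vulnerability at a time, so the analyst labels only the items the model is least sure about. The following is an added example of that pool-based active-learning loop; it is not the authors' code, and the paper's real feature set, query strategy and classifier are not on this page. Everything below is an assumption made for illustration: the features (CVSS base score, public exploit availability, asset criticality, internet exposure), a rule-based stand-in for the human analyst (`expert_label`), a small logistic-regression learner trained by gradient descent, and uncertainty sampling as the query strategy. All vulnerability records are synthetic.

```python
import math
import random

# Feature vector per vulnerability: [bias, CVSS/10, exploit public, asset critical,
# internet exposed]. This feature set is an assumption for the example, not the paper's.


def make_pool(n, seed):
    """Build a pool of constructed vulnerability records (synthetic ids, not CVEs)."""
    rng = random.Random(seed)
    pool = []
    for i in range(n):
        pool.append({
            "id": f"VULN-{seed}-{i:03d}",          # synthetic identifier
            "cvss": round(rng.uniform(2.0, 10.0), 1),
            "exploit_public": rng.random() < 0.3,
            "asset_critical": rng.random() < 0.4,
            "internet_exposed": rng.random() < 0.35,
        })
    return pool


def expert_label(v):
    """Stand-in for the analyst (a constructed rule, not the paper's experts).

    Returns 1 ("critical") when severity plus threat-intelligence and context
    signals push the vulnerability over a fixed threshold, else 0.
    """
    score = (v["cvss"] + 2.5 * v["exploit_public"] + 2.0 * v["asset_critical"]
             + 1.5 * v["internet_exposed"])
    return 1 if score >= 10.0 else 0


def featurize(v):
    return [1.0, v["cvss"] / 10.0, float(v["exploit_public"]),
            float(v["asset_critical"]), float(v["internet_exposed"])]


def predict_proba(w, x):
    """Logistic model: P(critical | x)."""
    z = sum(wi * xi for wi, xi in zip(w, x))
    z = max(-500.0, min(500.0, z))  # guard math.exp against overflow
    return 1.0 / (1.0 + math.exp(-z))


def train(samples, epochs=300, lr=0.5):
    """Logistic regression by plain stochastic gradient descent, from scratch."""
    w = [0.0] * len(samples[0][0])
    for _ in range(epochs):
        for x, y in samples:
            err = predict_proba(w, x) - y        # gradient of log-loss is (p - y) * x
            for j in range(len(w)):
                w[j] -= lr * err * x[j]
    return w


def select_query(w, xs, unlabeled):
    """Uncertainty sampling: the unlabeled item whose probability is closest to 0.5."""
    return min(unlabeled, key=lambda i: abs(predict_proba(w, xs[i]) - 0.5))


def active_learning(pool, budget, seed_size=4, strategy="uncertainty", seed=1):
    """Query the expert for at most `budget` labels; return the model and queried ids."""
    rng = random.Random(seed)
    xs = [featurize(v) for v in pool]
    unlabeled = list(range(len(pool)))
    rng.shuffle(unlabeled)
    labeled = [unlabeled.pop() for _ in range(seed_size)]   # small random seed set
    w = train([(xs[i], expert_label(pool[i])) for i in labeled])
    while len(labeled) < budget and unlabeled:
        pick = select_query(w, xs, unlabeled) if strategy == "uncertainty" else rng.choice(unlabeled)
        unlabeled.remove(pick)
        labeled.append(pick)              # the expert labels only the queried item
        w = train([(xs[i], expert_label(pool[i])) for i in labeled])
    return w, [pool[i]["id"] for i in labeled]


def accuracy(w, pool):
    """Agreement between the model and the expert rule on a held-out pool."""
    hits = sum(int(predict_proba(w, featurize(v)) >= 0.5) == expert_label(v) for v in pool)
    return hits / len(pool)


if __name__ == "__main__":
    train_pool, test_pool = make_pool(200, seed=7), make_pool(100, seed=8)
    for strategy in ("uncertainty", "random"):
        w, asked = active_learning(train_pool, budget=30, strategy=strategy)
        print(f"{strategy:12s} labels={len(asked):3d} held-out accuracy={accuracy(w, test_pool):.2f}")
```

Running the script trains two models with the same labeling budget of 30 expert answers, one choosing queries by uncertainty and one at random, and reports how closely each reproduces the expert rule on an unseen pool. The practical point for a VM team is the budget line: the analyst's time is the scarce resource, and the query strategy decides which thirty tickets are worth their attention.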



Acknowledgment

The authors would like to thank CAPES for the financial support and the National Center of High Performance Processing (CENAPAD-UFC) of the Federal University of Ceará for the availability of the computational resources used in the experiments.

Corresponding author

Correspondence to Francisco R. P. da Ponte.


Copyright information

© 2023 The Author(s), under exclusive license to Springer Nature Switzerland AG

About this paper


Cite this paper

da Ponte, F.R.P., Rodrigues, E.B., Mattos, C.L.C. (2023). A Vulnerability Risk Assessment Methodology Using Active Learning. In: Barolli, L. (eds) Advanced Information Networking and Applications. AINA 2023. Lecture Notes in Networks and Systems, vol 654. Springer, Cham. https://doi.org/10.1007/978-3-031-28451-9_15
