Abstract
Software vulnerabilities constitute a critical threat for cybersecurity analysts in contemporary society, since a successfully exploited vulnerability can harm any system in terms of Confidentiality, Integrity and Availability. Similarly, the characterization of vulnerabilities and the assessment of vulnerability risk is a crucial task for cybersecurity managers with regard to resource management. However, the proliferation of software vulnerabilities causes problems related to the response time of security experts. For this reason, a methodology based on RAndom k-labELsets (RAkEL) is proposed in this paper in order to estimate software vulnerability characteristics and score from the technical description of the vulnerability. The proposed methodology aims to (a) improve an existing multi-target methodology and (b) be integrated into a Cyber Threat Intelligence (CTI) information sharing system. The results, on a dataset containing more than 130000 vulnerabilities, clearly proved that the proposed methodology improves the existing methodology regarding the estimation of vulnerability characteristics and score.
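As an added example (not the paper's own code), the RAkEL scheme the abstract describes, in pure Python over a few constructed vulnerability descriptions: m random k-labelsets are drawn from five CVSS-like binary characteristics, a label-powerset naive Bayes classifier (an assumed stand-in for the paper's base learner) is trained on each, and the per-label votes are averaged and thresholded. The label names, training records and parameter values are assumptions for illustration; estimation of the numeric score is not shown.

```python
import math, random, re
from collections import Counter, defaultdict
from itertools import combinations
# Constructed CVSS-like targets: AV_N network vector, AC_L low complexity, C/I/A impacts.
LABELS = ["AV_N", "AC_L", "C", "I", "A"]
# Constructed training descriptions with label vectors (not real NVD records).
TRAIN = [
    ("remote attackers can execute arbitrary code via a crafted http request", (1, 1, 1, 1, 1)),
    ("remote attackers can cause a denial of service crash via a malformed packet", (1, 1, 0, 0, 1)),
    ("local users can read sensitive files via a symlink attack", (0, 1, 1, 0, 0)),
    ("remote attackers can read sensitive information via a crafted url", (1, 1, 1, 0, 0)),
    ("local users can gain privileges via a race condition in the kernel", (0, 0, 1, 1, 1)),
    ("remote authenticated attackers can modify data via sql injection in the login form", (1, 1, 1, 1, 0)),
    ("local users can cause a denial of service crash via a crafted file", (0, 1, 0, 0, 1)),
    ("remote attackers can bypass authentication via a timing race condition", (1, 0, 1, 1, 0)),
]

def tokens(text):
    return re.findall(r"[a-z]+", text.lower())

def lp_train(docs, classes):
    """Label-powerset base learner: multinomial naive Bayes over label tuples."""
    vocab = {w for d in docs for w in d}
    counts = defaultdict(Counter)
    for d, c in zip(docs, classes):
        counts[c].update(d)
    return vocab, Counter(classes), counts, len(docs)

def lp_predict(model, doc):
    vocab, prior, counts, n = model
    def logp(c):  # log prior + Laplace-smoothed log likelihood of the tokens
        total = sum(counts[c].values())
        return math.log(prior[c] / n) + sum(math.log((counts[c][w] + 1) / (total + len(vocab))) for w in doc)
    return max(prior, key=logp)

def rakel_fit(train, k=3, m=6, seed=7):
    """Draw m distinct random k-labelsets and train one powerset model on each."""
    rng = random.Random(seed)
    labelsets = rng.sample(list(combinations(range(len(LABELS)), k)), m)
    docs = [tokens(t) for t, _ in train]
    return [(ls, lp_train(docs, [tuple(y[j] for j in ls) for _, y in train])) for ls in labelsets]

def rakel_predict(ensemble, text, threshold=0.5):
    """Each model votes on its labels; a label is set when its mean vote exceeds the threshold."""
    votes, seen, doc = [0] * len(LABELS), [0] * len(LABELS), tokens(text)
    for ls, model in ensemble:
        for j, v in zip(ls, lp_predict(model, doc)):
            votes[j], seen[j] = votes[j] + v, seen[j] + 1
    # A label that no sampled labelset covers receives no votes and stays 0.
    return [int(seen[j] and votes[j] / seen[j] > threshold) for j in range(len(LABELS))]
```

Calling `rakel_predict(rakel_fit(TRAIN), description)` returns the estimated characteristic vector in `LABELS` order; with k smaller than the label count, check that every label is covered by at least one sampled labelset, otherwise it silently defaults to 0.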
Notes
European network of Cybersecurity centres and competence Hub for innovation and Operations
Acknowledgments
This work is partially funded by the European Union's Horizon 2020 Research and Innovation Programme through the ECHO (https://echonetwork.eu/) project under Grant Agreement No. 830943. This paper reflects only the authors' views. The European Union is not liable for any use that may be made of the information contained therein.
Cite this article
Aivatoglou, G., Anastasiadis, M., Spanos, G. et al. A RAkEL-based methodology to estimate software vulnerability characteristics & score - an application to EU project ECHO. Multimed Tools Appl 81, 9459–9479 (2022). https://doi.org/10.1007/s11042-021-11073-x