Research article, ARES Conference Proceedings. DOI: 10.1145/3465481.3470039

A Recommender System for Tracking Vulnerabilities

Published: 17 August 2021

Abstract

Mitigating vulnerabilities in software requires first identifying the vulnerabilities within an organization’s software assets. This seemingly trivial task involves maintaining vendor product vulnerability notifications for a kludge of hardware and software packages from innumerable software publishers, coding projects, and third-party package managers. Software vulnerability databases, on the other hand, are often consistently reported and categorized in clean, standard formats and neatly tied to a common software product enumerator (i.e., CPE). Currently, matching an organization’s hardware and software package inventory to the target CPEs is a heavy workload for cybersecurity analysts. This hinders organizations from getting notifications for new vulnerabilities and from identifying applicable vulnerabilities. In this paper, we present a recommender system that automatically identifies a minimal candidate set of CPEs for software names to improve vulnerability identification and alerting accuracy. The recommender system uses a pipeline of natural language processing, fuzzy matching, and machine learning to significantly reduce the human effort needed for software product vulnerability matching.
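As an added illustration (not code from the paper), the sketch below shows the shape of such a pipeline in Python: an inventory software name is normalised, fuzzy-matched against the vendor and product tokens of CPE 2.3 names, and only candidates above a score threshold are returned as the candidate set. The CPE dictionary, noise words and thresholds are constructed assumptions, not the paper's data or parameters.

```python
"""Added example (not the paper's code): a small CPE candidate recommender.
Inventory name -> token normalisation -> fuzzy match against CPE vendor/product
tokens -> candidates above a threshold. Constructed sample data throughout."""
import re
from difflib import SequenceMatcher

# Constructed sample of CPE 2.3 names in the NVD's formatted-string layout.
CPE_DICTIONARY = [
    "cpe:2.3:a:apache:http_server:2.4.49:*:*:*:*:*:*:*",
    "cpe:2.3:a:apache:tomcat:9.0.50:*:*:*:*:*:*:*",
    "cpe:2.3:a:openssl:openssl:1.1.1k:*:*:*:*:*:*:*",
    "cpe:2.3:a:microsoft:office:2019:*:*:*:*:*:*:*",
    "cpe:2.3:o:microsoft:windows_10:1809:*:*:*:*:*:*:*",
]

# Corporate and architecture noise words that carry no product signal (assumed list).
NOISE = {"inc", "corp", "corporation", "ltd", "the", "x64", "x86", "bit"}


def normalize(name: str) -> set[str]:
    """Lower-case an inventory name and split it into tokens without noise words."""
    return {t for t in re.split(r"[^a-z0-9]+", name.lower()) if t and t not in NOISE}


def cpe_tokens(cpe: str) -> tuple[str, str, set[str]]:
    """Return (vendor, product, tokens) from a CPE 2.3 formatted string."""
    vendor, product = cpe.split(":")[3:5]
    return vendor, product, set(vendor.split("_")) | set(product.split("_"))


def coverage(query: set[str], target: set[str], cutoff: float = 0.8) -> float:
    """Fraction of target tokens that have a fuzzy match (ratio >= cutoff) in query.
    The fuzzy step tolerates inventory typos such as 'microsft' for 'microsoft'."""
    hits = sum(
        any(SequenceMatcher(None, q, t).ratio() >= cutoff for q in query) for t in target
    )
    return hits / len(target)


def recommend(name: str, threshold: float = 0.6) -> list[tuple[str, float]]:
    """Return vendor:product candidates scoring at least `threshold`, best first,
    collapsing the many versioned CPEs of one product into a single candidate."""
    query = normalize(name)
    best: dict[str, float] = {}
    for cpe in CPE_DICTIONARY:
        vendor, product, target = cpe_tokens(cpe)
        key = f"{vendor}:{product}"
        best[key] = max(best.get(key, 0.0), coverage(query, target))
    ranked = sorted(best.items(), key=lambda kv: (-kv[1], kv[0]))
    return [(k, round(s, 2)) for k, s in ranked if s >= threshold]
```

With the threshold at 0.6, a name such as "Apache HTTP Server 2.4.49 (x64)" yields only apache:http_server, while apache:tomcat (which shares just the vendor token) is dropped from the candidate set.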




Published In

ARES '21: Proceedings of the 16th International Conference on Availability, Reliability and Security
August 2021, 1447 pages
ISBN: 9781450390514
DOI: 10.1145/3465481

Publisher

Association for Computing Machinery, New York, NY, United States

Publication History

Published: 17 August 2021

Author Tags

  1. machine learning
  2. natural-language processing
  3. software vulnerability

Qualifiers

  • Research-article
  • Research
  • Refereed limited

Funding Sources

  • NSF

Conference

ARES 2021

Acceptance Rates

Overall Acceptance Rate 228 of 451 submissions, 51%

Cited By

  • (2024) SECAdvisor: A Tool for Cybersecurity Planning using Economic Models. Anais do XXIV Simpósio Brasileiro de Segurança da Informação e de Sistemas Computacionais (SBSeg 2024), 554-569. DOI: 10.5753/sbseg.2024.240810. Online publication date: 16-Sep-2024.
  • (2024) A Comprehensive Review and Assessment of Cybersecurity Vulnerability Detection Methodologies. Journal of Cybersecurity and Privacy 4(4), 853-908. DOI: 10.3390/jcp4040040. Online publication date: 7-Oct-2024.
  • (2024) Towards Automatically Matching Security Advisories to CPEs: String Similarity-based Vendor Matching. 2024 International Conference on Computing, Networking and Communications (ICNC), 233-238. DOI: 10.1109/ICNC59896.2024.10556231. Online publication date: 19-Feb-2024.
  • (2024) When ChatGPT Meets Vulnerability Management: The Good, the Bad, and the Ugly. 2024 International Conference on Computing, Networking and Communications (ICNC), 664-670. DOI: 10.1109/ICNC59896.2024.10555953. Online publication date: 19-Feb-2024.
  • (2024) Adaptive learning-based hybrid recommender system for deception in Internet of Thing. Computer Networks 255, 110853. DOI: 10.1016/j.comnet.2024.110853. Online publication date: Dec-2024.
  • (2024) Utilization of Deep Learning Models for Safe Human‐Friendly Computing in Cloud, Fog, and Mobile Edge Networks. In Applying Artificial Intelligence in Cybersecurity Analytics and Cyber Threat Detection, ch. 12, 221-248. DOI: 10.1002/9781394196470.ch12. Online publication date: 22-Mar-2024.
  • (2024) Enhancing Security in Cloud Computing Using Artificial Intelligence (AI). In Applying Artificial Intelligence in Cybersecurity Analytics and Cyber Threat Detection, ch. 11, 179-220. DOI: 10.1002/9781394196470.ch11. Online publication date: 22-Mar-2024.
  • (2023) CVSS Base Score Prediction Using an Optimized Machine Learning Scheme. 2023 Resilience Week (RWS), 1-6. DOI: 10.1109/RWS58133.2023.10284627. Online publication date: 27-Nov-2023.
  • (2023) AI-based Cyber Event OSINT via Twitter Data. 2023 International Conference on Computing, Networking and Communications (ICNC), 436-442. DOI: 10.1109/ICNC57223.2023.10074187. Online publication date: 20-Feb-2023.
  • (2023) Recommender Systems in Cybersecurity. Knowledge and Information Systems 65(12), 5523-5559. DOI: 10.1007/s10115-023-01906-6. Online publication date: 5-Jun-2023.
