Towards Automating the Assessment of Software Vulnerability Risk

Huff, Philip Dale and Li, Qinghua (2020) Towards Automating the Assessment of Software Vulnerability Risk. EAI Endorsed Transactions on Security and Safety, 8 (27). e3. ISSN 2032-9393

Available under License Creative Commons Attribution No Derivatives.


Remediating known software vulnerabilities is one of the most pressing operational challenges for personnel tasked with maintaining a secure system, mainly because of the large number of vulnerabilities that must be analyzed and mitigated. For computing environments such as data centers, Internet-of-Things infrastructure, and industrial control systems, vulnerability mitigation comes at an even higher cost because of the constant testing, coordination, and configuration changes required. We address this problem by identifying a minimal set (i.e., as few as 4%) of the total applicable vulnerabilities with high risk, on which security personnel can concentrate their mitigation effort. To do so, we introduce a scheme that contextualizes vulnerability risk by calculating an adversary's capability to exploit a vulnerability on a target device. We use a machine learning and natural language processing pipeline to process online vulnerability descriptions and extract network service features, which are then correlated with the system’s network firewall policies. The pipeline then allows automated model checking to assess whether a given vulnerability, adversary, and target device produce an unsafe state.
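The following is an added illustration of the contextualization idea described in the abstract; it is not the paper's pipeline or code. Where the paper uses a learned ML/NLP extractor, this example uses a small regular-expression lexicon to pull network service features (protocol and port) out of constructed, hypothetical vulnerability descriptions, correlates them with a constructed default-deny firewall policy for one target device, and flags as "unsafe" only those vulnerabilities whose service an adversary in a given network zone can actually reach. The vulnerability IDs, descriptions, firewall rules and zone names are all assumptions made for the example.

```python
import re

# Constructed sample vulnerability descriptions (hypothetical, not real CVE text).
DESCRIPTIONS = {
    "VULN-A": "Remote attackers can execute arbitrary code via crafted packets "
              "sent to the SSH service on TCP port 22.",
    "VULN-B": "A local user can escalate privileges through a race condition in "
              "a setuid helper binary.",
    "VULN-C": "Unauthenticated attackers can bypass login on the web management "
              "interface over HTTPS (TCP port 443).",
    "VULN-D": "Attackers on the adjacent network can cause a denial of service "
              "with malformed SNMP requests on UDP port 161.",
}

# Small service-name lexicon standing in for a learned NLP extractor (assumption).
SERVICE_PORTS = {
    "ssh": ("tcp", 22), "http": ("tcp", 80), "https": ("tcp", 443),
    "snmp": ("udp", 161), "rdp": ("tcp", 3389),
}
PORT_RE = re.compile(r"\b(tcp|udp)\s+port\s+(\d{1,5})\b", re.IGNORECASE)
SERVICE_RE = re.compile(r"\b(" + "|".join(SERVICE_PORTS) + r")\b", re.IGNORECASE)

# Constructed firewall policy for one target device: (source zone, proto, port).
# Anything not listed is denied (default-deny).
FIREWALL_ALLOW = {
    ("internet", "tcp", 443),
    ("lan", "tcp", 22),
    ("lan", "tcp", 443),
    ("lan", "udp", 161),
}


def extract_services(text):
    """Return the set of (proto, port) network services named in a description."""
    services = {(proto.lower(), int(port)) for proto, port in PORT_RE.findall(text)}
    services |= {SERVICE_PORTS[name.lower()] for name in SERVICE_RE.findall(text)}
    return services


def reachable(zone, services, allow=FIREWALL_ALLOW):
    """True if an adversary in `zone` can reach at least one of the services."""
    return any((zone, proto, port) in allow for proto, port in services)


def assess(descriptions, zone, allow=FIREWALL_ALLOW):
    """Map each vulnerability id to an 'unsafe' flag for the given adversary zone.

    A description with no network service feature is treated as not
    network-reachable here; a real deployment would still track such
    (e.g. local privilege escalation) findings through another path.
    """
    result = {}
    for vid, text in descriptions.items():
        services = extract_services(text)
        result[vid] = bool(services) and reachable(zone, services, allow)
    return result


def prioritize(descriptions, zone, allow=FIREWALL_ALLOW):
    """Vulnerability ids to concentrate mitigation effort on, in input order."""
    return [vid for vid, unsafe in assess(descriptions, zone, allow).items() if unsafe]


if __name__ == "__main__":
    for zone in ("internet", "lan"):
        print(zone, prioritize(DESCRIPTIONS, zone))
```

With the constructed policy, an Internet-based adversary only reaches the HTTPS management interface, so just VULN-C is prioritized for that threat model, while an adversary on the LAN also reaches SSH and SNMP. The example shows why the same vulnerability list yields different minimal sets once the firewall context is taken into account.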

Item Type: Article
Uncontrolled Keywords: security, vulnerability, risk, artificial intelligence
Subjects: Q Science > QA Mathematics > QA75 Electronic computers. Computer science; T Technology > T Technology (General)
Depositing User: EAI Editor IV
Date Deposited: 09 Jul 2021 08:32
Last Modified: 09 Jul 2021 08:32
