A New Vulnerability Reporting Framework for Software Vulnerability Databases

Authors: Hakan Kekül, Burhan Ergen, Halil Arslan

Journal: International Journal of Education and Management Engineering @ijeme

Issue: vol. 11, no. 3, 2021.

Free access

Cyber security is one of the fundamental research areas of software engineering. The systems that make up today's information systems infrastructure have been developed largely with software support, and security vulnerabilities in the software used in these systems may cause undesirable results. It is therefore very important to manage software vulnerabilities correctly. In addition, an effective communication mechanism and common standards should be established among those working in this field. The importance of the subject has been recognised in recent years, and studies in this area have gradually increased; the use of machine learning algorithms in these studies is also growing. Although a large amount of data has accumulated in vulnerability databases, it is often unstructured. Vulnerability databases and security reports are written in natural language that people can understand and interpret, but such reports are difficult for machines to read and understand. Our study focuses on the difficulties caused by this unstructured, natural-language system. To investigate the problem, we first examined and evaluated the up-to-date, accessible databases used in scientific research. We then proposed a three-stage security framework in which machines process vulnerabilities to assist experts from the notification stage to the reporting stage. The rules and flow charts of each stage are defined. To make the framework usable across different databases and their own systems, its rules are defined as a guideline of flexible directions rather than rigid items. The emphasis is not on the methods and tools used, but on defining the outputs as common, comparable attributes.


Keywords: Software Security, Software Vulnerability, Vulnerability Databases, Cyber Security, Information Security

Short URL: https://sciup.org/15017844

IDR: 15017844   |   DOI: 10.5815/ijeme.2021.03.02

Scientific article