Vulnerability Discovery and Intelligence

Overview

Automated CVE Detection & Characterization

Security professionals rely on Common Vulnerabilities and Exposures (CVE) reports to make sure disclosed vulnerabilities are fixed before attackers exploit them. Similarly, the security research community relies on CVEs to conduct empirical studies and to develop and validate new techniques. Public vulnerability databases score, characterize and publish disclosed vulnerabilities. However, prior research has raised serious concerns about the competency of these systems and about the consistency of the data and characterization services they provide. An automated end-to-end approach is needed that characterizes vulnerabilities without manual review, reducing the effort needed for CVE management. We design and develop NVIP, a new, automated, configurable and portable software platform that publishes vulnerabilities in near real time and incorporates intelligent analysis and characterization services built on Machine Learning (ML) and novel Information Theoretical (IT) methods. It characterizes each software vulnerability in the five domains defined by the NIST Vulnerability Description Ontology (VDO) framework: Attack Theater, Context, Impact Method, Logical Impact and Mitigation. Experimental results indicate that software vulnerabilities can be detected up to 95 hours earlier than they appear in the US National Vulnerability Database (NVD), and that, using a variety of ML/IT methods, CVEs can be characterized with F-measure values of up to 1.

Figure 2: An overview of NVIP.
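The characterization step described above is illustrated by the following added example. It is not NVIP's code and does not reproduce NVIP's models: it ranks the terms of a small constructed corpus of CVE-style descriptions by their mutual information with the VDO Attack Theater label (an information-theoretic feature score), keeps the most informative terms, labels held-out descriptions with a presence-only naive Bayes scorer over those terms, and reports the per-label F-measure. The corpus, the held-out descriptions, the stop-word list, the choice of 20 kept terms (K_TERMS) and the naive Bayes scorer are assumptions made for this example; only the Attack Theater values Remote, Local and Physical come from the VDO.

```python
# Added example (not NVIP's code): characterise CVE descriptions by the VDO Attack
# Theater label with mutual-information term selection and a presence-only naive
# Bayes scorer. Corpus, labels, stop-words and K_TERMS are assumptions made here.
import math
import re
from collections import Counter

# Constructed training corpus: (CVE-style description, VDO Attack Theater value).
TRAIN = [
    ("A buffer overflow in the HTTP request parser allows a remote attacker to execute arbitrary code via a crafted packet.", "Remote"),
    ("Remote attackers can cause a denial of service via a malformed network packet sent to port 8080.", "Remote"),
    ("An unauthenticated remote attacker can bypass authentication by sending a crafted request.", "Remote"),
    ("A local user can escalate privileges via a race condition in the setuid helper binary.", "Local"),
    ("Local attackers with shell access can read arbitrary files due to insecure permissions.", "Local"),
    ("A local user can gain root by exploiting a symlink following flaw in the log rotation script.", "Local"),
    ("An attacker with physical access can bypass the lock screen by connecting a USB device.", "Physical"),
    ("Physical access to the device allows extraction of firmware keys via the debug port.", "Physical"),
]
# Constructed held-out descriptions with the label we expect.
HELD_OUT = [
    ("Remote attackers can execute arbitrary code via a crafted HTTP request.", "Remote"),
    ("A local user can overwrite files via a symlink in /tmp.", "Local"),
    ("An attacker with physical access to the USB port can dump device memory.", "Physical"),
]
STOPWORDS = {"a", "an", "the", "to", "of", "in", "by", "via", "can", "with", "due"}
TOKEN_RE = re.compile(r"[a-z]{2,}")
K_TERMS = 20  # assumed vocabulary size kept after feature selection

def tokens(text):
    """Lower-cased alphabetic tokens as a set: binary presence features."""
    return {t for t in TOKEN_RE.findall(text.lower()) if t not in STOPWORDS}

def mutual_information(docs):
    """I(term present; label) in nats for every term in the labelled docs."""
    n = len(docs)
    label_count = Counter(label for _, label in docs)
    term_count, joint_count = Counter(), Counter()
    for text, label in docs:
        for t in tokens(text):
            term_count[t] += 1
            joint_count[(t, label)] += 1
    mi = {}
    for t, n_t in term_count.items():
        total = 0.0
        for y, n_y in label_count.items():
            # two cells per label: term present in docs of y, term absent in docs of y
            for n_feat, n_joint in ((n_t, joint_count[(t, y)]), (n - n_t, n_y - joint_count[(t, y)])):
                if n_joint:
                    p_joint = n_joint / n
                    total += p_joint * math.log(p_joint / ((n_feat / n) * (n_y / n)))
        mi[t] = total
    return mi

def select_terms(docs, k):
    """Top-k terms by mutual information; ties broken alphabetically."""
    mi = mutual_information(docs)
    return sorted(mi, key=lambda t: (-mi[t], t))[:k]

class PresenceNaiveBayes:
    """Naive Bayes over term presence restricted to `vocab`: only terms present in
    the document contribute, with add-one smoothing of P(term | label)."""
    def __init__(self, docs, vocab):
        self.vocab, self.n = set(vocab), len(docs)
        self.label_count = Counter(label for _, label in docs)
        self.joint_count = Counter()
        for text, label in docs:
            for t in tokens(text) & self.vocab:
                self.joint_count[(t, label)] += 1

    def scores(self, text):
        present = tokens(text) & self.vocab
        out = {}
        for y, n_y in self.label_count.items():
            s = math.log(n_y / self.n)  # log prior
            for t in present:
                s += math.log((self.joint_count[(t, y)] + 1) / (n_y + 2))
            out[y] = s
        return out

    def predict(self, text):
        s = self.scores(text)
        return max(s, key=s.get)

def f_measure(gold, pred, label):
    """Per-label F1 = 2*TP / (2*TP + FP + FN)."""
    cells = Counter((g == label, p == label) for g, p in zip(gold, pred))
    tp, fp, fn = cells[(True, True)], cells[(False, True)], cells[(True, False)]
    return 2 * tp / (2 * tp + fp + fn) if tp else 0.0

def run(k=K_TERMS):
    """Select terms, train on TRAIN, label HELD_OUT; return (vocab, predictions, F1 per label)."""
    vocab = select_terms(TRAIN, k)
    model = PresenceNaiveBayes(TRAIN, vocab)
    gold = [y for _, y in HELD_OUT]
    pred = [model.predict(x) for x, _ in HELD_OUT]
    return vocab, pred, {y: f_measure(gold, pred, y) for y in sorted(set(gold))}

if __name__ == "__main__":
    print(run())
```

Running the script prints the selected vocabulary, the predicted Attack Theater value for each held-out description and the per-label F-measure. On this corpus the terms "remote", "local", "physical" and "device" carry the most information about the label, and the three held-out descriptions are all labelled correctly, so every per-label F-measure is 1. The scorer ignores absent terms and the corpus is tiny, so this is only a sketch of the kind of model a platform such as NVIP trains; the point is that an information-theoretic term score in front of a simple classifier already recovers the label when descriptions share their discriminating vocabulary, and that the F-measure quoted for NVIP is computed per VDO label in exactly this way.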

