
Common Vulnerability Scoring System Prediction based on Open Source Intelligence Information Sources

by Philipp Kuehn, et al.

The number of newly published vulnerabilities is constantly increasing. Until now, the information available when a new vulnerability is published has been manually assessed by experts using a Common Vulnerability Scoring System (CVSS) vector and score. This assessment is time-consuming and requires expertise. Various works already try to predict CVSS vectors or scores using machine learning based on the textual descriptions of the vulnerability to enable faster assessment. However, for this purpose, previous works only use the texts available in databases such as the National Vulnerability Database. In this work, the publicly available web pages referenced in the National Vulnerability Database are analyzed and made available as sources of texts through web scraping. A Deep Learning-based method for predicting the CVSS vector is implemented and evaluated. The present work provides a classification of the National Vulnerability Database's reference texts based on the suitability and crawlability of their texts. While we found that the overall influence of the additional texts is negligible, we outperformed the state of the art with our Deep Learning prediction models.




VulCurator: A Vulnerability-Fixing Commit Detector

Open-source software (OSS) vulnerability management process is important...

Identifying Relevant Information Cues for Vulnerability Assessment Using CVSS

The assessment of new vulnerabilities is an activity that accounts for i...

A Look at the Time Delays in CVSS Vulnerability Scoring

This empirical paper examines the time delays that occur between the pub...

Web Application Weakness Ontology Based on Vulnerability Data

Web applications are becoming more ubiquitous. All manner of physical de...

Enhanced Integrated Scoring for Cleaning Dirty Texts

An increasing number of approaches for ontology engineering from text ar...

Is the OWASP Top 10 list comprehensive enough for writing secure code?

The OWASP Top 10 is a list that is published by the Open Web Application...