Litcius/Paper detail

Fighting N-day vulnerabilities with automated CVSS vector prediction at disclosure

Clément Elbaz, Louis Rilling, Christine Morin

202060 citationsDOI

Abstract

The Common Vulnerability Scoring System (CVSS) is the industry standard for describing the characteristics of a software vulnerability and measuring its severity. However, during the first days after a vulnerability disclosure, the initial human readable description of the vulnerability is not available as a machine readable CVSS vector yet. This situation creates a period of time when only expensive manual analysis can be used to react to new vulnerabilities because no data is available for cheaper automated analysis yet. We present a new technique based on linear regression to automatically predict the CVSS vector of newly disclosed vulnerabilities using only their human readable descriptions, with a strong emphasis on decision explicability. Our experimental results suggest real world applicability.

Topics & Concepts

Vulnerability (computing)Computer scienceSupport vector machineMachine learningVulnerability assessmentSoftwareArtificial intelligenceData miningRisk analysis (engineering)Computer securityPsychologyPsychological resilienceProgramming languagePsychotherapistMedicineAdvanced Malware Detection TechniquesWeb Application Security VulnerabilitiesSoftware Testing and Debugging Techniques
Fighting N-day vulnerabilities with automated CVSS vector prediction at disclosure | Litcius