A Recommender System for User-Specific Vulnerability Scoring

Karlsson, Linus; Nikbakht Bideh, Pegah; Hell, Martin

A Recommender System for User-Specific Vulnerability Scoring

Mark

Karlsson, Linus ^LU

; Nikbakht Bideh, Pegah ^LU

and Hell, Martin ^LU (2020) 14th International Conference on Risk and Security of Internet and Systems, CRISIS 2019 In Lecture Notes in Computer Science 12026. p.355-364

Abstract: With the inclusion of external software components in their software, vendors also need to identify and evaluate vulnerabilities in the components they use. A growing number of external components makes this process more time-consuming, as vendors need to evaluate the severity and applicability of published vulnerabilities. The CVSS score is used to rank the severity of a vulnerability, but in its simplest form, it fails to take user properties into account. The CVSS also defines an environmental metric, allowing organizations to manually define individual impact requirements. However, it is limited to explicitly defined user information and only a subset of vulnerability properties is used in the metric. In this paper we address these... (More); With the inclusion of external software components in their software, vendors also need to identify and evaluate vulnerabilities in the components they use. A growing number of external components makes this process more time-consuming, as vendors need to evaluate the severity and applicability of published vulnerabilities. The CVSS score is used to rank the severity of a vulnerability, but in its simplest form, it fails to take user properties into account. The CVSS also defines an environmental metric, allowing organizations to manually define individual impact requirements. However, it is limited to explicitly defined user information and only a subset of vulnerability properties is used in the metric. In this paper we address these shortcomings by presenting a recommender system specifically targeting software vulnerabilities. The recommender considers both user history, explicit user properties, and domain based knowledge. It provides a utility metric for each vulnerability, targeting the specific organization's requirements and needs. An initial evaluation with industry participants shows that the recommender can generate a metric closer to the users' reference rankings, based on predictive and rank accuracy metrics, compared to using CVSS environmental score. (Less)

Please use this url to cite or link to this publication: https://lup.lub.lu.se/record/83dd4b29-3471-4c90-9bb2-ba14990ec364

author

Karlsson, Linus ^LU

; Nikbakht Bideh, Pegah ^LU

and Hell, Martin ^LU

organization

publishing date

2020

type

Chapter in Book/Report/Conference proceeding

publication status

published

subject

Information Systems

host publication

CRiSIS 2019: Risks and Security of Internet and Systems

series title

Lecture Notes in Computer Science

volume

12026

pages

355 - 364

publisher

Springer

conference name

14th International Conference on Risk and Security of Internet and Systems, CRISIS 2019

conference location

Hammamet, Tunisia

conference dates

2019-10-29 - 2019-10-31

external identifiers

scopus:85082102633

ISSN

0302-9743

1611-3349

ISBN

978-3-030-41568-6

DOI

10.1007/978-3-030-41568-6

project

Säkra mjukvaruuppdateringar för den smarta staden

language

English

LU publication?

yes

id

83dd4b29-3471-4c90-9bb2-ba14990ec364

date added to LUP

2019-08-26 16:13:09

date last changed

2024-03-19 18:45:33

@inproceedings{83dd4b29-3471-4c90-9bb2-ba14990ec364,
  abstract     = {{With the inclusion of external software components in their software, vendors also need to identify and evaluate vulnerabilities in the components they use. A growing number of external components makes this process more time-consuming, as vendors need to evaluate the severity and applicability of published vulnerabilities. The CVSS score is used to rank the severity of a vulnerability, but in its simplest form, it fails to take user properties into account. The CVSS also defines an environmental metric, allowing organizations to manually define individual impact requirements. However, it is limited to explicitly defined user information and only a subset of vulnerability properties is used in the metric. In this paper we address these shortcomings by presenting a recommender system specifically targeting software vulnerabilities. The recommender considers both user history, explicit user properties, and domain based knowledge. It provides a utility metric for each vulnerability, targeting the specific organization's requirements and needs. An initial evaluation with industry participants shows that the recommender can generate a metric closer to the users' reference rankings, based on predictive and rank accuracy metrics, compared to using CVSS environmental score.}},
  author       = {{Karlsson, Linus and Nikbakht Bideh, Pegah and Hell, Martin}},
  booktitle    = {{CRiSIS 2019: Risks and Security of Internet and Systems}},
  isbn         = {{978-3-030-41568-6}},
  issn         = {{0302-9743}},
  language     = {{eng}},
  pages        = {{355--364}},
  publisher    = {{Springer}},
  series       = {{Lecture Notes in Computer Science}},
  title        = {{A Recommender System for User-Specific Vulnerability Scoring}},
  url          = {{https://lup.lub.lu.se/search/files/68795201/recommender_cameraready.pdf}},
  doi          = {{10.1007/978-3-030-41568-6}},
  volume       = {{12026}},
  year         = {{2020}},
}

Lund University Publications

LUND UNIVERSITY LIBRARIES

A Recommender System for User-Specific Vulnerability Scoring