Advanced

A Recommender System for User-Specific Vulnerability Scoring

Karlsson, Linus LU ; Nikbakht Bideh, Pegah LU and Hell, Martin LU (2019) 14th International Conference on Risk and Security of Internet and Systems, CRISIS 2019
Abstract
With the inclusion of external software components in their software, vendors also need to identify and evaluate vulnerabilities in the components they use. A growing number of external components makes this process more time-consuming, as vendors need to evaluate the severity and applicability of published vulnerabilities. The CVSS score is used to rank the severity of a vulnerability, but in its simplest form, it fails to take user properties into account. The CVSS also defines an environmental metric, allowing organizations to manually define individual impact requirements. However, it is limited to explicitly defined user information and only a subset of vulnerability properties is used in the metric. In this paper we address these... (More)
With the inclusion of external software components in their software, vendors also need to identify and evaluate vulnerabilities in the components they use. A growing number of external components makes this process more time-consuming, as vendors need to evaluate the severity and applicability of published vulnerabilities. The CVSS score is used to rank the severity of a vulnerability, but in its simplest form, it fails to take user properties into account. The CVSS also defines an environmental metric, allowing organizations to manually define individual impact requirements. However, it is limited to explicitly defined user information and only a subset of vulnerability properties is used in the metric. In this paper we address these shortcomings by presenting a recommender system specifically targeting software vulnerabilities. The recommender considers both user history, explicit user properties, and domain based knowledge. It provides a utility metric for each vulnerability, targeting the specific organization's requirements and needs. An initial evaluation with industry participants shows that the recommender can generate a metric closer to the users' reference rankings, based on predictive and rank accuracy metrics, compared to using CVSS environmental score. (Less)
Please use this url to cite or link to this publication:
author
organization
publishing date
type
Chapter in Book/Report/Conference proceeding
publication status
in press
subject
host publication
CRiSIS 2019
publisher
Springer
conference name
14th International Conference on Risk and Security of Internet and Systems, CRISIS 2019
conference location
Hammamet, Tunisia
conference dates
2019-10-29 - 2019-10-31
language
English
LU publication?
yes
id
83dd4b29-3471-4c90-9bb2-ba14990ec364
date added to LUP
2019-08-26 16:13:09
date last changed
2019-08-27 14:53:16
@inproceedings{83dd4b29-3471-4c90-9bb2-ba14990ec364,
  abstract     = {With the inclusion of external software components in their software, vendors also need to identify and evaluate vulnerabilities in the components they use. A growing number of external components makes this process more time-consuming, as vendors need to evaluate the severity and applicability of published vulnerabilities. The CVSS score is used to rank the severity of a vulnerability, but in its simplest form, it fails to take user properties into account. The CVSS also defines an environmental metric, allowing organizations to manually define individual impact requirements. However, it is limited to explicitly defined user information and only a subset of vulnerability properties is used in the metric. In this paper we address these shortcomings by presenting a recommender system specifically targeting software vulnerabilities. The recommender considers both user history, explicit user properties, and domain based knowledge. It provides a utility metric for each vulnerability, targeting the specific organization's requirements and needs. An initial evaluation with industry participants shows that the recommender can generate a metric closer to the users' reference rankings, based on predictive and rank accuracy metrics, compared to using CVSS environmental score.},
  author       = {Karlsson, Linus and Nikbakht Bideh, Pegah and Hell, Martin},
  language     = {eng},
  location     = {Hammamet, Tunisia},
  publisher    = {Springer},
  title        = {A Recommender System for User-Specific Vulnerability Scoring},
  year         = {2019},
}