Beyond heuristics: learning to classify vulnerabilities and predict exploits

Authors: Mehran Bozorgi, Lawrence K. Saul, Stefan Savage, Geoffrey M. Voelker

DOI: 10.1145/1835804.1835821

Keywords:

Abstract: The security demands on modern system administration are enormous and getting worse. Chief among these demands, administrators must monitor the continual ongoing disclosure of software vulnerabilities that have the potential to compromise their systems in some way. Such vulnerabilities include buffer overflow errors, improperly validated inputs, and other unanticipated attack modalities. In 2008, over 7,400 new vulnerabilities were disclosed, well over 100 per week. While no enterprise is affected by all of these disclosures, administrators commonly face many outstanding vulnerabilities across the software systems they manage. Vulnerabilities can be addressed by patches, reconfigurations, or other workarounds; however, these actions may incur down-time or unforeseen side-effects. Thus, a key question for administrators is which vulnerabilities to prioritize. From publicly available databases that document past vulnerabilities, we show how to train classifiers that predict whether and how soon a vulnerability is likely to be exploited. As input, our classifiers operate on high dimensional feature vectors that we extract from the text fields, time stamps, cross references, and other entries in existing vulnerability disclosure reports. Compared to current industry-standard heuristics based on expert knowledge and static formulas, our classifiers predict much more accurately whether and how soon individual vulnerabilities are likely to be exploited.
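The pipeline the abstract describes, reduced to a runnable sketch. This is an added example, not the paper's code: it builds sparse feature vectors from the text fields, cross references, time stamps and a binned scalar score of each disclosure record, trains a linear classifier on past outcomes, and scores it against a static-score heuristic. Everything specific is an assumption for illustration: the 30-day window that defines "exploited soon", the CVSS-7.0 cutoff standing in for the industry heuristic, plain SGD logistic regression in place of LIBLINEAR, and the vulnerability records, which are constructed and describe no real advisories.

```python
"""Toy exploit-prediction pipeline: hashed sparse features from disclosure
records, a linear classifier, and a static-score heuristic for comparison.
Added example, not the paper's code; every record below is constructed."""
import math
import re
import zlib
from datetime import date

DIM = 1 << 20                # size of the hashed feature space
EXPLOIT_WINDOW_DAYS = 30     # assumed label: exploit seen within 30 days of disclosure
CVSS_THRESHOLD = 7.0         # assumed static heuristic: "patch first if CVSS >= 7"


def _bucket(token):
    # deterministic hashing so collisions are the same on every run
    return zlib.crc32(token.encode("utf-8")) % DIM


def tokenize(text):
    return re.findall(r"[a-z0-9]+", text.lower())


def featurize(rec):
    """Map one disclosure record to a sparse {index: count} vector.
    Text, cross references, time stamps and binned scalars all become string
    tokens hashed into one space, so a single linear model sees them together."""
    words = tokenize(rec["summary"])
    toks = ["w:" + w for w in words]                                   # unigrams
    toks += ["b:%s_%s" % pair for pair in zip(words, words[1:])]      # bigrams
    toks += ["ref:" + r for r in rec["references"]]                    # cross references
    toks += ["pub_wd:%d" % rec["published"].weekday(),
             "pub_month:%d" % rec["published"].month]                  # time stamps
    toks.append("cvss_bin:%d" % int(rec["cvss"]))                      # binned scalar
    vec = {}
    for t in toks:
        i = _bucket(t)
        vec[i] = vec.get(i, 0.0) + 1.0
    return vec


def label(rec):
    """True iff an exploit appeared within EXPLOIT_WINDOW_DAYS of disclosure."""
    if rec["exploited_on"] is None:
        return False
    return (rec["exploited_on"] - rec["published"]).days <= EXPLOIT_WINDOW_DAYS


def _sigmoid(z):
    if z >= 0:
        return 1.0 / (1.0 + math.exp(-z))
    ez = math.exp(z)
    return ez / (1.0 + ez)


class LogRegSGD:
    """Sparse logistic regression trained with plain SGD (stand-in for LIBLINEAR)."""

    def __init__(self, lr=0.1, l2=1e-4, epochs=30):
        self.lr, self.l2, self.epochs = lr, l2, epochs
        self.w, self.b = {}, 0.0

    def decision(self, vec):
        return self.b + sum(self.w.get(i, 0.0) * v for i, v in vec.items())

    def predict(self, vec):
        return self.decision(vec) > 0.0

    def fit(self, vecs, ys):
        for _ in range(self.epochs):
            for vec, y in zip(vecs, ys):
                g = _sigmoid(self.decision(vec)) - (1.0 if y else 0.0)   # gradient of log-loss wrt z
                for i, v in vec.items():
                    wi = self.w.get(i, 0.0)
                    self.w[i] = wi - self.lr * (g * v + self.l2 * wi)
                self.b -= self.lr * g
        return self


def heuristic_predict(rec):
    return rec["cvss"] >= CVSS_THRESHOLD


def _rec(id_, summary, refs, published, cvss, exploited_on=None):
    return {"id": id_, "summary": summary, "references": refs,
            "published": published, "cvss": cvss, "exploited_on": exploited_on}


# Constructed training records (not real advisories).
TRAIN = [
    _rec("V1", "Stack buffer overflow in HTTP request parser allows remote code execution",
         ["exploit-db", "bugtraq", "vendor"], date(2008, 3, 3), 9.3, date(2008, 3, 10)),
    _rec("V2", "Unauthenticated remote code execution via crafted RPC packet",
         ["exploit-db", "milw0rm"], date(2008, 5, 12), 10.0, date(2008, 5, 14)),
    _rec("V3", "Heap overflow in image decoder allows remote code execution",
         ["exploit-db", "cert"], date(2008, 7, 21), 9.3, date(2008, 8, 1)),
    _rec("V4", "SQL injection in login form allows authentication bypass",
         ["exploit-db", "secunia"], date(2008, 9, 8), 6.8, date(2008, 9, 9)),   # low score, exploited fast
    _rec("V5", "Denial of service via malformed DNS response", ["vendor"], date(2008, 2, 4), 5.0),
    _rec("V6", "Information disclosure through verbose error message",
         ["vendor", "secunia"], date(2008, 4, 14), 4.3),
    _rec("V7", "Local privilege escalation requires physical access",
         ["vendor"], date(2008, 6, 2), 4.6, date(2008, 12, 15)),              # exploited, but long after the window
    _rec("V8", "Remote denial of service in kernel network stack", ["vendor"], date(2008, 8, 18), 7.8),  # high score, never exploited
]

# Constructed held-out records.
TEST = [
    _rec("T1", "Remote code execution via crafted packet in SMB handler",
         ["exploit-db", "bugtraq"], date(2008, 10, 20), 10.0),
    _rec("T2", "Denial of service through malformed configuration file", ["vendor"], date(2008, 11, 3), 4.3),
]


def accuracy(pred_fn, recs):
    return sum(pred_fn(r) == label(r) for r in recs) / len(recs)


def run():
    """Train on TRAIN, compare against the CVSS heuristic, return held-out predictions by id."""
    model = LogRegSGD().fit([featurize(r) for r in TRAIN], [label(r) for r in TRAIN])
    return {
        "classifier_train_acc": accuracy(lambda r: model.predict(featurize(r)), TRAIN),
        "heuristic_train_acc": accuracy(heuristic_predict, TRAIN),
        "predictions": {r["id"]: model.predict(featurize(r)) for r in TEST},
    }


if __name__ == "__main__":
    print(run())
```

The two records the static heuristic gets wrong (V4, exploited within a day despite a sub-7 score, and V8, a high score that never drew an exploit) are the point of the comparison: a score threshold cannot see the exploit-db cross reference or the "remote code execution" phrasing, while the learned model weights those tokens directly. V7 shows why the label needs a window rather than a yes/no on "ever exploited".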

References (14)
Stefan Frei, Dominik Schatzmann, Bernhard Plattner, Brian Trammell. Modeling the Security Ecosystem: The Dynamics of (In)Security. In Economics of Information Security and Privacy, pp. 79-106, 2010. DOI: 10.1007/978-1-4419-6967-5_6
David D. Lewis. Naive (Bayes) at Forty: The Independence Assumption in Information Retrieval. In Machine Learning: ECML-98, pp. 4-15, 1998. DOI: 10.1007/BFb0026666
J. McHugh, W. L. Fithen, W. A. Arbaugh. Windows of Vulnerability: A Case Study Analysis. IEEE Computer, vol. 33, pp. 52-59, 2000. DOI: 10.1109/2.889093
Ashish Arora, Rahul Telang, Hao Xu. Optimal Policy for Software Vulnerability Disclosure. SSRN working paper, 2005. DOI: 10.2139/ssrn.669023
S. M. Bellovin. On the Brittleness of Software and the Infeasibility of Security Metrics. IEEE Security & Privacy, vol. 4, p. 96, 2006. DOI: 10.1109/MSP.2006.101
David Moore, Colleen Shannon, k claffy. Code-Red: A Case Study on the Spread and Victims of an Internet Worm. In Proceedings of the ACM SIGCOMM Internet Measurement Workshop, pp. 273-284, 2002. DOI: 10.1145/637201.637244
Eric Rescorla. Security Holes... Who Cares? In Proceedings of the USENIX Security Symposium, 2003.
Rong-En Fan, Kai-Wei Chang, Cho-Jui Hsieh, Xiang-Rui Wang, Chih-Jen Lin. LIBLINEAR: A Library for Large Linear Classification. Journal of Machine Learning Research, vol. 9, pp. 1871-1874, 2008.
Ashish Arora, Anand Nandkumar, Rahul Telang. Does Information Security Attack Frequency Increase with Vulnerability Disclosure? An Empirical Analysis. Information Systems Frontiers, vol. 8, pp. 350-362, 2007. DOI: 10.1007/s10796-006-9012-5