Predicting Exploitation of Disclosed Software Vulnerabilities Using Open-source Data

Authors: Benjamin L. Bullough, Anna K. Yanchenko, Joseph R. Zipkin, Christopher L. Smith

DOI: 10.1145/3041008.3041009

Abstract: Each year, thousands of software vulnerabilities are discovered and reported to the public. Unpatched known vulnerabilities are a significant security risk. It is imperative that software vendors quickly provide patches once vulnerabilities are known and users quickly install those patches as soon as they are available. However, most vulnerabilities are never actually exploited. Since writing, testing, and installing software patches can involve considerable resources, it would be desirable to prioritize the remediation of vulnerabilities that are likely to be exploited. Several published research studies have reported moderate success in applying machine learning techniques to the task of predicting whether a vulnerability will be exploited. These approaches typically use features derived from vulnerability databases (such as the summary text describing the vulnerability) or social media posts that mention the vulnerability by name. However, these prior studies share multiple methodological shortcomings that inflate the predictive power of these approaches. We replicate key portions of the prior work, compare their approaches, and show how the selection of training and test data critically affect the estimated performance of predictive models. The results of this study point to important methodological considerations that should be taken into account so that results reflect real-world utility.
