
Machine Learning Algorithms for Conversion of CVSS Base Score from 2.0 to 3.x

  • Conference paper
Computational Science – ICCS 2021 (ICCS 2021)

Abstract

The Common Vulnerability Scoring System (CVSS) is the industry standard for describing the characteristics of software vulnerabilities and measuring their severity. However, not all publicly known vulnerabilities have a criticality rating in CVSS 3.x, the latest and most advanced version of the standard. This is due to the long time gap between the publication of the CVSS 2.0 and CVSS 3.x standards, the large number of vulnerabilities detected and published in that period, and significant differences in how vulnerability criticality is determined and how vector properties are assigned to the evaluation components. Consequently, organizations that use CVSS to prioritize vulnerabilities work with both CVSS versions and have abandoned a full transition to the CVSS 3.x standard. In this paper the authors introduce machine learning algorithms for converting CVSS 2.0 scores to CVSS 3.x scores, which should significantly facilitate the upgrade to the CVSS 3.x standard for all stakeholders. The considered case corresponds to a real-world application, and the research therefore has a large potential impact.

Supported by Wroclaw University of Science and Technology.



Acknowledgments

The authors wish to thank Wroclaw University of Science and Technology (statutory activity) for financial support and Agata Szewczyk for proofreading and translation. This publication was created as a part of the Regional Security Operations Center (RegSOC) project (Regionalne Centrum Bezpieczeństwa Cybernetycznego), cofinanced by the National Centre for Research and Development as part of the CyberSecIdent-Cybersecurity and e-Identity program.

Author information

Correspondence to Maciej Nowak.


Copyright information

© 2021 Springer Nature Switzerland AG

About this paper


Cite this paper

Nowak, M., Walkowski, M., Sujecki, S. (2021). Machine Learning Algorithms for Conversion of CVSS Base Score from 2.0 to 3.x. In: Paszynski, M., Kranzlmüller, D., Krzhizhanovskaya, V.V., Dongarra, J.J., Sloot, P.M. (eds) Computational Science – ICCS 2021. ICCS 2021. Lecture Notes in Computer Science(), vol 12744. Springer, Cham. https://doi.org/10.1007/978-3-030-77967-2_21

  • DOI: https://doi.org/10.1007/978-3-030-77967-2_21

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-030-77966-5

  • Online ISBN: 978-3-030-77967-2

  • eBook Packages: Computer Science, Computer Science (R0)
