Abstract
The Common Vulnerability Scoring System (CVSS) is the industry standard for describing the characteristics of software vulnerabilities and measuring their severity. However, not all publicly known vulnerabilities have a severity rating in CVSS 3.x, the latest and most advanced version of the standard. This is due to the large time gap between the publication of the CVSS 2.0 and CVSS 3.x standards, the large number of vulnerabilities detected and published in that period, and significant differences between the two versions in the method of determining vulnerability severity and in the way vector properties are assigned to the evaluation components. Consequently, organizations that use CVSS to prioritize vulnerabilities work with both CVSS versions and have abandoned a full transition to the CVSS 3.x standard. In this paper the authors introduce machine learning algorithms for converting CVSS 2.0 scores to CVSS 3.x scores, which should significantly facilitate the upgrade to the CVSS 3.x standard for all stakeholders. The considered case corresponds to a real-world application, so the research has a large potential impact.
Supported by Wroclaw University of Science and Technology.
Acknowledgments
The authors wish to thank Wroclaw University of Science and Technology (statutory activity) for financial support and Agata Szewczyk for proofreading and translation. This publication was created as a part of the Regional Security Operations Center (RegSOC) project (Regionalne Centrum Bezpieczeństwa Cybernetycznego), cofinanced by the National Centre for Research and Development as part of the CyberSecIdent-Cybersecurity and e-Identity program.
© 2021 Springer Nature Switzerland AG
Nowak, M., Walkowski, M., Sujecki, S. (2021). Machine Learning Algorithms for Conversion of CVSS Base Score from 2.0 to 3.x. In: Paszynski, M., Kranzlmüller, D., Krzhizhanovskaya, V.V., Dongarra, J.J., Sloot, P.M. (eds) Computational Science – ICCS 2021. ICCS 2021. Lecture Notes in Computer Science(), vol 12744. Springer, Cham. https://doi.org/10.1007/978-3-030-77967-2_21
DOI: https://doi.org/10.1007/978-3-030-77967-2_21
Publisher Name: Springer, Cham
Print ISBN: 978-3-030-77966-5
Online ISBN: 978-3-030-77967-2