Skip to main content
Springer Nature Link
Log in

On the Usage of NLP on CVE Descriptions for Calculating Risk

  • Conference paper
  • First Online:
Computer Security. ESORICS 2023 International Workshops (ESORICS 2023)

Part of the book series: Lecture Notes in Computer Science ((LNCS,volume 14398))

Included in the following conference series:

  • 536 Accesses

Abstract

In order to conduct a risk analysis on an ecosystem the potential threats to its assets must first be identified. The Risk Modelling Tool (RMT) of the CitySCAPE Project uses CWE - CAPEC - threat relationships that were mapped for identifying the threats that vulnerabilities can pose on specific assets, namely in the context of multimodal transport use cases, based on already existing vulnerabilities. However, nearly one third of all CVEs do not have any CWEs assigned to them or have generic CWEs like “NVD-CWE-Other” that do not offer any information about that vulnerability, to then be linked back to a threat. This paper proposes the use of a Natural Language Processing model and more specifically a text classification model to be trained on CVE descriptions that can be traced back to a threat using the created mapping. The model will therefore be able to extrapolate the threat that a specific vulnerability will expose and be detected earlier, allowing security analysts to be able to deploy countermeasures to combat that risk. The resulting model has an accuracy of over 90% across a ten-fold validation process. As such a more complete and accurate risk analysis can be performed using the larger number of applicable vulnerabilities found using our ML model.

This is a preview of subscription content, log in via an institution to check access.

Access this chapter

Log in via an institution

Subscribe and save

Springer+ Basic
$34.99 /Month
  • Get 10 units per month
  • Download Article/Chapter or eBook
  • 1 Unit = 1 Article or 1 Chapter
  • Cancel anytime
Subscribe now

Buy Now

Chapter
USD 29.95
Price excludes VAT (USA)
  • Available as PDF
  • Read on any device
  • Instant download
  • Own it forever

Tax calculation will be finalised at checkout

Purchases are for personal use only

Institutional subscriptions

Similar content being viewed by others

Notes

  1. 1.

    https://www.cityscape-project.eu/.

  2. 2.

    https://www.cityscape-project.eu/wp-content/uploads/2022/07/D2.3-Multimodal-Transport-System_-System-Modelling-Risk-Analysis-and-Management-GDPR-Compliance-1.pdf.

  3. 3.

    https://www.cityscape-project.eu/wp-content/uploads/2022/07/D2.4-Cascading-risks-in-the-multimodal-transportation-platforms-1.pdf.

  4. 4.

    https://nvd.nist.gov/vuln/detail/CVE-2016-0380.

  5. 5.

    https://nvd.nist.gov/vuln/detail/CVE-2019-9516.

  6. 6.

    https://kb.cert.org/vuls/id/605641/.

  7. 7.

    https://spacy.io/.

  8. 8.

    https://prodi.gy/.

  9. 9.

    https://nvd.nist.gov/vuln/detail/CVE-1999-0011.

  10. 10.

    https://www.nltk.org/.

References

  1. Bird, S., Klein, E., Loper, E.: Natural language processing with Python: analyzing text with the natural language toolkit. O’Reilly Media, Inc. (2009)

    Google Scholar 

  2. CAPEC: About CAPEC. https://capec.mitre.org/about/index.html 04 Apr 2019

  3. Cheikes, B., Waltermire, D., Scarfone, K.: Common Platform Enumeration: Naming Specification Version 2, 3 (2011). https://doi.org/10.6028/NIST.IR.7695, https://tsapps.nist.gov/publication/get_pdf.cfm?pub_id=909010

  4. CISA: Apache Log4j Vulnerability Guidance. https://www.cisa.gov/uscert/apache-log4j-vulnerability-guidance Accessed 27 Apr 2022

  5. CVE: CVE Numbering Authority (CNA) Rules. https://www.cve.org/ResourcesSupport/AllResources/CNARules 05 Mar 2020

  6. CVE: History. https://www.cve.org/About/History Accessed 27 Apr 2022

  7. CVE: Process for Assigning CVE IDs to End-of-Life (EOL) Products. https://cve.mitre.org/cve/cna/CVE_Program_End_of_Life_EOL_Assignment_Process.html 11 Dec 2020

  8. CWE: 2021 CWE Top 25 Most Dangerous Software Weaknesses. https://cwe.mitre.org/top25/archive/2021/2021_cwe_top25.html 13 Oct 2022

  9. CWE: About CWE. https://cwe.mitre.org/about/index.html 06 June 2023

  10. CWE: CWE VIEW: Weaknesses for Simplified Mapping of Published Vulnerabilities. https://cwe.mitre.org/data/definitions/1003.html 27 Apr 2023

  11. CWE: Weaknesses Originally Used by NVD from 2008 to 2016. https://cwe.mitre.org/data/definitions/635.html 27 Apr 2023

  12. FIRST: Common Vulnerability Scoring System v1 Archive. https://www.first.org/cvss/v1/ 14 Apr 2005

  13. FIRST: Common Vulnerability Scoring System version 3.1: User Guide. https://www.first.org/cvss/user-guide Accessed 5 May 2022

  14. FIRST: New version of Common Vulnerability Scoring System released. https://www.first.org/cvss/v2/ 20 June 2007

  15. Kanakogi, K., et al.: Tracing CVE Vulnerability Information to CAPEC Attack Patterns Using Natural Language Processing Techniques. Information 12(8), (2021). https://doi.org/10.3390/info12080298, https://www.mdpi.com/2078-2489/12/8/298

  16. Kushner, D.: The real story of stuxnet. IEEE Spectr. 50(3), 48–53 (2013). https://doi.org/10.1109/MSPEC.2013.6471059

    Article  Google Scholar 

  17. Lyvas, C., et al.: A hybrid dynamic risk analysis methodology for cyber-physical systems. In: Kastsikas, S., et al. (eds.) Computer Security. ESORICS 2022 International Workshops: CyberICPS 2022, SECPRE 2022, SPOSE 2022, CPS4CIP 2022, CDT &SECOMANE 2022, EIS 2022, and SecAssure 2022, Copenhagen, Denmark, September 26–30, 2022, Revised Selected Papers, pp. 134–152. Springer International Publishing, Cham (2023). https://doi.org/10.1007/978-3-031-25460-4_8

    Chapter  Google Scholar 

  18. Manning, C.D., Raghavan, P., Schütze, H.: Introduction to Information Retrieval. Cambridge University Press (2008). https://doi.org/10.1017/CBO9780511809071

  19. Microsoft Security Response Center: Customer Guidance for WannaCrypt attacks. https://msrc-blog.microsoft.com/2017/05/12/customer-guidance-for-wannacrypt-attacks/ 12 May 2017

  20. NIST CSRC: Common Platform Enumeration (CPE). https://csrc.nist.gov/Projects/Security-Content-Automation-Protocol/Specifications/cpe 20 Apr 2023

  21. NVD: A Brief History of the NVD. https://nvd.nist.gov/general/brief-history Accessed 27 Apr 2022

  22. Ruder, S.: An overview of gradient descent optimization algorithms (2016). https://doi.org/10.48550/ARXIV.1609.04747, https://arxiv.org/abs/1609.04747

  23. Sammut, C., Webb, G.I. (eds.): Encyclopedia of Machine Learning and Data Mining. Springer US, Boston, MA (2017). https://doi.org/10.1007/978-1-4899-7687-1

    Book  Google Scholar 

  24. Sun, J., et al.: Generating Informative CVE Description From ExploitDB Posts by Extractive Summarization (2021). https://doi.org/10.48550/ARXIV.2101.01431, https://arxiv.org/abs/2101.01431

  25. Tai, W.: How to Use VPR to Manage Threats Prior to NVD Publication. https://www.tenable.com/blog/how-to-use-vpr-to-manage-threats-prior-to-nvd-publication 22 May 2020

  26. Tai, W.: What Is VPR and How Is It Different from CVSS?. https://www.tenable.com/blog/what-is-vpr-and-how-is-it-different-from-cvss 16 Apr 2020

Download references

Acknowledgment

This work is a part of the CitySCAPE project. CitySCAPE has received funding from the European Union’s Horizon 2020 research & innovation programme under grant agreement no 883321. Content reflects only the authors’ view and European Commission is not responsible for any use that may be made of the information it contains.

Author information

Authors and Affiliations

  1. Department of Digital Systems, University of Piraeus, Piraeus, Greece

    Thrasyvoulos Giannakopoulos

  2. Department of Information and Communication Systems Engineering, University of the Aegean, Mytilene, Greece

    Konstantinos Maliatsos

Authors
  1. Thrasyvoulos Giannakopoulos
    View author publications

    You can also search for this author in PubMed Google Scholar

  2. Konstantinos Maliatsos
    View author publications

    You can also search for this author in PubMed Google Scholar

Corresponding author

Correspondence to Thrasyvoulos Giannakopoulos .

Editor information

Editors and Affiliations

  1. Norwegian University of Science and Technology, Gjøvik, Norway

    Sokratis Katsikas

  2. Polytechnique Montréal, Montreal, QC, Canada

    Frédéric Cuppens

  3. Polytechnique Montréal, Montreal, QC, Canada

    Nora Cuppens-Boulahia

  4. University of Piraeus, Piraeus, Greece

    Costas Lambrinoudakis

  5. Télécom SudParis, Palaiseau, France

    Joaquin Garcia-Alfaro

  6. Universitat Autonoma de Barcelona, Bellaterra, Spain

    Guillermo Navarro-Arribas

  7. University of Murcia, Murcia, Spain

    Pantaleone Nespoli

  8. University of the Aegean, Mytilene, Greece

    Christos Kalloniatis

  9. University of Toronto, Toronto, ON, Canada

    John Mylopoulos

  10. Georgia Institute of Technology, Atlanta, GA, USA

    Annie Antón

  11. University of Piraeus, Piraeus, Greece

    Stefanos Gritzalis

Rights and permissions

Reprints and permissions

Copyright information

© 2024 The Author(s), under exclusive license to Springer Nature Switzerland AG

About this paper

Check for updates. Verify currency and authenticity via CrossMark

Cite this paper

Giannakopoulos, T., Maliatsos, K. (2024). On the Usage of NLP on CVE Descriptions for Calculating Risk. In: Katsikas, S., et al. Computer Security. ESORICS 2023 International Workshops. ESORICS 2023. Lecture Notes in Computer Science, vol 14398. Springer, Cham. https://doi.org/10.1007/978-3-031-54204-6_6

Download citation

  • DOI: https://doi.org/10.1007/978-3-031-54204-6_6

  • Published:

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-031-54203-9

  • Online ISBN: 978-3-031-54204-6

  • eBook Packages: Computer ScienceComputer Science (R0)

Publish with us

Policies and ethics