A RAkEL-based methodology to estimate software vulnerability characteristics & score - an application to EU project ECHO

  • Special issue 1180: Cybersecurity, Intelligent Multimedia Systems for Threat Detection and Data Protection
  • Journal: Multimedia Tools and Applications

Abstract

Software vulnerabilities constitute a critical threat for cybersecurity analysts in contemporary society, since a successfully exploited vulnerability can harm any system in terms of Confidentiality, Integrity and Availability. Likewise, characterizing vulnerabilities and assessing vulnerability risk is a crucial task for cybersecurity managers with respect to resource management. However, the proliferation of software vulnerabilities creates problems related to the response time of security experts. For this reason, this paper proposes a methodology based on RAndom k-labELsets (RAkEL) to estimate software vulnerability characteristics and score from the vulnerability's technical description. The proposed methodology aims to a) improve an existing multi-target methodology and b) be integrated into a Cyber Threat Intelligence (CTI) information sharing system. The results, on a dataset containing more than 130,000 vulnerabilities, clearly showed that the proposed methodology improves on the existing methodology in the estimation of vulnerability characteristics and score.




Acknowledgments

This work is partially funded by the European Union's Horizon 2020 Research and Innovation Programme through the ECHO project (https://echonetwork.eu/) under Grant Agreement No. 830943. This paper reflects only the authors' views. The European Union is not liable for any use that may be made of the information contained therein.

Author information

Correspondence to Georgios Aivatoglou.


Cite this article

Aivatoglou, G., Anastasiadis, M., Spanos, G. et al. A RAkEL-based methodology to estimate software vulnerability characteristics & score - an application to EU project ECHO. Multimed Tools Appl 81, 9459–9479 (2022). https://doi.org/10.1007/s11042-021-11073-x
