skip to main content
10.1145/1852666.1852699acmotherconferencesArticle/Chapter ViewAbstractPublication PagescsiirwConference Proceedingsconference-collections
research-article

Vulnerability categorization using Bayesian networks

Published: 21 April 2010 Publication History

Abstract

This paper proposes a novel model and methodology to classify and categorize vulnerabilities according to their security types. We use Bayesian networks to automate the process. An example is provided to demonstrate the process of categorization. The automatically generated result is compared to the CVE type in NVD [6], and it proved the correctness of our method.

Supplementary Material

Supplemental material. (a29-wang_slides.pdf)

References

[1]
M. Bishop. A taxonomy of UNIX system and network vulnerabilities. Technical Report CSE-9510. Davis: Department of Computer Science, University of California; 1995.
[2]
I. V. Krsul. Software vulnerability analysis. Available from: http://www.krsul.org/ivan/articles/main.pdf; May 1998.
[3]
H. S. Venter and J. H. P. Eloff. Harmonising vulnerability categories. South African Computer Journal, 29, 2002.
[4]
H. S. Venter, J. H. P. Eloff, Y. L. Li. Standardising Vulnerability Categories. Computers & Security, 27, p71--83, 2008.
[5]
Melanie Tupper. A Comparison of Word Frequency and N-Gram Based Vulnerability Categorization Using SOM.
[6]
National Vulnerability Database. CWE Cross Section Mapped into by NVD. Available from: http://nvd.nist.gov/cwe.cfm; March 2010.
[7]
J. A. Wang, H. Wang, M. Guo, L. Zhou and J. Camargo, Ranking Attacks Based on Vulnerability Analysis, in Proceedings of the 43rd Annual Hawaii International Conference on System Sciences. Published by the IEEE Computer Society, ISBN: 978-0-7695-3869-3; ISSN 1530--1605. January 5--8, 2010.
[8]
J. A. Wang, L. Zhou, M. Guo, H. Wang, and J. Camargo, Measuring Similarity for Security Vulnerabilities, in Proceedings of the 43rd Annual Hawaii International Conference on System Sciences. Published by the IEEE Computer Society, ISBN: 978-0-7695-3869-3; ISSN 1530--1605. January 5--8, 2010.
[9]
J. A. Wang, Minzhe Guo, Hao Wang, Min Xia, and Lingfeng Zhou, Ontology-based Security Assessment for Software Products, in Proceedings of the 5th Annual Workshop on Cyber Security and Information Intelligence Research: Cyber Security and Information Intelligence Challenges and Strategies, ISBN 978-1-60558-518-5, Oak Ridge, TN, April 13--15, 2009.
[10]
J. A. Wang, M. Guo, and J. Camargo, An Ontological Approach to Computer System Security, Information Security Journal: A Global Perspective, V.19 N.2:61--73, 2010. ISSN: 1939--355.
[11]
Nir Friedman, Dan Geiger, and Moises Goldszmidt, Bayesian Network Classifiers, Machine Learning, V. 29, N. 2--3, Nov/Dec. 1997, pages: 131--163.

Cited By

View all
  • (2022)A Survey on Data-driven Software Vulnerability Assessment and PrioritizationACM Computing Surveys10.1145/352975755:5(1-39)Online publication date: 3-Dec-2022
  • (2022)Is This IoT Device Likely to Be Secure? Risk Score Prediction for IoT Devices Using Gradient Boosting MachinesMobile and Ubiquitous Systems: Computing, Networking and Services10.1007/978-3-030-94822-1_7(115-127)Online publication date: 8-Feb-2022
  • (2022)Automatic software vulnerability classification by extracting vulnerability triggersJournal of Software: Evolution and Process10.1002/smr.2508Online publication date: 8-Sep-2022
  • Show More Cited By

Index Terms

  1. Vulnerability categorization using Bayesian networks

      Recommendations

      Comments

      Information & Contributors

      Information

      Published In

      cover image ACM Other conferences
      CSIIRW '10: Proceedings of the Sixth Annual Workshop on Cyber Security and Information Intelligence Research
      April 2010
      257 pages
      ISBN:9781450300179
      DOI:10.1145/1852666
      Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected]

      Publisher

      Association for Computing Machinery

      New York, NY, United States

      Publication History

      Published: 21 April 2010

      Permissions

      Request permissions for this article.

      Check for updates

      Author Tags

      1. Bayesian networks
      2. categorization
      3. vulnerability analysis and management
      4. vulnerability management

      Qualifiers

      • Research-article

      Conference

      CSIIRW '10

      Contributors

      Other Metrics

      Bibliometrics & Citations

      Bibliometrics

      Article Metrics

      • Downloads (Last 12 months)15
      • Downloads (Last 6 weeks)2
      Reflects downloads up to 19 Feb 2025

      Other Metrics

      Citations

      Cited By

      View all
      • (2022)A Survey on Data-driven Software Vulnerability Assessment and PrioritizationACM Computing Surveys10.1145/352975755:5(1-39)Online publication date: 3-Dec-2022
      • (2022)Is This IoT Device Likely to Be Secure? Risk Score Prediction for IoT Devices Using Gradient Boosting MachinesMobile and Ubiquitous Systems: Computing, Networking and Services10.1007/978-3-030-94822-1_7(115-127)Online publication date: 8-Feb-2022
      • (2022)Automatic software vulnerability classification by extracting vulnerability triggersJournal of Software: Evolution and Process10.1002/smr.2508Online publication date: 8-Sep-2022
      • (2021)Why Some Bug-bounty Vulnerability Reports are Invalid?Proceedings of the 15th ACM / IEEE International Symposium on Empirical Software Engineering and Measurement (ESEM)10.1145/3475716.3484193(1-6)Online publication date: 11-Oct-2021
      • (2020)Detection of Weaknesses in Information Systems for Automatic Selection of Security ActionsAutomatic Control and Computer Sciences10.3103/S014641161908008X53:8(1029-1037)Online publication date: 4-Mar-2020
      • (2020)An automated framework for evaluating open-source web scanner vulnerability severityService Oriented Computing and Applications10.1007/s11761-020-00296-9Online publication date: 18-Jul-2020
      • (2020)CVE Based Classification of Vulnerable IoT SystemsTheory and Applications of Dependable Computer Systems10.1007/978-3-030-48256-5_9(82-93)Online publication date: 22-May-2020
      • (2020)An empirical comparison of commercial and open‐source web vulnerability scannersSoftware: Practice and Experience10.1002/spe.287050:9(1842-1857)Online publication date: 3-Jul-2020
      • (2019)Vulnerability Severity Prediction With Deep Neural Network2019 5th International Conference on Big Data and Information Analytics (BigDIA)10.1109/BigDIA.2019.8802851(114-119)Online publication date: Jul-2019
      • (2019)Combining Bayesian Networks and Fishbone Diagrams to Distinguish Between Intentional Attacks and Accidental Technical FailuresGraphical Models for Security10.1007/978-3-030-15465-3_3(31-50)Online publication date: 31-Mar-2019
      • Show More Cited By

      View Options

      Login options

      View options

      PDF

      View or Download as a PDF file.

      PDF

      eReader

      View online with eReader.

      eReader

      Figures

      Tables

      Media

      Share

      Share

      Share this Publication link

      Share on social media