DOI: 10.1145/3661167.3661170
Extended abstract

Vulnerability Detection for software-intensive system

Published: 18 June 2024 Publication History

Abstract

Cyberattacks are becoming more sophisticated, and organizations are constantly under threat from various types of security breaches. To protect against these threats, it is essential to identify vulnerabilities and the impact of these weaknesses, and to address them before attackers can exploit them. However, manually identifying and characterizing vulnerabilities can be a time-consuming and tedious process that adds to the workload of cybersecurity experts. To address this challenge, this research plan presents a doctoral research proposal to automate the process of identifying novel technologies, including learning-based technologies, to infer vulnerabilities from a text about an attack. In addition, this research plan uses natural language processing techniques to extract relevant information from attack text and analyze repositories for known vulnerabilities. This research plan presents an in-depth analysis of the research challenges and goals to understand how innovative technologies can be used to detect and identify vulnerabilities in text about attacks. It also covers the preliminary work done, literature review findings, and threats to validity.


Information

Published In

EASE '24: Proceedings of the 28th International Conference on Evaluation and Assessment in Software Engineering
June 2024
728 pages
ISBN: 9798400717017
DOI: 10.1145/3661167

Permission to make digital or hard copies of part or all of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for third-party components of this work must be honored. For all other uses, contact the Owner/Author.

Publisher

Association for Computing Machinery
New York, NY, United States

Author Tags

1. ATT&CK
2. CAPEC
3. CVE
4. CWE
5. Pretrained language models
6. Transformer models

Qualifiers

• Extended-abstract
• Research
• Refereed limited

Conference

EASE 2024

Acceptance Rates

Overall Acceptance Rate 71 of 232 submissions, 31%
