Vulnerability exploitability assessment method based on network environment

doi:10.7523/j.ucas.2023.037

Abstract

Abstract: The common vulnerability scoring system is the most widely used vulnerability evaluation method, but its evaluation results tend to be the harmfulness of the vulnerability itself, ignoring the network environment factors. In view of the above problems, we propose a network environment-oriented vulnerability exploitability assessment method. Based on the experience of group experts, using statistical methods to select vulnerability attributes, the vulnerability exploitability assessment metric system is constructed. And combined with the target environment attributes, this method can evaluate the vulnerability exploitability based on the K-nearest neighbor (KNN) algorithm. This method performs accurate and intelligent assessment of known and unknown vulnerabilities, integrating the impact of the target environment and reducing the reliance on expert experience. At last, we validate the method through experiments. Our method provides a scientific decision-making basis for network security protection measures.

Key words: cybersecurity, vulnerability assessment, exploitability, metric parsimony, machine learning

CLC Number:

TP393

ZHENG Jinghua, KAI Shaofeng, SHI Fan. Vulnerability exploitability assessment method based on network environment[J]. Journal of University of Chinese Academy of Sciences, 2024, 41(6): 842-852.

References

[1] Singh U K, Joshi C. Quantitative security risk evaluation using CVSS metrics by estimation of frequency and maturity of exploit[C]//2016 Proceedings of the World Congress on Engineering and Computer Science (WCECS). October 19-21, 2016, San Francisco, USA. Newswood Limited, 2016: 170-175.
[2] Gallon L. On the impact of environmental metrics on CVSS scores[C]//2010 IEEE Second International Conference on Social Computing (SocialCom). September 30, 2010, Minneapolis, MN, USA. IEEE, 2010: 987-992. DOI:10.1109/SocialCom.2010.146.
[3] Allodi L, Biagioni S, Crispo B, et al. Estimating the assessment difficulty of CVSS environmental metrics: an experiment[C]//2017 Future Data and Security Engineering: 4th International Conference (FDSE). November 29–December 1, 2017, Ho Chi Minh City, Vietnam. Springer, 2017: 23-39. DOI:10.1007/978-3-319-70004-5_2.
[4] Holm H, Afridi K K. An expert-based investigation of the common vulnerability scoring system[J]. Computers & Security, 2015, 53: 18-30. DOI:10.1016/j.cose.2015.04.012.
[5] Peterson L E. K-nearest neighbor[J]. Scholarpedia, 2009, 4(2): 1883. DOI:10.4249/scholarpedia.1883.
[6] Kramer O. K-nearest neighbors[M]//Dimensionality Reduction with Unsupervised Nearest Neighbors, Berlin:Springer Berlin Heidelberg, 2013: 13-23. DOI: 10.1007/978-3-642-38652-7_2.
[7] 王秋艳, 张玉清. 一种通用漏洞评级方法[J]. 计算机工程, 2008, 34(19): 133-136, 140. DOI: 10.3969/j.issn.1000-3428.2008.19.046.
[8] 温涛. 安全漏洞危害评估研究暨标准漏洞库的设计与实现[D].西安：西安电子科技大学, 2016.
[9] 贾炜, 冯登国, 连一峰. 基于网络中心性的计算机网络脆弱性评估方法[J]. 中国科学院研究生院学报, 2012, 29(4): 529-535. DOI: 10.7523/j.issn.2095-6134.2012. 4.015.
[10] Ammann P, Wijesekera D, Kaushik S. Scalable, graph-based network vulnerability analysis[C]//2002 Proceedings of the 9th ACM Conference on Computer and Communications Security (CCS). November 18–22, 2002, Washington, DC, USA. ACM, 2002: 217-224. DOI:10.1145/586110.586140.
[11] Dawkins J, Hale J. A systematic approach to multi-stage network attack analysis[C]//2004 Second IEEE International Information Assurance Workshop (IWIA). August 24, 2004, Charlotte, NC, USA. IEEE, 2004: 48-56. DOI:10.1109/IWIA.2004.1288037.
[12] 陆余良, 夏阳. 主机安全量化融合模型研究[J]. 计算机学报, 2005(05): 914-920. DOI：10.3321/j.issn:0254-4164.2005.05.021.
[13] Kalogeraki E M, Papastergiou S, Panayiotopoulos T. An attack simulation and evidence chains generation model for critical information infrastructures[J]. Electronics, 2022, 11(3): 404. DOI: 10.3390/electronics11030404.
[14] Forum of Incident Response and Security Teams. Common vulnerability scoring system[EB/OL]. (2021-12-25)[2021/12/29]. https://www.first.org/cvss/.
[15] Schiffman M, Wright A, Ahmad D, et al. The common vulnerability scoring system[R]. National Infrastructure Advisory Council, Vulnerability Disclosure Working Group, Vulnerability Scoring Subgroup, 2004:2-20.
[16] Mell P, Scarfone K, Romanosky S. Common vulnerability scoring system[J]. IEEE Security & Privacy, 2006, 4(6): 85-89. DOI:10.1109/MSP.2006.145.
[17] 雷柯楠, 张玉清, 吴晨思, 等.基于漏洞类型的漏洞可利用性量化评估系统[J].计算机研究与发展, 2017, 54(10):2296-2309. DOI：10.7544/issn1000-1239.2017.20170457.
[18] Liu Q X, Zhang Y Q, Kong Y, et al. Improving VRSS-based vulnerability prioritization using analytic hierarchy process[J]. Journal of Systems and Software, 2012, 85(8): 1699-1708. DOI: 10.1016/j.jss.2012.03.057.
[19] Keskin O, Gannon N, Lopez B, et al. Scoring cyber vulnerabilities based on their impact on organizational goals[C]//2021 Systems and Information Engineering Design Symposium (SIEDS). April 29-30, 2021, Charlottesville, VA, USA. IEEE, 2021: 1-6. DOI: 10.1109/SIEDS52267. 2021.9483741.
[20] Yin J, Tang M J, Cao J L, et al. A real-time dynamic concept adaptive learning algorithm for exploitability prediction[J]. Neurocomputing, 2022, 472: 252-265. DOI: 10.1016/j.neucom.2021.01.144.
[21] Lyu J H, Bai Y D, Xing Z C, et al. A character-level convolutional neural network for predicting exploitability of vulnerability[C]//2021 International Symposium on Theoretical Aspects of Software Engineering (TASE). August 25-27, 2021, Shanghai, China. IEEE, 2021: 119-126. DOI: 10.1109/TASE52547.2021.00014.
[22] Bhatt N, Anand A, Yadavalli V S S. Exploitability prediction of software vulnerabilities[J]. Quality and Reliability Engineering International, 2021, 37(2): 648-663. DOI:10.1002/qre.2754.
[23] Yin J, Tang M J, Cao J L, et al. Apply transfer learning to cybersecurity: predicting exploitability of vulnerabilities by description[J]. Knowledge-Based Systems, 2020, 210: 106529. DOI: 10.1016/j.knosys.2020.106529.
[24] Fang Y, Liu Y C, Huang C, et al. FastEmbed: predicting vulnerability exploitation possibility based on ensemble machine learning algorithm[J]. PLoS One, 2020, 15(2): e0228439. DOI: 10.1371/journal.pone.0228439.
[25] 孙宇祥, 周献中, 戴迪.基于属性约简与BP神经网络的舰艇目标威胁评估方法[J].指挥与控制学报, 2021, 7(4):397-402. DOI:10.3969/j.issn.2096-0204.2021.04.0397.
[26] 毋雪雁, 王水花, 张煜东.K最近邻算法理论与应用综述[J].计算机工程与应用, 2017, 53(21):1-7. DOI：10.3778/j.issn.1002-8331.1707-0202.
[27] 张庆国, 张宏伟, 张君玉. 一种基于 k最近邻的快速文本分类方法[J]. 中国科学院研究生院学报, 2005, 22(5): 554-559. DOI: 10.7523/j.issn.2095-6134.2005.5.004.