ABSTRACT
The security demands on modern system administration are enormous and getting worse. Chief among these demands, administrators must monitor the continual disclosure of software vulnerabilities that have the potential to compromise their systems in some way. Such vulnerabilities include buffer overflow errors, improperly validated inputs, and other unanticipated attack modalities. In 2008, over 7,400 new vulnerabilities were disclosed, well over 100 per week. While no enterprise is affected by all of these disclosures, administrators commonly face many outstanding vulnerabilities across the software systems they manage. Vulnerabilities can be addressed by patches, reconfigurations, and other workarounds; however, these actions may incur downtime or unforeseen side effects. Thus, a key question for systems administrators is which vulnerabilities to prioritize. From publicly available databases that document past vulnerabilities, we show how to train classifiers that predict whether and how soon a vulnerability is likely to be exploited. As input, our classifiers operate on high-dimensional feature vectors that we extract from the text fields, time stamps, cross references, and other entries in existing vulnerability disclosure reports. Compared to current industry-standard heuristics based on expert knowledge and static formulas, our classifiers predict much more accurately whether and how soon individual vulnerabilities are likely to be exploited.
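The pipeline the abstract describes, in miniature, as an added example that is not code from the paper: sparse feature vectors are extracted from the text, vendor, cross-reference and time-stamp fields of disclosure records, and a linear classifier (a perceptron standing in for the paper's linear SVM) is trained to predict whether an exploit appears, either at all or within a chosen number of days. All records, vendor names, reference sources and dates below are constructed for illustration.

```python
import re
from datetime import date

# Constructed records: (title, vendor, disclosure date, days to patch, cross refs, days to exploit or None)
RECORDS = [
    ("remote stack overflow in image parser", "acme", date(2008, 3, 2), 18, ["cve", "osvdb"], 7),
    ("remote code execution in form handler", "widgetco", date(2008, 5, 14), 2, ["cve", "secunia"], 16),
    ("remote heap overflow in rpc service", "acme", date(2007, 11, 1), 39, ["cve", "osvdb", "bugtraq"], 3),
    ("local privilege escalation in helper", "widgetco", date(2008, 1, 8), 1, ["cve"], None),
    ("information leak in log viewer", "acme", date(2008, 7, 21), 40, ["osvdb"], None),
    ("unsafe deserialization in admin ui", "widgetco", date(2008, 2, 3), 2, ["cve", "vendor"], 90),
]

def features(rec):
    """Binary sparse features from the text, vendor, cross-reference and time-stamp fields."""
    title, vendor, disclosed, patch_days, refs, _ = rec  # exploit timing is the label, never a feature
    f = {"bias": 1.0}
    f.update({"word=" + tok: 1.0 for tok in re.findall(r"[a-z0-9]+", title.lower())})
    f["vendor=" + vendor] = 1.0
    f.update({"ref=" + src: 1.0 for src in refs})
    f["year=%d" % disclosed.year] = 1.0
    f["patch_delay>7d"] = float(patch_days > 7)
    return f

def label(rec, horizon=None):  # exploit seen at all (horizon=None) or within `horizon` days
    days = rec[5]
    return days is not None and (horizon is None or days <= horizon)

def predict(w, f):
    """Linear decision rule over sparse features (a stand-in for the paper's linear SVM)."""
    return sum(w.get(k, 0.0) * v for k, v in f.items()) > 0.0

def train(data, epochs=200):
    """Perceptron training; returns (weights, errors in the final epoch), 0 errors = data fit."""
    w, errors = {}, 0
    for _ in range(epochs):
        errors = 0
        for f, y in data:
            if predict(w, f) != y:  # update weights on each mistake
                errors += 1
                step = 1.0 if y else -1.0
                for k, v in f.items():
                    w[k] = w.get(k, 0.0) + step * v
        if errors == 0:
            break
    return w, errors

def fit(horizon=None):  # one classifier per exploit-timing horizon (None = ever exploited)
    return train([(features(r), label(r, horizon)) for r in RECORDS])
```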
Index Terms
- Beyond heuristics: learning to classify vulnerabilities and predict exploits