Abstract
With the inclusion of external software components in their software, vendors also need to identify and evaluate vulnerabilities in the components they use. A growing number of external components makes this process more time-consuming, as vendors need to evaluate the severity and applicability of published vulnerabilities. The CVSS score is used to rank the severity of a vulnerability, but in its simplest form, it fails to take user properties into account. The CVSS also defines an environmental metric, allowing organizations to manually define individual impact requirements. However, it is limited to explicitly defined user information and only a subset of vulnerability properties is used in the metric. In this paper we address these shortcomings by presenting a recommender system specifically targeting software vulnerabilities. The recommender considers both user history, explicit user properties, and domain based knowledge. It provides a utility metric for each vulnerability, targeting the specific organization’s requirements and needs. An initial evaluation with industry participants shows that the recommender can generate a metric closer to the users’ reference rankings, based on predictive and rank accuracy metrics, compared to using CVSS environmental score.
Access this chapter
Tax calculation will be finalised at checkout
Purchases are for personal use only
References
Aggarwal, C.C.: Recommender Systems. Springer, Cham (2016). https://doi.org/10.1007/978-3-319-29659-3
Chen, L., Sycara, K.: WebMate: a personal agent for browsing and searching. In: Proceedings of the Second International Conference on Autonomous Agents, AGENTS 1998, pp. 132–139. ACM (1998)
Farris, K.A., Shah, A., Cybenko, G., Ganesan, R., Jajodia, S.: Vulcon: a system for vulnerability prioritization, mitigation, and management. ACM Trans. Priv. Secur. (TOPS) 21(4), 1–28 (2018)
First: Common vulnerability scoring system v3.0: Specification document. https://www.first.org/cvss/specification-document
Gadepally, V.N., et al.: Recommender systems for the department of defense and the intelligence community. MIT Lincoln Laboratory (2016)
Lee, Y., Shin, S.: Toward semantic assessment of vulnerability severity: a text mining approach. In: 1st International Workshop on EntitY REtrieval (EYRE 2018) (2018)
Liu, Q., Zhang, Y.: VRSS: a new system for rating and scoring vulnerabilities. Comput. Commun. 34, 264–273 (2011)
Mell, P.M., et al.: A complete guide to the common vulnerability scoring system version 2.0 (2007). https://www.nist.gov/publications/complete-guide-common-vulnerability-scoring-system-version-20
Van Meteren, R., Van Someren, M.: Using content-based filtering for recommendation. In: Proceedings of ECML 2000 Workshop: Machine Learning in Information Age, pp. 47–56 (2000)
MITRE Corporation: CVE details. https://www.cvedetails.com/
NIST: National vulnerability database. https://nvd.nist.gov/
Rapid7: Vulnerability and exploit database. https://www.rapid7.com/db
Smyth, B.: Case-based recommendation. In: Brusilovsky, P., Kobsa, A., Nejdl, W. (eds.) The Adaptive Web. LNCS, vol. 4321, pp. 342–376. Springer, Heidelberg (2007). https://doi.org/10.1007/978-3-540-72079-9_11
Spanos, G., Sioziou, A., Angelis, L.: WIVSS: a new methodology for scoring information systems vulnerabilities. In: Proceedings of the 17th Panhellenic Conference on Informatics, PCI 2013, pp. 83–90. ACM, New York (2013)
Yao, Y.Y.: Measuring retrieval effectiveness based on user preference of documents. J. Am. Soc. Inf. Sci. 46(2), 133–145 (1995)
Acknowledgements
This work was partially supported by the Swedish Foundation for Strategic Research, grant RIT17-0035, and partially supported by the Wallenberg Autonomous Systems and Software Program (WASP) funded by Knut and Alice Wallenberg foundation.
Author information
Authors and Affiliations
Corresponding author
Editor information
Editors and Affiliations
Rights and permissions
Copyright information
© 2020 Springer Nature Switzerland AG
About this paper
Cite this paper
Karlsson, L., Bideh, P.N., Hell, M. (2020). A Recommender System for User-Specific Vulnerability Scoring. In: Kallel, S., Cuppens, F., Cuppens-Boulahia, N., Hadj Kacem, A. (eds) Risks and Security of Internet and Systems. CRiSIS 2019. Lecture Notes in Computer Science(), vol 12026. Springer, Cham. https://doi.org/10.1007/978-3-030-41568-6_23
Download citation
DOI: https://doi.org/10.1007/978-3-030-41568-6_23
Published:
Publisher Name: Springer, Cham
Print ISBN: 978-3-030-41567-9
Online ISBN: 978-3-030-41568-6
eBook Packages: Computer ScienceComputer Science (R0)