Fighting N-day vulnerabilities with automated CVSS vector prediction at disclosure


Research area: Strategies



Conference: ARES '20: Proceedings of the 15th International Conference on Availability, Reliability and Security


Abstract

The Common Vulnerability Scoring System (CVSS) is the industry standard for describing the characteristics of a software vulnerability and measuring its severity. However, during the first days after a vulnerability disclosure, the initial human readable description of the vulnerability is not available as a machine readable CVSS vector yet. This situation creates a period of time when only expensive manual analysis can be used to react to new vulnerabilities because no data is available for cheaper automated analysis yet. We present a new technique based on linear regression to automatically predict the CVSS vector of newly disclosed vulnerabilities using only their human readable descriptions, with a strong emphasis on decision explicability. Our experimental results suggest real world applicability.


Author Profiles

Clément Elbaz, Univ Rennes Inria CNRS IRISA Rennes France

Louis Rilling, DGA Rennes France

Christine Morin, Inria Rennes France

📄 Paper information

Publication year: 2020
Citations: 45
Country of publication: France
Site: ACM
