A New Vulnerability Reporting Framework for Software Vulnerability Databases

Full Text (PDF, 417KB), PP.11-19


Author(s)

Hakan Kekül 1,*, Burhan Ergen 2, Halil Arslan 3

1. University of Fırat, Institute of Science, Elazığ, Turkey; Sivas Information Technology Technical High School, Diriliş Mahallesi Rüzgarli Sokak No. 21, Sivas, Turkey

2. University of Fırat, Faculty of Engineering, Computer Engineering Department, Elazığ, Turkey

3. University of Sivas Cumhuriyet, Faculty of Engineering, Computer Engineering Department, Sivas, Turkey

* Corresponding author.

DOI: https://doi.org/10.5815/ijeme.2021.03.02

Received: 7 Jan. 2021 / Revised: 19 Feb. 2021 / Accepted: 7 Mar. 2021 / Published: 8 Jun. 2021

Index Terms

Software Security, Software Vulnerability, Vulnerability Databases, Cyber Security, Information Security.

Abstract

Cyber security is one of the fundamental research areas of software engineering. The systems that make up today's information infrastructure have been built largely on software, and security vulnerabilities in that software can have undesirable consequences. Managing software vulnerabilities correctly is therefore essential, and an effective communication mechanism and common standards should be established among those working in this field. The importance of the subject has been recognised in recent years and the number of studies in this area has steadily increased, with machine learning algorithms being used more and more frequently. Although a large amount of data has accumulated in vulnerability databases, much of it is unstructured: vulnerability databases and security reports are written in natural language so that people can read and interpret them, which makes them difficult for machines to read and process. Our study focuses on the difficulties caused by this unstructured, natural-language form. To investigate the problem, we first examined and evaluated the up-to-date, publicly accessible databases used in scientific research. We then proposed a three-stage security framework in which machines process vulnerability data to assist experts from the notification stage through to the reporting stage. The rules and flow charts of each stage are defined. So that different databases can apply the framework within their own systems, its rules are defined as a guideline of flexible directions rather than rigid requirements. The focus is not on the methods and tools used, but on defining the outputs as common, comparable attributes.

Cite This Paper

Hakan Kekül, Burhan Ergen, Halil Arslan, "A New Vulnerability Reporting Framework for Software Vulnerability Databases", International Journal of Education and Management Engineering (IJEME), Vol. 11, No. 3, pp. 11-19, 2021. DOI: 10.5815/ijeme.2021.03.02
