At the endless booths of this week's RSA security trade show in San Francisco, an overflowing industry of vendors will offer any visitor an ad nauseam array of "threat intelligence" and "vulnerability management" systems. But it turns out that there's already a decent, free feed of vulnerability information that can tell systems administrators what bugs they really need to patch, updated 24/7: Twitter. And one group of researchers has not only measured the value of Twitter's stream of bug data but is also building a piece of free software that automatically tracks it to pull out hackable software flaws and rate their severity. Researchers at Ohio State University, the security company FireEye, and research firm Leidos last week published a paper describing a new system that reads millions of tweets for mentions of software security vulnerabilities and then, using a machine-learning-trained algorithm, assesses how much of a threat each one represents based on how it is described. They found that Twitter can not only predict the majority of security flaws that will show up days later on the National Vulnerability Database--the official register of security vulnerabilities tracked by the National Institute of Standards and Technology--but that natural language processing can also roughly predict which of those vulnerabilities will be given a "high" or "critical" severity rating, with better than 80 percent accuracy.
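The paper's actual model is not reproduced here, but the idea of classifying vulnerability tweets by severity from their wording can be sketched with a minimal bag-of-words Naive Bayes classifier. All tweets, labels, and vocabulary below are invented for illustration:

```python
# Minimal sketch (NOT the researchers' system): a bag-of-words Naive Bayes
# classifier that labels vulnerability tweets as "high" or "low" severity
# based on the words used to describe them. Training examples are invented.
from collections import Counter, defaultdict
import math

def tokenize(text):
    return text.lower().split()

def train(examples):
    """examples: list of (text, label) pairs. Returns word counts per label
    and the number of training documents per label (for the priors)."""
    counts = defaultdict(Counter)
    totals = Counter()
    for text, label in examples:
        counts[label].update(tokenize(text))
        totals[label] += 1
    return counts, totals

def predict(counts, totals, text):
    """Return the label with the highest log-probability under Naive Bayes
    with Laplace (add-one) smoothing."""
    vocab = {w for c in counts.values() for w in c}
    best, best_lp = None, -math.inf
    for label, total in totals.items():
        lp = math.log(total / sum(totals.values()))          # class prior
        denom = sum(counts[label].values()) + len(vocab)      # smoothed denominator
        for w in tokenize(text):
            lp += math.log((counts[label][w] + 1) / denom)    # smoothed likelihood
        if lp > best_lp:
            best, best_lp = label, lp
    return best

examples = [
    ("remote code execution no auth required", "high"),
    ("unauthenticated attacker gains root shell", "high"),
    ("minor information disclosure in verbose logs", "low"),
    ("denial of service requires local access", "low"),
]
counts, totals = train(examples)
print(predict(counts, totals, "unauthenticated remote code execution"))  # high
```

The real system works on millions of tweets and far richer features; this sketch only shows why wording alone carries a usable severity signal.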
Relying on CVSS scores alone to estimate security risk may be placing individuals and enterprises at greater risk than believed, researchers say. The Common Vulnerability Scoring System (CVSS) is a way to document and measure a software vulnerability's risk factors. CVSS has undergone a number of evolutions, the latest being CVSS v3 -- which includes some contextual data -- but many businesses still rely on the system's base score, which only rates severity based on the technical details of the flaw. Without additional data, IT staff may not be addressing a vulnerability's true scope and risk, and patching priorities may suffer as a result. After evaluating over a million unique vulnerabilities, including more than 76,000 vulnerabilities contained in the National Vulnerability Database over a 20-year period, researchers from NopSec concluded that CVSS scores are simply "not enough" to evaluate today's threats properly, and that the enterprise must take contextual information into account to prevent future data breaches and successful cyberattacks based on software flaws.
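To make concrete how little context the base score encodes, here is a sketch of the CVSS v3.1 base-score equation for scope-unchanged vulnerabilities, built from the metric values published in the FIRST specification. It uses only the flaw's technical properties -- nothing about the affected asset, exposure, or active exploitation:

```python
# Sketch of the CVSS v3.1 base score (scope-unchanged case only).
# Metric values are from the FIRST CVSS v3.1 specification; the Roundup
# here uses a simple ceiling to one decimal, which matches the spec's
# intent for these inputs (the spec defines an integer-arithmetic variant
# to avoid floating-point edge cases).
import math

AV  = {"N": 0.85, "A": 0.62, "L": 0.55, "P": 0.2}   # Attack Vector
AC  = {"L": 0.77, "H": 0.44}                         # Attack Complexity
PR  = {"N": 0.85, "L": 0.62, "H": 0.27}              # Privileges Required (scope unchanged)
UI  = {"N": 0.85, "R": 0.62}                         # User Interaction
CIA = {"H": 0.56, "L": 0.22, "N": 0.0}               # Confidentiality/Integrity/Availability

def roundup(x):
    """Smallest number with one decimal place >= x."""
    return math.ceil(x * 10) / 10

def base_score(av, ac, pr, ui, c, i, a):
    iss = 1 - (1 - CIA[c]) * (1 - CIA[i]) * (1 - CIA[a])
    impact = 6.42 * iss
    exploitability = 8.22 * AV[av] * AC[ac] * PR[pr] * UI[ui]
    if impact <= 0:
        return 0.0
    return roundup(min(impact + exploitability, 10))

# CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H -> 9.8 (Critical)
print(base_score("N", "L", "N", "N", "H", "H", "H"))  # 9.8
```

Two flaws with the same vector string always get the same base score, which is exactly the limitation the NopSec researchers point to: the score cannot distinguish a bug that is being actively exploited from one that never will be.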
Each year, thousands of software vulnerabilities are discovered and reported to the public. Unpatched known vulnerabilities are a significant security risk. It is imperative that software vendors quickly provide patches once vulnerabilities are known and that users install those patches as soon as they are available. However, most vulnerabilities are never actually exploited. Since writing, testing, and installing software patches can involve considerable resources, it would be desirable to prioritize the remediation of vulnerabilities that are likely to be exploited. Several published research studies have reported moderate success in applying machine learning techniques to the task of predicting whether a vulnerability will be exploited. These approaches typically use features derived from vulnerability databases (such as the summary text describing the vulnerability) or social media posts that mention the vulnerability by name. However, these prior studies share multiple methodological shortcomings that inflate the predictive power of these approaches. We replicate key portions of the prior work, compare their approaches, and show how the selection of training and test data critically affects the estimated performance of predictive models. The results of this study point to important methodological considerations that should be taken into account so that results reflect real-world utility.
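One of the data-selection issues the abstract alludes to can be illustrated with a toy example: a random train/test split lets "future" vulnerabilities leak into training, whereas a temporal split trains only on vulnerabilities disclosed before the test period. The records below are invented placeholders, not real CVEs:

```python
# Sketch of temporal vs. random train/test splits for exploit prediction.
# Records are invented (CVE-style IDs paired with a disclosure year).
import random

records = [(f"CVE-{year}-{n:04d}", year)
           for year in range(2015, 2021) for n in range(50)]  # 300 records

# Random split: the test set mixes disclosure years freely with training,
# so a model can learn from vulnerabilities disclosed AFTER its test cases.
random.seed(0)
shuffled = records[:]
random.shuffle(shuffled)
rand_train, rand_test = shuffled[:240], shuffled[240:]

# Temporal split: train strictly on earlier disclosures, test on later ones,
# mimicking how the model would actually be deployed.
cutoff = 2019
temp_train = [r for r in records if r[1] < cutoff]
temp_test  = [r for r in records if r[1] >= cutoff]

# Every temporal-test record postdates every temporal-training record.
assert max(y for _, y in temp_train) < min(y for _, y in temp_test)
print(len(temp_train), len(temp_test))  # 200 100
```

Performance estimated under the random split tends to look better than what the temporal split (and the real world) delivers, which is one way the prior studies' results were inflated.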
Tavabi, Nazgol (USC Information Sciences Institute) | Goyal, Palash (USC Information Sciences Institute) | Almukaynizi, Mohammed (Arizona State University) | Shakarian, Paulo (Arizona State University) | Lerman, Kristina (USC Information Sciences Institute)
Software vulnerabilities can expose computer systems to attacks by malicious actors. With the number of vulnerabilities discovered in recent years surging, creating timely patches for every vulnerability is not always feasible. At the same time, not every vulnerability will be exploited by attackers; hence, prioritizing vulnerabilities by assessing the likelihood they will be exploited has become an important research problem. Recent works used machine learning techniques to predict exploited vulnerabilities by analyzing discussions about vulnerabilities on social media. These methods relied on traditional text processing techniques, which represent statistical features of words but fail to capture their context. To address this challenge, we propose DarkEmbed, a neural language modeling approach that learns low-dimensional distributed representations, i.e., embeddings, of darkweb/deepweb discussions to predict whether vulnerabilities will be exploited. By capturing linguistic regularities of human language, such as syntactic and semantic similarity and logical analogy, the learned embeddings are better able to classify discussions about exploited vulnerabilities than traditional text analysis methods. Evaluations demonstrate the efficacy of learned embeddings on both structured text (such as security blog posts) and unstructured text (darkweb/deepweb posts). DarkEmbed outperforms state-of-the-art approaches on the exploit prediction task with an F1-score of 0.74.