TY - GEN
T1 - Risk-ranking matrix for security patching of exploitable vulnerabilities
AU - Hoque, Mohammad Shamsul
AU - Jamil, Norziana
AU - Amin, Nowshad
AU - Mansor, Muhamad
N1 - Publisher Copyright:
© 2023 Author(s).
PY - 2023/5/22
Y1 - 2023/5/22
N2 - A vulnerability in cybersecurity can be any weakness within the software or hardware of an information system, its internal controls, network or system processes that can be exploited to cause damage or to allow an attacker to manipulate the system in some way. Since the late 1980s, cyberattacks that exploit vulnerabilities have evolved and become increasingly sophisticated and dangerous. Successful cyber-attacks primarily take place through the exploitation of vulnerabilities. Although thousands of vulnerabilities are detected and registered each year, it has been observed that only a few of them get exploited by threat actors. Hence, there is a need to utilize machine learning to develop a model that predicts which vulnerabilities are highly exploitable by threat actors and a model that predicts the number of future vulnerabilities, in order to support cost-effective cyber security management. Subsequently, the predicted exploitable vulnerabilities need to be ranked to understand their severity impact if the exploitation is realized. The literature review shows that all the existing machine learning models have primarily utilized the United States (U.S.) vulnerability database, the largest of its kind, as the source of vulnerability data. The literature review also shows that there are existing research works with machine learning approaches to forecast the number of future vulnerabilities and to predict the highly exploitable vulnerabilities, but that a risk ranking matrix is missing in this domain. Hence, filling this gap is an urgent need. The aim of this research is to develop a novel risk matrix that ranks the severity impact of highly exploitable vulnerabilities. To achieve this scope, we have developed a machine learning based model to predict the highly exploitable vulnerabilities, which works as a background engine to find the most exploitable vulnerabilities among the published known vulnerabilities.
Unlike the few existing research works, our proposed risk ranking matrix for the most exploitable vulnerabilities aggregates all the relevant attributes for CVSS base scoring together with the CVSS score itself, and the proposed algorithm has ten risk levels, which are highly granular and flexible. Furthermore, those risk levels can be redefined and scaled to meet any specific security needs. Finally, a proof of concept tool is also developed to demonstrate the proposed vulnerability prediction framework. The proposed risk ranking matrix can significantly support security patching management in a proactive and cost-effective way. Moreover, the proposed models need much less computational resources and time, making them suitable for use at any scale.
AB - A vulnerability in cybersecurity can be any weakness within the software or hardware of an information system, its internal controls, network or system processes that can be exploited to cause damage or to allow an attacker to manipulate the system in some way. Since the late 1980s, cyberattacks that exploit vulnerabilities have evolved and become increasingly sophisticated and dangerous. Successful cyber-attacks primarily take place through the exploitation of vulnerabilities. Although thousands of vulnerabilities are detected and registered each year, it has been observed that only a few of them get exploited by threat actors. Hence, there is a need to utilize machine learning to develop a model that predicts which vulnerabilities are highly exploitable by threat actors and a model that predicts the number of future vulnerabilities, in order to support cost-effective cyber security management. Subsequently, the predicted exploitable vulnerabilities need to be ranked to understand their severity impact if the exploitation is realized. The literature review shows that all the existing machine learning models have primarily utilized the United States (U.S.) vulnerability database, the largest of its kind, as the source of vulnerability data. The literature review also shows that there are existing research works with machine learning approaches to forecast the number of future vulnerabilities and to predict the highly exploitable vulnerabilities, but that a risk ranking matrix is missing in this domain. Hence, filling this gap is an urgent need. The aim of this research is to develop a novel risk matrix that ranks the severity impact of highly exploitable vulnerabilities. To achieve this scope, we have developed a machine learning based model to predict the highly exploitable vulnerabilities, which works as a background engine to find the most exploitable vulnerabilities among the published known vulnerabilities.
Unlike the few existing research works, our proposed risk ranking matrix for the most exploitable vulnerabilities aggregates all the relevant attributes for CVSS base scoring together with the CVSS score itself, and the proposed algorithm has ten risk levels, which are highly granular and flexible. Furthermore, those risk levels can be redefined and scaled to meet any specific security needs. Finally, a proof of concept tool is also developed to demonstrate the proposed vulnerability prediction framework. The proposed risk ranking matrix can significantly support security patching management in a proactive and cost-effective way. Moreover, the proposed models need much less computational resources and time, making them suitable for use at any scale.
UR - https://www.scopus.com/pages/publications/85161482298
UR - https://www.scopus.com/inward/citedby.url?scp=85161482298&partnerID=8YFLogxK
U2 - 10.1063/5.0134560
DO - 10.1063/5.0134560
M3 - Conference contribution
AN - SCOPUS:85161482298
T3 - AIP Conference Proceedings
BT - Proceedings of the 1st International Conference on Frontiers of Digital Technology Towards a Sustainable Society
A2 - Md Lazam, Nor Azlinah
A2 - Daud, Salwani Mohd
A2 - Wahab, Mohd Helmy Abd
PB - American Institute of Physics Inc.
T2 - 1st International Conference on Frontiers of Digital Technology Towards a Sustainable Society, ICDiTS 2021
Y2 - 26 January 2022 through 27 January 2022
ER -