A Recommender System for User-Specific Vulnerability Scoring

Research output: Chapter in book/report/conference proceeding (conference paper in proceeding)

Abstract

With the inclusion of external software components in their software, vendors also need to identify and evaluate vulnerabilities in the components they use. A growing number of external components makes this process more time-consuming, as vendors need to evaluate the severity and applicability of published vulnerabilities. The CVSS score is used to rank the severity of a vulnerability, but in its simplest form it fails to take user properties into account. The CVSS also defines an environmental metric, allowing organizations to manually define individual impact requirements. However, it is limited to explicitly defined user information, and only a subset of vulnerability properties is used in the metric. In this paper we address these shortcomings by presenting a recommender system specifically targeting software vulnerabilities. The recommender considers user history, explicit user properties, and domain-based knowledge. It provides a utility metric for each vulnerability, targeting the specific organization's requirements and needs. An initial evaluation with industry participants shows that the recommender can generate a metric closer to the users' reference rankings, based on predictive and rank accuracy metrics, compared to using the CVSS environmental score.

Details

Subject classification (UKÄ)

  • Systems science, information systems and informatics
Original language: English
Title of host publication: CRiSIS 2019: Risks and Security of Internet and Systems
Publisher: Springer
Pages: 355-364
ISBN (electronic): 978-3-030-41568-6
Status: Published - 2020
Publication category: Research
Peer reviewed: Yes
Event: 14th International Conference on Risk and Security of Internet and Systems, CRISIS 2019 - Hammamet, Tunisia
Duration: 2019 Oct 29 to 2019 Oct 31

Publication series

Name: Lecture Notes in Computer Science
Publisher: Springer
Volume: 12026
ISSN (print): 0302-9743
ISSN (electronic): 1611-3349

Conference

Conference: 14th International Conference on Risk and Security of Internet and Systems, CRISIS 2019
Country: Tunisia
City: Hammamet
Period: 2019/10/29 to 2019/10/31

Related research output

Linus Karlsson, 2019 Sep 30, Department of Electrical and Information Technology, Lund University. 205 pp.

Research output: Thesis, doctoral thesis (compilation)