When a new vulnerability is discovered, a Common Vulnerabilities and Exposures (CVE) identifier is publicly assigned to it. The vulnerability is then analyzed by the US National Institute of Standards and Technology (NIST), whose Common Vulnerability Scoring System (CVSS) assigns it a severity score ranging from 0 to 10. On average, NIST takes 132.7 days to do this, yet early knowledge of the CVSS score is critical for enterprise security managers to take defensive actions (e.g. patch prioritization). We present VASE (Vulnerability Analysis and Scoring Engine), which uses Twitter discussions about CVEs to predict CVSS scores before the official assessments from NIST. In order to leverage the intrinsic correlations between different vulnerabilities, VASE adopts a graph convolutional network (GCN) model in which nodes correspond to CVEs. In addition, we propose a novel attention-based input embedding method to extract useful latent features for each CVE node. We show on real-world data that VASE obtains a mean absolute error (MAE) of 1.255 for predicting the CVSS score using only three days of Twitter discussion data after the date a vulnerability is first mentioned on Twitter. VASE can provide predictions of the CVSS scores for 37.85% of the CVEs at least one week earlier than the official assessments by NIST.
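To make the CVE-node GCN idea concrete, here is an added illustration (not VASE's code and not the authors' attention-based embedding): a constructed graph of placeholder CVE nodes, the renormalised adjacency D^-1/2 (A+I) D^-1/2 used by standard GCN layers, a two-layer propagation that emits a CVSS-range prediction per node, and the MAE metric the abstract reports. The edge semantics (CVEs co-mentioned in tweets), the feature vectors and the weight matrices are all assumptions.

```python
"""Added example: GCN propagation over a constructed CVE graph plus the MAE metric.
Not the VASE implementation; all data below is constructed for illustration."""
import numpy as np

# Constructed sample graph: placeholder CVE ids (not real identifiers) forming a 5-cycle.
# Assumption: an edge means two CVEs were mentioned together in Twitter discussion.
CVE_IDS = ["CVE-PLACEHOLDER-1", "CVE-PLACEHOLDER-2", "CVE-PLACEHOLDER-3",
           "CVE-PLACEHOLDER-4", "CVE-PLACEHOLDER-5"]
EDGES = [(0, 1), (1, 2), (2, 3), (3, 4), (4, 0)]


def normalized_adjacency(n, edges):
    """Return D^-1/2 (A + I) D^-1/2: self-loops added, then symmetric degree scaling."""
    a = np.zeros((n, n))
    for i, j in edges:
        a[i, j] = a[j, i] = 1.0
    a_hat = a + np.eye(n)                       # self-loop so a node keeps its own features
    d_inv_sqrt = 1.0 / np.sqrt(a_hat.sum(axis=1))
    return d_inv_sqrt[:, None] * a_hat * d_inv_sqrt[None, :]


def gcn_layer(a_norm, x, w, relu=True):
    """One GCN layer H' = act(A_norm @ X @ W); each node mixes its neighbours' features."""
    h = a_norm @ x @ w
    return np.maximum(h, 0.0) if relu else h


def predict_cvss(a_norm, x, w1, w2):
    """Two propagation steps, then clip the single output column into the CVSS range [0, 10]."""
    h = gcn_layer(a_norm, x, w1)
    out = gcn_layer(a_norm, h, w2, relu=False)
    return np.clip(out[:, 0], 0.0, 10.0)


def mean_absolute_error(pred, official):
    """MAE between predicted scores and the official NIST CVSS scores (the paper's metric)."""
    return float(np.mean(np.abs(np.asarray(pred, float) - np.asarray(official, float))))


if __name__ == "__main__":
    a_norm = normalized_adjacency(len(CVE_IDS), EDGES)
    # Constructed per-CVE Twitter feature (e.g. a scaled 3-day mention count) and toy weights.
    x = np.array([[3.0], [6.0], [9.0], [12.0], [15.0]])
    w1 = np.array([[1.0]])
    w2 = np.array([[1.0]])
    pred = predict_cvss(a_norm, x, w1, w2)
    official = [7.5, 7.8, 9.8, 9.8, 8.8]          # constructed "official" scores
    for cve, p in zip(CVE_IDS, pred):
        print(f"{cve}: predicted CVSS {p:.2f}")
    print("MAE:", round(mean_absolute_error(pred, official), 3))
```

With the identity weights, the first layer replaces each node's feature by the mean over itself and its two neighbours, which is the neighbourhood smoothing that lets scored CVEs inform the prediction for related, not yet scored ones.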
| Field | Value |
|---|---|
| Title of host publication | Proceedings - 19th IEEE International Conference on Data Mining, ICDM 2019 |
| Editors | Jianyong Wang, Kyuseok Shim, Xindong Wu |
| Publisher | Institute of Electrical and Electronics Engineers Inc. |
| Number of pages | 6 |
| Publication status | Published - 2019 Nov |
| Event | 19th IEEE International Conference on Data Mining, ICDM 2019 - Beijing, China; duration: 2019 Nov 8 → 2019 Nov 11 |
| Name | Proceedings - IEEE International Conference on Data Mining, ICDM |
| Conference | 19th IEEE International Conference on Data Mining, ICDM 2019 |
| Period | 19/11/8 → 19/11/11 |
Bibliographical note (Funding Information): This work is supported by ONR grants N00014-18-1-2670 and N00014-16-1-2896 and ARO grant W911NF-13-1-0421.
© 2019 IEEE.