Predictive Vulnerability Scoring System

Conference:  BlackHat USA 2019

2019-08-08

Summary

The presentation discusses the limitations of the Common Vulnerability Scoring System (CVSS) and proposes a Predictive Vulnerability Scoring System that uses machine learning to predict the probability of a vulnerability being exploited.
  • CVSS scores are not enough to effectively prioritize vulnerabilities
  • The Predictive Vulnerability Scoring System uses data from various sources to create a machine learning model for predicting the probability of a vulnerability being exploited
  • The new scoring system outperforms CVSS on every metric: accuracy, efficiency, and coverage
The speaker explains that organizations too often take the data given to them for granted, which can have disastrous consequences. They then describe collecting data on tens of thousands of vulnerabilities (CVSS scores, CVE and NVD records, scraped mailing lists, and collected data feeds) to build a machine learning model that predicts the probability of a vulnerability being exploited. The new scoring system outperforms CVSS on every metric: accuracy, efficiency, and coverage.

Abstract

Effective prioritization of vulnerabilities is essential to staying ahead of your attackers. While your threat intelligence might expose a wealth of information about attackers and attack paths, integrating it into decision-making is no easy task. Too often, we make the mistake of taking the data given to us for granted – and this has disastrous consequences. We'll explain what we miss by trusting CVSS scores, and what should absolutely be taken into consideration to focus on the vulnerabilities posing the greatest risks to our organizations. We'll look at tens of thousands of vulnerabilities, CVSS scores, CVE, NVD, scraping mailing lists, collecting data feeds and ultimately end up with a few dozen data points that helped us understand the probability of a vulnerability being exploited. Finally, we'll use all that data as well as billions of in-the-wild events collected over 5 years in order to create a machine learning model for predicting the probability of a vulnerability being exploited, a scoring system which outperforms CVSS on every metric: accuracy, efficiency and coverage.
