Journal of the Korea Institute of Information and Communication Engineering (한국정보통신학회논문지)

The Korea Institute of Information and Commucation Engineering (한국정보통신학회)
권호 표지
DOI QR코드

DOI QR Code

3-Step Security Vulnerability Risk Scoring considering CVE Trends

CVE 동향을 반영한 3-Step 보안 취약점 위험도 스코어링

  • Jihye, Lim (Department of Convergence Security, Chung-Ang University) ;
  • Jaewoo, Lee (Department of Industrial Security, Chung-Ang University)
  • Received : 2022.10.19
  • Accepted : 2022.11.07
  • Published : 2023.01.31
Download PDF
⟨ Previous Next ⟩

Abstract

As the number of security vulnerabilities increases yearly, security threats continue to occur, and the vulnerability risk is also important. We devise a security threat score calculation reflecting trends to determine the risk of security vulnerabilities. The three stages considered key elements such as attack type, supplier, vulnerability trend, and current attack methods and techniques. First, it reflects the results of checking the relevance of the attack type, supplier, and CVE. Secondly, it considers the characteristics of the topic group and CVE identified through the LDA algorithm by the Jaccard similarity technique. Third, the latest version of the MITER ATT&CK framework attack method, technology trend, and relevance between CVE are considered. We used the data within overseas sites provide reliable security information to review the usability of the proposed final formula CTRS. The scoring formula makes it possible to fast patch and respond to related information by identifying vulnerabilities with high relevance and risk only with some particular phrase.

보안 취약점 수가 해마다 증가함에 따라 보안 위협이 지속해서 발생하고 있으며 취약점 위험도의 중요성이 대두되고 있다. 본 논문에서는 보안 취약점 위험도 판단을 위해 동향을 반영한 보안 위협 스코어링 산출식을 고안하였다. 세 단계에 따라 공격 유형과 공급업체, 취약점 동향, 최근 공격 방식과 기법 등의 핵심 항목 요소를 고려하였다. 첫째로는 공격 유형, 공급업체와 CVE 데이터의 관련성 확인 결과를 반영한다. 둘째로는 LDA 알고리즘으로 확인된 토픽 그룹과 CVE 데이터 간 유사성 확인을 위해 자카드 유사도 기법을 사용한다. 셋째로는 최신 버전 MITRE ATT&CK 프레임워크의 공격 방법, 기술 항목 동향과 CVE 간의 관련성 확인 결과를 반영한다. 최종 보안 취약점 위협 산출식 CTRS의 활용성 검토를 위해 공신력 높은 취약점 정보 제공 해외 사이트 내 데이터에 제안한 스코어링 방식을 적용하였다. 본 연구에서 제안한 산출식을 통하여 취약점과 관련된 일부 설명만으로도 관련성과 위험도가 높은 취약점을 확인하여 신속하게 관련 정보를 인지하고 대응할 수 있다.

Keywords

References

  1. CVE Details. Browse Vulnerabilities By Date [Internet]. Available: https://www.cvedetails.com/browse-by-date.php.
  2. MITRE ATT&CK. Enterprise tactics [Internet]. Available: https://attack.mitre.org/tactics/enterprise/.
  3. Towards Data Science. Topic Modeling in Python: Latent Dirichlet Allocation (LDA) [Internet]. Available: https://towardsdatascience.com/end-to-end-topic-modelingin-python-latent-dirichlet-allocation-lda-35ce4ed6b3e0.
  4. LearnDataSci. Jaccard Similarity [Internet]. Available: https://www.learndatasci.com/glossary/jaccard-similarity/.
  5. H. Chen, J. Liu, R. Liu, N. Park, and V. S. Subrahmanian, "VEST: A System for Vulnerability Exploit Scoring & Timing," in Proceeding of the Twenty-Eighth International Joint Conference on Artificial Intelligence, Macao, China, pp. 6503-6505, 2019. DOI: 10.24963/ijcai.2019/937.
  6. M. C. Kim, S. Oh, H. Kang, J. Kim, and H. K. Kim, "Risk Scoring System for Software Vulnerability Using Public Vulnerability Information," Journal of the Korea Institute of Information Security & Cryptology, vol. 28, no. 6, pp. 1449-1461, Dec. 2018. DOI: 10.13089/JKIISC.2018.28.6.1449.
  7. H. H. Jin and H. K. Kim, "A Study on Web Vulnerability Risk Assessment Model Based on Attack Results: Focused on Cyber Kill Chain," Journal of the Korea Institute of Information Security & Cryptology, vol. 31, no. 4, pp. 779-791, Aug. 2021. DOI: 10.13089/JKIISC.2021.31.4.779.
  8. C. Park, "Vulnerability Risk Computation method for Attack Graph Generation," in Proceedings of the Korean Institute of Communication Sciences Conference, Jeju, Korea, pp. 123-124, 2016. DOI: 10.17662/ksdim.2020.16.1.079.
  9. H. -G. Chae, G. -H. Lee, and J. -Y. Lee, "Analysis of Domestic and Foreign Financial Security Research Activities and Trends through Topic Modeling Analysis," Journal of the Korea Industrial Information Systems Research, vol. 26, no. 1, pp. 83-95, Feb. 2021. DOI: 10.9723/jksiis.2021.26.1.083.
  10. S. U. Lee and J. Lee, "Topic Modeling to Identify Cloud Security Trends using news Data Before and After the COVID-19 Pandemic," Convergence Security Journal, vol. 22, no. 2, pp. 67-75, Jun. 2022. DOI: 10.33778/kcsa.2022.22.1.067.
  11. H. S. Choi, W. S. Lee, and S. Y. Sohn, "Analyzing Research Trends in Personal Information Privacy Using Topic Modeling," Computers & Security, vol. 67, pp. 244-253, Jun. 2017. DOI: 10.1016/j.cose.2017.03.007Get rights and content.
  12. The MITRE Corp. Download CVE List [Internet]. Available: https://cve.mitre.org/data/downloads/index.html.
  13. Pythonspot. NLTK stop words [Internet]. Available: https://pythonspot.com/nltk-stop-words/.
  14. S. Cho, Y. Park, K. Lee, C. Choi, C. Shin, and K. Lee, "An APT Attack Scoring Method Using MITRE ATT&CK," Journal of the Korea Institute of Information Security & Cryptology, vol. 32, no. 4, pp. 673-689, Aug. 2022. DOI: 10.13089/JKIISC.2022.32.4.673.
  15. The Hacker News. CISA Warns of Hackers Exploiting Recent Zoho ManageEngine Vulnerability [Internet]. Available: https://thehackernews.com/2022/09/cisa-warns-of-hackersexploiting-recent.html.
  16. The Hacker News. Unpatched Java Spring Framework 0-Day RCE Bug Threatens Enterprise Web Apps Security [Internet]. Available: https://thehackernews.com/2022/03/unpatched-java-spring-framework-0-day.html.
  17. The Hacker News. Hackers Exploiting Unpatched Critical Atlassian Confluence Zero-Day Vulnerability [Internet]. Available: https://thehackernews.com/2022/06/hackersexploiting-unpatched-critical.html.
  18. The Hacker News. Critical VMware Workspace ONE Access Flaw Under Active Exploitation in the Wild [Internet]. Available: https://thehackernews.com/2022/04/vmware-releases-patches-for-critical.html.
  19. The Hacker News. CISA Orders Federal Agencies to Patch Actively Exploited Windows Vulnerability [Internet]. Available: https://thehackernews.com/2022/02/cisa-ordersfederal-agencies-to-patch.html.