Machine Learning Algorithms for Conversion of CVSS Base Score from 2.0 to 3.x

Nowak, Maciej; Walkowski, Michał; Sujecki, S.

doi:10.1007/978-3-030-77967-2_21

Cited by 5 publications

(7 citation statements)

References 14 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Namely, for each class corresponding to a particular value of the CVSS 3.x

vector component, one has a widely varying number of CVSS 2.0

vectors that map onto it. For instance, to the CVSS 3.x

vector AV component class N map 841 CVSS 2.0

vectors, while to class P 53732 CVSS 2.0

vectors [ 37 ].…”

Section: Research Conceptmentioning

confidence: 99%

“…Therefore, a proprietary undersampling method as described in [ 37 ] was used to obtain a more balanced training set. Using the undersampling method, a common training set was created from the extended CVSS 2.0 vectors, assuming that, for each class of the CVSS 3.x

vector component, we selected only 80 corresponding CVSS 2.0

vectors.…”

Section: Research Conceptmentioning

confidence: 99%

“…Then, for each CVSS 3.x class, the set that provided better performance was selected and was used consistently in the simulations described in Section 3 . The selection procedure is describe in more detail in Section 2.4 and in [ 37 ]. Table 4 provides the information on the selection of the specific CVSS 2.0 extended vector set for each component of the CVSS 3.x vector.…”

Section: Research Conceptmentioning

confidence: 99%

“…Compared to our previous publication [ 37 ], we extended the scope of the basic research with two ML algorithms—SIMCA and PNN. The use of a wide range of ML algorithms allows one to match the most-appropriate method to the specific problem.…”

Section: Research Conceptmentioning

confidence: 99%

See 3 more Smart Citations

Support for the Vulnerability Management Process Using Conversion CVSS Base Score 2.0 to 3.x

Nowak

Walkowski

Sujecki

2023

Sensors

View full text Add to dashboard Cite

COVID-19 forced a number of changes in many areas of life, which resulted in an increase in human activity in cyberspace. Furthermore, the number of cyberattacks has increased. In such circumstances, detection, accurate prioritisation, and timely removal of critical vulnerabilities is of key importance for ensuring the security of various organisations. One of the most-commonly used vulnerability assessment standards is the Common Vulnerability Scoring System (CVSS), which allows for assessing the degree of vulnerability criticality on a scale from 0 to 10. Unfortunately, not all detected vulnerabilities have defined CVSS base scores, or if they do, they are not always expressed using the latest standard (CVSS 3.x). In this work, we propose using machine learning algorithms to convert the CVSS vector from Version 2.0 to 3.x. We discuss in detail the individual steps of the conversion procedure, starting from data acquisition using vulnerability databases and Natural Language Processing (NLP) algorithms, to the vector mapping process based on the optimisation of ML algorithm parameters, and finally, the application of machine learning to calculate the CVSS 3.x vector components. The calculated example results showed the effectiveness of the proposed method for the conversion of the CVSS 2.0 vector to the CVSS 3.x standard.

show abstract

“…Namely, for each class corresponding to a particular value of the CVSS 3.x

vector component, one has a widely varying number of CVSS 2.0

vectors that map onto it. For instance, to the CVSS 3.x

vector AV component class N map 841 CVSS 2.0

vectors, while to class P 53732 CVSS 2.0

vectors [ 37 ].…”

Section: Research Conceptmentioning

confidence: 99%

vector component, we selected only 80 corresponding CVSS 2.0

vectors.…”

Section: Research Conceptmentioning

confidence: 99%

Section: Research Conceptmentioning

confidence: 99%

Section: Research Conceptmentioning

confidence: 99%

See 2 more Smart Citations

Support for the Vulnerability Management Process Using Conversion CVSS Base Score 2.0 to 3.x

Nowak

Walkowski

Sujecki

2023

Sensors

View full text Add to dashboard Cite

show abstract

“…The Common Vulnerability Scoring System (CVSS) classifies the severity of disclosed vulnerabilities [5]. Nowadays, CVSS has undergone three revisions: (i) v1 in 2004 [24], (ii) v2, which includes the CVSS score metric [25], and (iii) v3.1 was published in 2015 for enhancing the process of establishing vulnerability criticality [26]. On the other hand, CWE is a community-developed project to classify security bugs as a list of common software and hardware weaknesses.…”

Section: Introductionmentioning

confidence: 99%

Security vulnerabilities in healthcare: an analysis of medical devices and software

Mejía-Granda,

Fernández-Alemán,

Carrillo-de-Gea

et al. 2023

Med Biol Eng Comput

View full text Add to dashboard Cite

The integration of IoT in healthcare has introduced vulnerabilities in medical devices and software, posing risks to patient safety and system integrity. This study aims to bridge the research gap and provide valuable insights for addressing healthcare vulnerabilities and their mitigation mechanisms. Software vulnerabilities related to health systems from 2001 to 2022 were collected from the National Vulnerability Database (NVD) systematized by software developed by the researchers and assessed by a medical specialist for their impact on patient well-being. The analysis revealed electronic health records, wireless infusion pumps, endoscope cameras, and radiology information systems as the most vulnerable. In addition, critical vulnerabilities were identified, including poor credential management and hard-coded credentials. The investigation provides some insights into the consequences of vulnerabilities in health software products, projecting future security issues by 2025, offers mitigation suggestions, and highlights trends in attacks on life support and health systems are also provided. The healthcare industry needs significant improvements in protecting medical devices from cyberattacks. Securing communication channels and network schema and adopting secure software practices is necessary. In addition, collaboration, regulatory adherence, and continuous security monitoring are crucial. Industries, researchers, and stakeholders can utilize these findings to enhance security and safeguard patient safety. Graphical abstract

show abstract