Predicting exploitation and clustering of vulnerabilities by means of text mining

Master thesis in the field of computer-software engineering

Abstract

Software vulnerabilities can lead to financial and information losses. Due to the limited financial and human resources, prioritizing the damages is very important. Before this research, a large number of researchers have classified vulnerabilities based on empirical and statistical knowledge. However, the variable nature of vulnerabilities makes it impossible to provide a ranking criterion for them.

Vulnerability reports are continuously recorded in various databases. The textual information of vulnerabilities is not fully exploited by existing automatic tools. This research showed that the information in the texts can be used to build predictive models. Text mining is a suitable tool for obtaining information that is effective in making important management decisions.

In the field of predicting utilization using text mining, only one research has been done so far. This research was presented at KDD2010, entitled "Beyond Heuristics: Training for Vulnerability Classification and Exploitation Prediction". This research has answered the following questions using text mining: Will the vulnerability be exploited? When will the vulnerability be exploited? This paper has achieved good results compared to CVSS (which is one of the famous vulnerability metrics). In this research, the above questions and the following new questions have been answered with high accuracy:

           If a system has been exploited, when did this exploitation begin? (Accuracy of answers between 94.5-84%)

           If a system is vulnerable, when will its fixed package be provided by the developers? (Accuracy of answers between 68-91%)

In the field of vulnerability clustering, a lot of research has been done so far. The OSVDB database has various categories for vulnerabilities, but none of these categories are based on the description of the vulnerabilities. In this research, vulnerabilities are clustered using their descriptions, and the resulting categories are: buffer overflow, denial of service, data manipulation, remote control, improper configuration, crack in password, unauthorized access to information, and unauthorized access to service. Manually assigning vulnerabilities to appropriate categories requires human experience and is very tedious. The classification presented in this research provides the possibility of creating software that can automatically assign vulnerabilities to appropriate categories.

In this research, two famous databases of vulnerabilities (OSVDB and CVE), and information on the history of vulnerabilities provided by Stephen Frey, have been used. To predict the use of support vector machine and random forest classifiers, and to perform clustering, the emerging self-organizing mapping method has been used.

Chapter One

Introduction

1-1- Vulnerability[1]

In computer security issues, a vulnerability is a weakness that allows an attacker to exploit It provides the information of a system. Every year, thousands of vulnerabilities are discovered and reported, and millions of dollars are spent all over the world to deal with vulnerabilities. In order to take advantage of the vulnerability of a system, three factors are generally needed: sensitivity or a flaw in the system, the attacker's access to the flaw, and the ability of the attacker to exploit the flaw (1). Among these definitions, the following can be mentioned:

ISO 27005: The weakness of an asset or a group of assets that can be exploited by an individual or a group of individuals (2). In this definition, an asset means anything of value to the organization, for example information resources supported by the organization.

IETF RFC 2828: A flaw or weakness in the design, implementation, operation, or management of a system, which can be exploited to violate the system's security policy (3).

United States National Security Systems Committee[2], in CNSS Instruction No. 4009, dated April 26, 2010, National Information Assurance Glossary: ??Vulnerability is a weakness in an IS, system security procedures, internal controls, or implementation, that can lead to exploitation (4). Compromise the network, program or protocol (5).

Open group[3]: A situation where the attacker's power is greater than the power to resist it (6).

Factor analysis of information risk[4] (FAIR): The probability that an asset will not be able to withstand the risk factors (7).

Data and computer security, a dictionary of concepts and standard terms, authors Dennis Langley[5] and Michael Sheen[6], Stockton Press[7], ISBN 0-935859-17-9:

In computer security, a weakness in the security function of automated systems, supervisor controls, Internet controls, etc., which can be disrupted by an attacker with unauthorized access to information, information processing.

In computer security, a weakness in the physical layer, organization, function, staff, management, supervision, hardware or software that could be exploited with the aim of damaging the system or activity.

In computer security, any weakness or defect in a system, attack, harmful event or access opportunity for a threatening agent, which provides the threat to the agent, is called a vulnerability.

1-1-2- Classification of vulnerabilities

Vulnerabilities are divided into the following categories based on the type of asset (2):

Hardware, for example: susceptibility to Humidity, sensitivity to dust, susceptibility to unprotected storage.

Software, for example: inadequate testing, lack of follow-up.

Network, for example: unprotected communication lines, insecure network architecture.

Employees, for example: inadequate onboarding process, inadequate security awareness.

Location, for example: flood-prone area, unreliable power source.

Organization, for example: lack of regular follow-up, lack of security awareness. Continuity of programs.

1-1-3- Causes of creating vulnerabilities

Some sources and causes of creating vulnerabilities are:

System complexity: the possibility of defects and unwanted access points in large complex systems is more (8). Famously, it increases the probability that an attacker can gain access to knowledge and tools in order to exploit existing defects (9).

Connection: physical connections, privileges[8], ports, protocols and more services and increasing the duration of each of them increases the accessibility to vulnerabilities (7).

Flaws in password management: computer users use weak passwords that can be discovered with little effort or save them in some programs, and These passwords are shared by many applications and web pages (8).

Design flaws in major operating systems: Operating system designers generally choose policies that involve the least user/administrator. For example, operating systems have policies such as the defaults of granting permission to each program and full access of users to the system (8). These defects of operating systems allow viruses and malware to execute commands from the administrator (1).

Browsing Internet websites: Some Internet websites contain spyware or dangerous advertisements, which can be automatically installed on computer systems. After visiting these websites, systems are infected, personal information is collected and sent to a third party (10).

Software bugs: There are exploitable bugs in many software programs. Software bugs may allow attackers to exploit the application (8).

Uncontrolled user input: Applications assume that all user input is secure. Programs that do not check the user's inputs, in fact, provide the possibility of directly executing unwanted commands and manipulating the database (8). Although existing software can provide a good overview of system vulnerabilities in some cases, they cannot replace human investigation of vulnerabilities.