Data set description:
The NVD contains nearly 180,000 vulnerability records published over nearly 20 years. Over the years, the data definitions and fields have changed multiple times; scoring is one example. The current scoring system is CVSS version 3. Each record contains over 35 different data points, including both version 2 and version 3 scoring, and is identified by a unique CVE number. This makes it easy to join complementary information such as EPSS scores for each vulnerability. The CVSS Base Metrics have three sub-groupings: exploitability metrics, impact metrics, and scope. However, most vulnerabilities only include the base exploitability and impact assessments. When looking up a CVSS score for a vulnerability in the NVD, the reported score is almost always the CVSS base score.
The Exploit Prediction Scoring System (EPSS) is the second data set used to complement the CVE dictionary. EPSS is an open-source collaboration that uses machine learning to estimate the likelihood that a vulnerability will be exploited in the wild. The EPSS model scores vulnerabilities between 0 and 1; the higher the score, the greater the probability that a vulnerability will be exploited (The EPSS Model, 2022). Every vulnerability in the CVE dictionary is scored. The EPSS score will be joined to the CVE dictionary on the CVE number.
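As an added example that is not part of the original write-up, the CVE-keyed join described above over a few constructed rows. The NVD-style field names, the EPSS CSV layout (cve,epss,percentile behind a comment line) and every value are assumptions; the severity fallback to the version 2 score covers the records that carry no version 3 scoring, and an EPSS value outside the documented 0 to 1 range is rejected rather than silently ranked.

```python
import csv
import io

# Constructed sample NVD-style records (not real data): a CVE id, a v2 base
# score, an optional v3 base score (many records lack one) and an attached CWE.
NVD_ROWS = [
    {"cve": "CVE-2000-0001", "cvss_v2": 7.5, "cvss_v3": None, "cwe": "CWE-79"},
    {"cve": "CVE-2000-0002", "cvss_v2": 5.0, "cvss_v3": 9.8, "cwe": None},
    {"cve": "CVE-2000-0003", "cvss_v2": 4.3, "cvss_v3": 6.1, "cwe": "CWE-89"},
]

# Constructed EPSS CSV in the assumed published layout; scores are made up.
EPSS_CSV = """#model_version:v0,score_date:2022-01-01T00:00:00+0000
cve,epss,percentile
CVE-2000-0001,0.97000,0.99900
CVE-2000-0003,0.00045,0.12000
"""


def load_epss(text):
    """Parse EPSS CSV into {cve: probability}; skip '#' comment lines and
    reject any score outside the documented [0, 1] range."""
    lines = [ln for ln in text.splitlines() if not ln.startswith("#")]
    scores = {}
    for row in csv.DictReader(io.StringIO("\n".join(lines))):
        p = float(row["epss"])
        if not 0.0 <= p <= 1.0:
            raise ValueError(f"EPSS out of range for {row['cve']}: {p}")
        scores[row["cve"]] = p
    return scores


def join_nvd_epss(nvd_rows, epss):
    """Left-join EPSS onto NVD records by CVE id. A record with no EPSS entry
    is kept with epss=None, not dropped. Severity is the v3 base score where
    present, else the v2 base score, so v2-only records stay comparable."""
    joined = []
    for r in nvd_rows:
        has_v3 = r["cvss_v3"] is not None
        joined.append({
            "cve": r["cve"],
            "base_score": r["cvss_v3"] if has_v3 else r["cvss_v2"],
            "cvss_version": 3 if has_v3 else 2,
            "epss": epss.get(r["cve"]),
            "cwe": r["cwe"],
        })
    # Rank by likelihood (EPSS) first, then impact (base score); no EPSS sorts last.
    joined.sort(key=lambda j: (j["epss"] if j["epss"] is not None else -1.0,
                               j["base_score"]), reverse=True)
    return joined


if __name__ == "__main__":
    for j in join_nvd_epss(NVD_ROWS, load_epss(EPSS_CSV)):
        print(j)
```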
Lastly, the Common Weakness Enumeration (CWE) dataset will be used to match vulnerabilities to weaknesses. The CWE dataset contains 926 software and hardware weaknesses. Software weaknesses contain 40 higher-level categorical weaknesses; hardware weaknesses similarly contain 12 higher-level categorical weaknesses. Some weaknesses are already attached to the vulnerabilities. CWEs will be combined with the vulnerabilities by using those already-matched weaknesses as supervised-learning training data to predict the likelihood of a match.
Challenges: Available but not used is the Common Platform Enumeration (CPE). Many people have already reported on CVEs by platform. However, there are many problems with using platforms for analytics. First, participation in the NVD is voluntary for manufacturers. Microsoft is an active participant with a whole range of products that are widely used around the world. Tracking vulnerabilities by CPE therefore skews the results towards active participants and the most widely used products. This can be an area for further exploration by other analysts.