Automatically Locating Mitigation Information for Security Vulnerabilities

Software vulnerabilities pose significant security risks to systems. Patching can usually fix vulnerabilities, but patches are not always available, and in many cases patching is not preferred because of its high overhead and potential service interruptions; this is especially true in the electric industry. In those cases, other mitigation strategies are needed. Information about mitigation strategies can be difficult to find and is typically reported only on vendor or third-party websites. In current practice, security operators locate such information manually, which causes long delays and high operational cost. We consider this problem within the electric industry, where it has particular importance and poses particular challenges because of regulatory requirements. We propose that providing electric utilities with automatically located mitigation information will help them overcome the time burden and mitigate vulnerabilities in a more timely manner. In particular, we develop three methods for automatically retrieving mitigation information from vendor or third-party websites. Experimental results show high performance for all three methods.
