Proactive identification of exploits in the wild through vulnerability mentions online

Mohammed Almukaynizi; Eric Nunes; Krishna Dharaiya; Manoj Senguttuvan; Jana Shakarian; Paulo Shakarian

doi:10.1109/CYCONUS.2017.8167501

Proactive identification of exploits in the wild through vulnerability mentions online

Mohammed Almukaynizi, Eric Nunes, Krishna Dharaiya, Manoj Senguttuvan, Jana Shakarian, Paulo Shakarian

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

26 Scopus citations

Abstract

The number of software vulnerabilities discovered and publicly disclosed is increasing every year; however, only a small fraction of them is exploited in real-world attacks. With limitations on time and skilled resources, organizations often look at ways to identify threatened vulnerabilities for patch prioritization. In this paper, we present an exploit prediction model that predicts whether a vulnerability will be exploited. Our proposed model leverages data from a variety of online data sources (white-hat community, vulnerability researchers community, and darkweb/deepweb sites) with vulnerability mentions. Compared to the standard scoring system (CVSS base score), our model outperforms the baseline models with an F1 measure of 0.40 on the minority class (266% improvement over CVSS base score) and also achieves high True Positive Rate at low False Positive Rate (90%, 13%, respectively). The results demonstrate that the model is highly effective as an early predictor of exploits that could appear in the wild. We also present a qualitative and quantitative study regarding the increase in the likelihood of exploitation incurred when a vulnerability is mentioned in each of the data sources we examine.

Original language	English (US)
Title of host publication	2017 IEEE International Conference on Cyber Conflict U.S., CyCon U.S. 2017 - Proceedings
Editors	Edward Sobiesk, Daniel Bennett, Paul Maxwell
Publisher	Institute of Electrical and Electronics Engineers Inc.
Pages	82-88
Number of pages	7
ISBN (Electronic)	9781538623794
DOIs	https://doi.org/10.1109/CYCONUS.2017.8167501
State	Published - Dec 5 2017
Event	2017 IEEE International Conference on Cyber Conflict U.S., CyCon U.S. 2017 - Washington, United States Duration: Nov 7 2017 → Nov 8 2017

Publication series

Name	2017 IEEE International Conference on Cyber Conflict U.S., CyCon U.S. 2017 - Proceedings
Volume	2017-December

Other

Other	2017 IEEE International Conference on Cyber Conflict U.S., CyCon U.S. 2017
Country/Territory	United States
City	Washington
Period	11/7/17 → 11/8/17

Keywords

adversarial machine learning
darkweb analysis
online vulnerability mentions
vulnerability exploit prediction

ASJC Scopus subject areas

Safety, Risk, Reliability and Quality
Political Science and International Relations
Computer Networks and Communications
Law

Access to Document

10.1109/CYCONUS.2017.8167501

Cite this

Almukaynizi, M., Nunes, E., Dharaiya, K., Senguttuvan, M., Shakarian, J., & Shakarian, P. (2017). Proactive identification of exploits in the wild through vulnerability mentions online. In E. Sobiesk, D. Bennett, & P. Maxwell (Eds.), 2017 IEEE International Conference on Cyber Conflict U.S., CyCon U.S. 2017 - Proceedings (pp. 82-88). (2017 IEEE International Conference on Cyber Conflict U.S., CyCon U.S. 2017 - Proceedings; Vol. 2017-December). Institute of Electrical and Electronics Engineers Inc.. https://doi.org/10.1109/CYCONUS.2017.8167501

Proactive identification of exploits in the wild through vulnerability mentions online. / Almukaynizi, Mohammed; Nunes, Eric; Dharaiya, Krishna; Senguttuvan, Manoj; Shakarian, Jana; Shakarian, Paulo.

2017 IEEE International Conference on Cyber Conflict U.S., CyCon U.S. 2017 - Proceedings. ed. / Edward Sobiesk; Daniel Bennett; Paul Maxwell. Institute of Electrical and Electronics Engineers Inc., 2017. p. 82-88 (2017 IEEE International Conference on Cyber Conflict U.S., CyCon U.S. 2017 - Proceedings; Vol. 2017-December).

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

Almukaynizi, M, Nunes, E, Dharaiya, K, Senguttuvan, M, Shakarian, J & Shakarian, P 2017, Proactive identification of exploits in the wild through vulnerability mentions online. in E Sobiesk, D Bennett & P Maxwell (eds), 2017 IEEE International Conference on Cyber Conflict U.S., CyCon U.S. 2017 - Proceedings. 2017 IEEE International Conference on Cyber Conflict U.S., CyCon U.S. 2017 - Proceedings, vol. 2017-December, Institute of Electrical and Electronics Engineers Inc., pp. 82-88, 2017 IEEE International Conference on Cyber Conflict U.S., CyCon U.S. 2017, Washington, United States, 11/7/17. https://doi.org/10.1109/CYCONUS.2017.8167501

Almukaynizi M, Nunes E, Dharaiya K, Senguttuvan M, Shakarian J, Shakarian P. Proactive identification of exploits in the wild through vulnerability mentions online. In Sobiesk E, Bennett D, Maxwell P, editors, 2017 IEEE International Conference on Cyber Conflict U.S., CyCon U.S. 2017 - Proceedings. Institute of Electrical and Electronics Engineers Inc. 2017. p. 82-88. (2017 IEEE International Conference on Cyber Conflict U.S., CyCon U.S. 2017 - Proceedings). https://doi.org/10.1109/CYCONUS.2017.8167501

Almukaynizi, Mohammed ; Nunes, Eric ; Dharaiya, Krishna ; Senguttuvan, Manoj ; Shakarian, Jana ; Shakarian, Paulo. / Proactive identification of exploits in the wild through vulnerability mentions online. 2017 IEEE International Conference on Cyber Conflict U.S., CyCon U.S. 2017 - Proceedings. editor / Edward Sobiesk ; Daniel Bennett ; Paul Maxwell. Institute of Electrical and Electronics Engineers Inc., 2017. pp. 82-88 (2017 IEEE International Conference on Cyber Conflict U.S., CyCon U.S. 2017 - Proceedings).

@inproceedings{18d0bb511b3541c49add59b64e486334,

title = "Proactive identification of exploits in the wild through vulnerability mentions online",

abstract = "The number of software vulnerabilities discovered and publicly disclosed is increasing every year; however, only a small fraction of them is exploited in real-world attacks. With limitations on time and skilled resources, organizations often look at ways to identify threatened vulnerabilities for patch prioritization. In this paper, we present an exploit prediction model that predicts whether a vulnerability will be exploited. Our proposed model leverages data from a variety of online data sources (white-hat community, vulnerability researchers community, and darkweb/deepweb sites) with vulnerability mentions. Compared to the standard scoring system (CVSS base score), our model outperforms the baseline models with an F1 measure of 0.40 on the minority class (266% improvement over CVSS base score) and also achieves high True Positive Rate at low False Positive Rate (90%, 13%, respectively). The results demonstrate that the model is highly effective as an early predictor of exploits that could appear in the wild. We also present a qualitative and quantitative study regarding the increase in the likelihood of exploitation incurred when a vulnerability is mentioned in each of the data sources we examine.",

keywords = "adversarial machine learning, darkweb analysis, online vulnerability mentions, vulnerability exploit prediction",

author = "Mohammed Almukaynizi and Eric Nunes and Krishna Dharaiya and Manoj Senguttuvan and Jana Shakarian and Paulo Shakarian",

note = "Funding Information: ACKNOWLEDGMENT Some of the authors were supported by the Office of Naval Research (ONR) contract N00014-15-1-2742, the Office of Naval Research (ONR) Neptune program and the ASU Global Security Initiative (GSI). Paulo Shakarian and Jana Shakarian are supported by the Office of the Director of National Intelligence (ODNI) and the Intelligence Advanced Research Projects Activity (IARPA) via the Air Force Research Laboratory (AFRL) contract number FA8750-16-C-0112. The U.S. Government is authorized to reproduce and distribute reprints for Governmental purposes notwithstanding any copyright annotation thereon. Disclaimer: The views and conclusions contained herein are those of the authors and should not be interpreted as necessarily representing the official policies or endorsements, either expressed or implied, of ODNI, IARPA, AFRL, or the U.S. Government. Publisher Copyright: {\textcopyright} 2017 IEEE.; 2017 IEEE International Conference on Cyber Conflict U.S., CyCon U.S. 2017 ; Conference date: 07-11-2017 Through 08-11-2017",

year = "2017",

month = dec,

day = "5",

doi = "10.1109/CYCONUS.2017.8167501",

language = "English (US)",

series = "2017 IEEE International Conference on Cyber Conflict U.S., CyCon U.S. 2017 - Proceedings",

publisher = "Institute of Electrical and Electronics Engineers Inc.",

pages = "82--88",

editor = "Edward Sobiesk and Daniel Bennett and Paul Maxwell",

booktitle = "2017 IEEE International Conference on Cyber Conflict U.S., CyCon U.S. 2017 - Proceedings",

}

TY - GEN

T1 - Proactive identification of exploits in the wild through vulnerability mentions online

AU - Almukaynizi, Mohammed

AU - Nunes, Eric

AU - Dharaiya, Krishna

AU - Senguttuvan, Manoj

AU - Shakarian, Jana

AU - Shakarian, Paulo

N1 - Funding Information: ACKNOWLEDGMENT Some of the authors were supported by the Office of Naval Research (ONR) contract N00014-15-1-2742, the Office of Naval Research (ONR) Neptune program and the ASU Global Security Initiative (GSI). Paulo Shakarian and Jana Shakarian are supported by the Office of the Director of National Intelligence (ODNI) and the Intelligence Advanced Research Projects Activity (IARPA) via the Air Force Research Laboratory (AFRL) contract number FA8750-16-C-0112. The U.S. Government is authorized to reproduce and distribute reprints for Governmental purposes notwithstanding any copyright annotation thereon. Disclaimer: The views and conclusions contained herein are those of the authors and should not be interpreted as necessarily representing the official policies or endorsements, either expressed or implied, of ODNI, IARPA, AFRL, or the U.S. Government. Publisher Copyright: © 2017 IEEE.

PY - 2017/12/5

Y1 - 2017/12/5

N2 - The number of software vulnerabilities discovered and publicly disclosed is increasing every year; however, only a small fraction of them is exploited in real-world attacks. With limitations on time and skilled resources, organizations often look at ways to identify threatened vulnerabilities for patch prioritization. In this paper, we present an exploit prediction model that predicts whether a vulnerability will be exploited. Our proposed model leverages data from a variety of online data sources (white-hat community, vulnerability researchers community, and darkweb/deepweb sites) with vulnerability mentions. Compared to the standard scoring system (CVSS base score), our model outperforms the baseline models with an F1 measure of 0.40 on the minority class (266% improvement over CVSS base score) and also achieves high True Positive Rate at low False Positive Rate (90%, 13%, respectively). The results demonstrate that the model is highly effective as an early predictor of exploits that could appear in the wild. We also present a qualitative and quantitative study regarding the increase in the likelihood of exploitation incurred when a vulnerability is mentioned in each of the data sources we examine.

AB - The number of software vulnerabilities discovered and publicly disclosed is increasing every year; however, only a small fraction of them is exploited in real-world attacks. With limitations on time and skilled resources, organizations often look at ways to identify threatened vulnerabilities for patch prioritization. In this paper, we present an exploit prediction model that predicts whether a vulnerability will be exploited. Our proposed model leverages data from a variety of online data sources (white-hat community, vulnerability researchers community, and darkweb/deepweb sites) with vulnerability mentions. Compared to the standard scoring system (CVSS base score), our model outperforms the baseline models with an F1 measure of 0.40 on the minority class (266% improvement over CVSS base score) and also achieves high True Positive Rate at low False Positive Rate (90%, 13%, respectively). The results demonstrate that the model is highly effective as an early predictor of exploits that could appear in the wild. We also present a qualitative and quantitative study regarding the increase in the likelihood of exploitation incurred when a vulnerability is mentioned in each of the data sources we examine.

KW - adversarial machine learning

KW - darkweb analysis

KW - online vulnerability mentions

KW - vulnerability exploit prediction

UR - http://www.scopus.com/inward/record.url?scp=85045989630&partnerID=8YFLogxK

UR - http://www.scopus.com/inward/citedby.url?scp=85045989630&partnerID=8YFLogxK

U2 - 10.1109/CYCONUS.2017.8167501

DO - 10.1109/CYCONUS.2017.8167501

M3 - Conference contribution

AN - SCOPUS:85045989630

T3 - 2017 IEEE International Conference on Cyber Conflict U.S., CyCon U.S. 2017 - Proceedings

SP - 82

EP - 88

BT - 2017 IEEE International Conference on Cyber Conflict U.S., CyCon U.S. 2017 - Proceedings

A2 - Sobiesk, Edward

A2 - Bennett, Daniel

A2 - Maxwell, Paul

PB - Institute of Electrical and Electronics Engineers Inc.

T2 - 2017 IEEE International Conference on Cyber Conflict U.S., CyCon U.S. 2017

Y2 - 7 November 2017 through 8 November 2017

ER -

Proactive identification of exploits in the wild through vulnerability mentions online

Abstract

Publication series

Other

Keywords

ASJC Scopus subject areas

Access to Document

Other files and links

Fingerprint

Cite this