A vulnerability in cybersecurity is any weakness in the software or hardware of an information system, or in its internal controls, network or system processes, that can be exploited to cause damage or to allow an attacker to manipulate the system in some way. Since the late 1980s, cyberattacks that exploit vulnerabilities have evolved and become increasingly sophisticated and dangerous. Successful cyberattacks primarily take place through the exploitation of vulnerabilities. Although thousands of vulnerabilities are detected and registered each year, only a few of them are observed to be exploited by threat actors. Hence, there is a need to use machine learning to develop a model that predicts which vulnerabilities are highly exploitable by threat actors, and a model that forecasts the number of future vulnerabilities, to support cost-effective cybersecurity management. Subsequently, the predicted exploitable vulnerabilities need to be ranked to understand the severity of their impact if the exploitation is realized. The literature review shows that all existing machine learning models have primarily used the United States (U.S.) vulnerability database, the largest of its kind, as the source of vulnerability data. The literature review also shows existing research that applies machine learning to forecast the number of future vulnerabilities and to predict highly exploitable vulnerabilities, but a risk ranking matrix is missing in this domain. Hence, filling this gap is an urgent need. The aim of this research is to develop a novel risk matrix that ranks the severity impact of highly exploitable vulnerabilities. To achieve this, we developed machine learning based models that predict highly exploitable vulnerabilities and act as background engines to find the most exploitable vulnerabilities among the published known vulnerabilities.
Unlike the few existing research works, our proposed risk ranking matrix for the most exploitable vulnerabilities aggregates all the relevant attributes of base CVSS scoring together with the CVSS score itself, and the proposed algorithm has ten risk levels, which are highly granular and flexible. Furthermore, those risk levels can be redefined and scaled to meet any specific security needs. Finally, a proof-of-concept tool is also developed to demonstrate the proposed vulnerability prediction framework. The proposed risk ranking matrix can significantly support security patch management in a proactive and cost-effective way. Moreover, the proposed models need much less computational resources and time, making them suitable for use at any scale.
