
Evaluating the Data Inconsistency of Open-Source Vulnerability Repositories

Published: 17 August 2021

Abstract

Modern security practices promote quantitative methods that provide prioritisation insights and support predictive analysis. These methods draw on open-source cybersecurity databases such as the Common Vulnerabilities and Exposures (CVE) list, the National Vulnerability Database (NVD), CERT advisories, and vendor websites. These public repositories offer a way to standardise and share up-to-date vulnerability information, with the purpose of enhancing cybersecurity awareness. However, data quality issues in these vulnerability repositories may lead to incorrect prioritisation and misallocation of resources. In this paper, we empirically analyse the impact of the data quality of vulnerability repositories, and of data inconsistency in particular, on actual information technology (IT) and operational technology (OT) systems. Our case study shows that data inconsistency may misdirect the investment of cybersecurity resources. By contrast, correlating vulnerability repositories and verifying the trustworthiness of their data brings substantial benefits for vulnerability management.
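The abstract's two remedies, correlating repositories and verifying data trustworthiness, can be illustrated on a single vulnerability record held by several sources. The Python below is an added example, not code from the paper or its authors. All input is constructed: the identifier CVE-0000-0001 is a placeholder, the CVSS scores, CWE, version sets, dates and the source names "nvd", "vendor" and "cert" are invented, and the trust weights are hypothetical. It normalises each record, reports the fields on which sources disagree (keeping missing values separate from genuine conflicts), and then resolves each field by a trust-weighted vote, leaving ties unresolved for manual review.

```python
"""Cross-check one vulnerability record across several repositories.

Added illustration; the records, sources and trust weights are constructed,
not real CVE/NVD/CERT/vendor data.
"""
from dataclasses import dataclass
from typing import Any, Dict, FrozenSet, List, Optional

FIELDS = ("cvss_base", "cwe", "affected_versions", "published")


@dataclass(frozen=True)
class VulnRecord:
    source: str
    cve_id: str
    cvss_base: Optional[float]
    cwe: Optional[str]
    affected_versions: FrozenSet[str]
    published: Optional[str]  # ISO date, as published by the source


def normalise(rec: VulnRecord) -> VulnRecord:
    """Canonicalise values so formatting noise is not reported as inconsistency."""
    return VulnRecord(
        source=rec.source.strip().lower(),
        cve_id=rec.cve_id.strip().upper(),
        cvss_base=None if rec.cvss_base is None else round(float(rec.cvss_base), 1),
        cwe=None if rec.cwe is None else rec.cwe.upper().replace(" ", ""),
        affected_versions=frozenset(v.strip() for v in rec.affected_versions),
        published=rec.published,
    )


def _group(records) -> Dict[str, List[VulnRecord]]:
    by_cve: Dict[str, List[VulnRecord]] = {}
    for r in map(normalise, records):
        by_cve.setdefault(r.cve_id, []).append(r)
    return by_cve


def find_inconsistencies(records) -> Dict[str, Dict[str, Any]]:
    """Return {cve_id: {"conflicts": {field: {source: value}}, "missing": {field: [sources]}}}.

    A field is a conflict only when two sources give different non-missing values;
    a source that omits the field is listed under "missing", not as a disagreement.
    """
    report: Dict[str, Dict[str, Any]] = {}
    for cve_id, recs in _group(records).items():
        conflicts: Dict[str, Dict[str, Any]] = {}
        missing: Dict[str, List[str]] = {}
        for f in FIELDS:
            present = {r.source: getattr(r, f) for r in recs if getattr(r, f) is not None}
            absent = [r.source for r in recs if getattr(r, f) is None]
            if len(set(present.values())) > 1:
                conflicts[f] = present
            if absent:
                missing[f] = absent
        if conflicts or missing:
            report[cve_id] = {"conflicts": conflicts, "missing": missing}
    return report


def resolve(records, trust: Dict[str, float]) -> Dict[str, Dict[str, Any]]:
    """Trust-weighted vote per field: each source's value earns that source's weight.

    Sources absent from `trust` get weight 0 and never decide a value. A tie
    between the top two candidates is left as None so it is reviewed by hand.
    """
    resolved: Dict[str, Dict[str, Any]] = {}
    for cve_id, recs in _group(records).items():
        chosen: Dict[str, Any] = {}
        for f in FIELDS:
            tally: Dict[Any, float] = {}
            for r in recs:
                v = getattr(r, f)
                if v is not None:
                    tally[v] = tally.get(v, 0.0) + trust.get(r.source, 0.0)
            if not tally:
                continue
            ranked = sorted(tally.items(), key=lambda kv: kv[1], reverse=True)
            if len(ranked) > 1 and ranked[0][1] == ranked[1][1]:
                chosen[f] = None  # tie: unresolved
            else:
                chosen[f] = ranked[0][0]
        resolved[cve_id] = chosen
    return resolved


# Constructed sample records (placeholder CVE id, invented values).
SAMPLE_RECORDS = [
    VulnRecord("NVD", "CVE-0000-0001", 9.8, "CWE-787", frozenset({"1.0", "1.1", "1.2"}), "2021-03-01"),
    VulnRecord("vendor", "CVE-0000-0001", 7.5, "CWE-787", frozenset({"1.1", "1.2"}), "2021-02-25"),
    VulnRecord("cert", "cve-0000-0001", 9.8, None, frozenset({"1.0", "1.1", "1.2"}), "2021-03-01"),
]

# Hypothetical trust weights; in practice these come from an audit of each source.
SAMPLE_TRUST = {"nvd": 1.0, "vendor": 1.5, "cert": 0.8}

if __name__ == "__main__":
    print(find_inconsistencies(SAMPLE_RECORDS))
    print(resolve(SAMPLE_RECORDS, SAMPLE_TRUST))
```

With the sample weights the vendor's lower score loses to the agreeing NVD and CERT entries (combined weight 1.8 against 1.5); raising the vendor's weight to 2.0 flips the CVSS decision, which is the point of making trust an explicit input rather than silently preferring one feed.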




Published In

ARES '21: Proceedings of the 16th International Conference on Availability, Reliability and Security
August 2021
1447 pages
ISBN:9781450390514
DOI:10.1145/3465481

Publisher

Association for Computing Machinery

New York, NY, United States

Author Tags

  1. Cybersecurity; Data Inconsistency; Vulnerability Analysis

Qualifiers

  • Research-article
  • Research
  • Refereed limited

Conference

ARES 2021

Acceptance Rates

Overall Acceptance Rate 228 of 451 submissions, 51%

Cited By

  • AttackDefense Framework (ADF): Enhancing IoT Devices and Lifecycles Threat Modeling. ACM Transactions on Embedded Computing Systems (2024). DOI 10.1145/3698396. Online publication date: 8 Oct 2024.
  • Enhancements to Threat, Vulnerability, and Mitigation Knowledge for Cyber Analytics, Hunting, and Simulations. Digital Threats: Research and Practice 5(1), 1-33 (2024). DOI 10.1145/3615668. Online publication date: 21 Mar 2024.
  • Insights from Running 24 Static Analysis Tools on Open Source Software Repositories. Information Systems Security, 225-245 (2024). DOI 10.1007/978-3-031-80020-7_13. Online publication date: 15 Dec 2024.
  • Towards Cybersecurity Risk Assessment Automation: an Ontological Approach. 2023 IEEE Intl Conf on Dependable, Autonomic and Secure Computing, Intl Conf on Pervasive Intelligence and Computing, Intl Conf on Cloud and Big Data Computing, Intl Conf on Cyber Science and Technology Congress (DASC/PiCom/CBDCom/CyberSciTech), 628-635 (2023). DOI 10.1109/DASC/PiCom/CBDCom/Cy59711.2023.10361456. Online publication date: 14 Nov 2023.
  • Resolving Power Equipment Data Inconsistency via Heterogeneous Network Alignment. IEEE Access 11, 23980-23988 (2023). DOI 10.1109/ACCESS.2023.3253518.
  • The anatomy of a vulnerability database. Journal of Systems and Software 201:C (2023). DOI 10.1016/j.jss.2023.111679. Online publication date: 1 Jul 2023.
  • Cyber Safe Data Repositories. Cybersecurity for Smart Cities, 87-103 (2023). DOI 10.1007/978-3-031-24946-4_7. Online publication date: 30 Mar 2023.
  • Towards System Security: What a Comparison of National Vulnerability Databases Reveals. 2022 17th Iberian Conference on Information Systems and Technologies (CISTI), 1-6 (2022). DOI 10.23919/CISTI54924.2022.9820232. Online publication date: 22 Jun 2022.
