Automated Severity Driven Patch Management
Abstract
We present a method for assessing the temporal severity associated with software vulnerabilities by analyzing reported vulnerability data. Data from various platforms is collected and curated to define specific vulnerability features and historical vulnerability event data. When a vulnerability is specified, the system identifies its vulnerability class using a classifier based on the predefined features. Historical event data is then processed to generate a predictive severity curve, which estimates the evolution of a temporal severity score, parameterized by the occurrence of key vulnerability events. This curve predicts the time of weaponization and/or exploitation events, along with the corresponding severity score for the specified vulnerability. Our approach aims to support automated decision-making in software patch management by enabling accurate tracking and prediction of vulnerability severity over time.
Keywords:
Severity assessment, vulnerabilities, exploits, CVSS
Published
2024-11-26
How to Cite
BANJAR, Carlos Eduardo de Schuller et al. Automated Severity Driven Patch Management. In: INDUSTRY TRACK - LATIN-AMERICAN SYMPOSIUM ON DEPENDABLE COMPUTING (LADC), 13., 2024, Recife/PE. Anais [...]. Porto Alegre: Sociedade Brasileira de Computação, 2024. p. 179–183.
