Análise temporal de risco de sistemas computacionais via modelagem de séries de eventos associados a vulnerabilidades
Resumo
Em segurança da informação, vulnerabilidades de software e hardware são cada vez mais frequentes às custas dos avanços tecnológicos atuais. Neste trabalho apresentamos uma análise de séries temporais sobre o ciclo de vida de vulnerabilidades, buscando as tendências do setor de segurança da informação. Também apresentamos um modelo de aprendizado de máquina para prever a ocorrência de exploits. O processo de treinamento foi feito usando aproximadamente 26.000 amostras de dados de vulnerabilidades e 132 features, resultando num modelo com uma precisão inicial de 60% para prever o primeiro exploit. Depois de ajustar os parâmetros do algoritmo usando grid search, um aumento na acurácia para 67% foi alcançado usando métricas de erro como erro absoluto médio e erro quadrático médio.
Palavras-chave:
vulnerabilidades de software, ciclo de vida de vulnerabilidades, National Vulnerability Database, Análise de risco
Referências
Bilge, L. and Dumitras, T. (2012). Before we knew it: an empirical study of zero-day attacks in the real world. In Proceedings of the 2012 ACM conference on Computer and communications security, pages 833–844. ACM.
Bozorgi, M., Saul, L. K., Savage, S., and Voelker, G. M. (2010). Beyond heuristics: learning to classify vulnerabilities and predict exploits. In SIGKDD, pages 105–114.
Chen, T., He, T., Benesty, M., et al. (2015). Xgboost: extreme gradient boosting. R package version 0.4-2, pages 1–4.
First (2007). Common vulnerability scoring system. https://www.first.org/cvss/v2/guide. [Online; accessed 01-May-2019].
Frei, S., May, M., Fiedler, U., and Plattner, B. (2006). Large-scale vulnerability analysis. In Proceedings of the 2006 SIGCOMM workshop on Large-scale attack defense, pages 131–138. ACM.
Keras (2019). The python deep learning library. [Online; accessed 13-May-2019].
Mell, P., Scarfone, K., and Romanosky, S. (2006). Common vulnerability scoring system. IEEE Security & Privacy, 4(6):85–89.
MITRE (2018). Common vulnerabilities and exposures (cve). [Online; accessed 01-May-2019]. NIST (2018). National vulnerability database. [Online; accessed 01-May-2019].
Petraityte, M., Dehghantanha, A., and Epiphaniou, G. (2018). A model for android and ios applications risk calculation: Cvss analysis and enhancement using case-control studies. Cyber Threat Intelligence, pages 219–237.
Sabottke, C., Suciu, O., and Dumitras, T. (2015). Vulnerability disclosure in the age of social media: Exploiting twitter for predicting real-world exploits. In USENIX Security Symposium, pages 1041–1056.
Scarfone, K. and Mell, P. (2009). An analysis of cvss version 2 vulnerability scoring. In Proceedings of the 2009 3rd International Symposium on Empirical Software Engineering and Measurement, pages 516–525. IEEE Computer Society.
Security, O. (2018). Exploit database. [Online; accessed 01-May-2019].
Shahzad, M., Shafiq, M. Z., and Liu, A. X. (2012). A large scale exploratory analysis of software vulnera- bility life cycles. In ICSE, pages 771–781. IEEE.
Spark, C. (2017). Hyperparameter tuning. https://blog.cambridgespark.com/ hyperparameter-tuning-in-xgboost-4ff9100a3b2f.
Wang, L., Islam, T., Long, T., Singhal, A., and Jajodia, S. (2008). An attack graph-based probabilistic security metric. In IFIP Annual Conference on Data and Applications Security and Privacy, pages 283–296. Springer.
Bozorgi, M., Saul, L. K., Savage, S., and Voelker, G. M. (2010). Beyond heuristics: learning to classify vulnerabilities and predict exploits. In SIGKDD, pages 105–114.
Chen, T., He, T., Benesty, M., et al. (2015). Xgboost: extreme gradient boosting. R package version 0.4-2, pages 1–4.
First (2007). Common vulnerability scoring system. https://www.first.org/cvss/v2/guide. [Online; accessed 01-May-2019].
Frei, S., May, M., Fiedler, U., and Plattner, B. (2006). Large-scale vulnerability analysis. In Proceedings of the 2006 SIGCOMM workshop on Large-scale attack defense, pages 131–138. ACM.
Keras (2019). The python deep learning library. [Online; accessed 13-May-2019].
Mell, P., Scarfone, K., and Romanosky, S. (2006). Common vulnerability scoring system. IEEE Security & Privacy, 4(6):85–89.
MITRE (2018). Common vulnerabilities and exposures (cve). [Online; accessed 01-May-2019]. NIST (2018). National vulnerability database. [Online; accessed 01-May-2019].
Petraityte, M., Dehghantanha, A., and Epiphaniou, G. (2018). A model for android and ios applications risk calculation: Cvss analysis and enhancement using case-control studies. Cyber Threat Intelligence, pages 219–237.
Sabottke, C., Suciu, O., and Dumitras, T. (2015). Vulnerability disclosure in the age of social media: Exploiting twitter for predicting real-world exploits. In USENIX Security Symposium, pages 1041–1056.
Scarfone, K. and Mell, P. (2009). An analysis of cvss version 2 vulnerability scoring. In Proceedings of the 2009 3rd International Symposium on Empirical Software Engineering and Measurement, pages 516–525. IEEE Computer Society.
Security, O. (2018). Exploit database. [Online; accessed 01-May-2019].
Shahzad, M., Shafiq, M. Z., and Liu, A. X. (2012). A large scale exploratory analysis of software vulnera- bility life cycles. In ICSE, pages 771–781. IEEE.
Spark, C. (2017). Hyperparameter tuning. https://blog.cambridgespark.com/ hyperparameter-tuning-in-xgboost-4ff9100a3b2f.
Wang, L., Islam, T., Long, T., Singhal, A., and Jajodia, S. (2008). An attack graph-based probabilistic security metric. In IFIP Annual Conference on Data and Applications Security and Privacy, pages 283–296. Springer.
Publicado
08/07/2019
Como Citar
MARTINS, Matheus; BICUDO, Miguel A.; MENASCHÉ, Daniel ; DE AGUIAR, Leandro P..
Análise temporal de risco de sistemas computacionais via modelagem de séries de eventos associados a vulnerabilidades. In: WORKSHOP EM DESEMPENHO DE SISTEMAS COMPUTACIONAIS E DE COMUNICAÇÃO (WPERFORMANCE), 2019. , 2019, Belém.
Anais [...].
Porto Alegre: Sociedade Brasileira de Computação,
2019
.
ISSN 2595-6167.
DOI: https://doi.org/10.5753/wperformance.2019.6465.
