CPE and CVE based Technique for Software Security Risk Assessment

• Published in: 2021 11th IEEE International Conference on Intelligent Data Acquisition and Advanced Computing Systems: Technology and Applications (IDAACS) Vol. 1; pp. 353 - 356
• Main Authors: Ushakov, Roman, Doynikova, Elena, Novikova, Evgenia, Kotenko, Igor
• Format: Conference Proceeding
• Language: English
• Published: IEEE 22.09.2021
• Subjects: Conferences; CPE; CVE; cybersecurity; Data acquisition; Hardware; Information security; mapping; products; risk assessment; Software; Software algorithms; vulnerabilities
• ISBN: 1665442093; 9781665442091
• ISSN: 2770-4254
• DOI: 10.1109/IDAACS53288.2021.9660968

Currently, a lot of work has been done in the area of detection, scoring, and inventory of software and hardware vulnerabilities. Known vulnerabilities are listed in the open databases. It is essential to continuously monitor that information system doesn't contain severe vulnerabilities to ensure its information security. Applicability of open vulnerability databases is limited by the challenges occurring due to automated mapping the software product names in the analyzed system logs to their product names in the open sources (to extract relevant vulnerabilities from them). The paper proposes the technique incorporating an algorithm for mapping the software products names in the analyzed system logs to the relevant Common Platform Enumeration entries in open vulnerability databases based on the Ratcliff/Obershelp algorithm, identification of known vulnerabilities for the detected entries, and security risk assessment of the analysed system. The technique is implemented and tested using Windows computers software and has shown an accuracy of 79% on average.