Title :
Predictive vulnerability scoring in the context of insufficient information availability
Author :
Ghani, Hamza ; Luna, Jesus ; Khelil, Abdelmajid ; Alkadri, Najib ; Suri, Neeraj
Author_Institution :
Tech. Univ. Darmstadt, Darmstadt, Germany
Abstract :
Multiple databases and repositories exist for collecting known vulnerabilities for different systems and on different levels. However, it is not unusual for considerable time to elapse, in some cases more than a year, before all the information needed to perform and publish vulnerability scoring calculations has been collected, so that security management groups can assess and prioritize vulnerabilities for remediation. Scoring a vulnerability also requires broad knowledge of its characteristics, which is not always available. As an alternative, this paper targets the quantitative understanding of security vulnerabilities in the context of insufficient vulnerability information. We propose a novel approach for the predictive assessment of security vulnerabilities that takes into consideration the relevant scenarios, e.g., zero-day vulnerabilities, for which there is limited or no information to perform a typical vulnerability scoring. We propose a new analytical model, the Vulnerability Assessment Model (VAM), which is inspired by Linear Discriminant Analysis and uses publicly available vulnerability databases such as the National Vulnerability Database (NVD) as a training data set. To demonstrate the applicability of our approach, we have developed a publicly available web application, the VAM Calculator. Experimental results obtained using real-world vulnerability data from the three most widely used Internet browsers show that, by reducing the amount of required vulnerability information by around 50%, we can keep the misclassification rate at approximately 5%.
Keywords :
database management systems; security of data; statistical analysis; Internet browsers; NVD; National Vulnerability Database; VAM calculator; information collection; insufficient information availability; linear discriminant analysis; predictive security vulnerability assessment model; predictive vulnerability scoring; publicly available vulnerability databases; security management groups; Accuracy; Estimation; Hardware; CVSS; LDA; security quantification; vulnerability assessment
Conference_Title :
Risks and Security of Internet and Systems (CRiSIS), 2013 International Conference on
Conference_Location :
La Rochelle
DOI :
10.1109/CRiSIS.2013.6766359