FRAPE: A Framework for Risk Assessment, Prioritization and Explainability of vulnerabilities in cybersecurity

IF 3.8 2区 计算机科学 Q2 COMPUTER SCIENCE, INFORMATION SYSTEMS
F.R. Parente, Emanuel B. Rodrigues, César L.C. Mattos
{"title":"FRAPE: A Framework for Risk Assessment, Prioritization and Explainability of vulnerabilities in cybersecurity","authors":"F.R. Parente,&nbsp;Emanuel B. Rodrigues,&nbsp;César L.C. Mattos","doi":"10.1016/j.jisa.2025.103971","DOIUrl":null,"url":null,"abstract":"<div><div>Inadequate Vulnerability Management (VM) techniques, relying solely on metrics such as the Common Vulnerability Scoring System (CVSS), may lead to overestimating the risk of vulnerability exploitation. This work presents FRAPE, a novel Risk-Based Vulnerability Management (RBVM) framework designed to help analysts classify and prioritize the remediation of security flaws. FRAPE combines a labeling technique called Active Learning (AL) with a Supervised Learning approach to create a Machine Learning model capable of emulating the experience of security experts in assessing vulnerability risk. The framework includes four main modules: Data Collection, which gathers essential information for risk assessment; Vulnerability Labeling, where vulnerabilities are labeled via AL based on significant characteristics; Classification and Prioritization, which categorizes vulnerabilities and prioritizes them for remediation based on the estimated risk; and Explainability of Results, which offers a detailed analysis of why vulnerabilities are considered critical. Additionally, we implemented a computer network simulator capable of comparing the effectiveness of different VM classification and prioritization techniques. The performed experiments indicate that FRAPE outperforms the use of CVSS in VM and correctly classifies 88% of critical vulnerabilities, which is comparable to the performance obtained by security analysts.</div></div>","PeriodicalId":48638,"journal":{"name":"Journal of Information Security and Applications","volume":"89 ","pages":"Article 103971"},"PeriodicalIF":3.8000,"publicationDate":"2025-01-20","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"0","resultStr":null,"platform":"Semanticscholar","paperid":null,"PeriodicalName":"Journal of Information Security and Applications","FirstCategoryId":"94","ListUrlMain":"https://www.sciencedirect.com/science/article/pii/S2214212625000092","RegionNum":2,"RegionCategory":"计算机科学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"Q2","JCRName":"COMPUTER SCIENCE, INFORMATION SYSTEMS","Score":null,"Total":0}
引用次数: 0

Abstract

Inadequate Vulnerability Management (VM) techniques, relying solely on metrics such as the Common Vulnerability Scoring System (CVSS), may lead to overestimating the risk of vulnerability exploitation. This work presents FRAPE, a novel Risk-Based Vulnerability Management (RBVM) framework designed to help analysts classify and prioritize the remediation of security flaws. FRAPE combines a labeling technique called Active Learning (AL) with a Supervised Learning approach to create a Machine Learning model capable of emulating the experience of security experts in assessing vulnerability risk. The framework includes four main modules: Data Collection, which gathers essential information for risk assessment; Vulnerability Labeling, where vulnerabilities are labeled via AL based on significant characteristics; Classification and Prioritization, which categorizes vulnerabilities and prioritizes them for remediation based on the estimated risk; and Explainability of Results, which offers a detailed analysis of why vulnerabilities are considered critical. Additionally, we implemented a computer network simulator capable of comparing the effectiveness of different VM classification and prioritization techniques. The performed experiments indicate that FRAPE outperforms the use of CVSS in VM and correctly classifies 88% of critical vulnerabilities, which is comparable to the performance obtained by security analysts.
FRAPE:网络安全漏洞风险评估、优先排序和可解释性框架
不充分的漏洞管理(VM)技术,仅仅依赖于诸如通用漏洞评分系统(CVSS)之类的度量,可能导致高估漏洞利用的风险。这项工作提出了FRAPE,一种新的基于风险的漏洞管理(RBVM)框架,旨在帮助分析师对安全漏洞的修复进行分类和优先排序。FRAPE将一种称为主动学习(AL)的标记技术与监督学习方法相结合,创建了一个能够模仿安全专家评估漏洞风险经验的机器学习模型。该框架包括四个主要模块:数据收集,收集用于风险评估的基本信息;漏洞标记,通过人工智能根据重要特征对漏洞进行标记;分类和优先级,对漏洞进行分类,并根据估计的风险对它们进行优先级修复;以及结果的可解释性,其中详细分析了为什么漏洞被认为是关键的。此外,我们实现了一个计算机网络模拟器,能够比较不同VM分类和优先级技术的有效性。实验表明,FRAPE优于CVSS在VM中的使用,并正确分类了88%的关键漏洞,这与安全分析师获得的性能相当。
本文章由计算机程序翻译,如有差异,请以英文原文为准。
求助全文
约1分钟内获得全文 求助全文
来源期刊
Journal of Information Security and Applications
Journal of Information Security and Applications Computer Science-Computer Networks and Communications
CiteScore
10.90
自引率
5.40%
发文量
206
审稿时长
56 days
期刊介绍: Journal of Information Security and Applications (JISA) focuses on the original research and practice-driven applications with relevance to information security and applications. JISA provides a common linkage between a vibrant scientific and research community and industry professionals by offering a clear view on modern problems and challenges in information security, as well as identifying promising scientific and "best-practice" solutions. JISA issues offer a balance between original research work and innovative industrial approaches by internationally renowned information security experts and researchers.
×
引用
GB/T 7714-2015
复制
MLA
复制
APA
复制
导出至
BibTeX EndNote RefMan NoteFirst NoteExpress
×
提示
您的信息不完整,为了账户安全,请先补充。
现在去补充
×
提示
您因"违规操作"
具体请查看互助需知
我知道了
×
提示
确定
请完成安全验证×
copy
已复制链接
快去分享给好友吧!
我知道了
右上角分享
点击右上角分享
0
联系我们:info@booksci.cn Book学术提供免费学术资源搜索服务,方便国内外学者检索中英文文献。致力于提供最便捷和优质的服务体验。 Copyright © 2023 布克学术 All rights reserved.
京ICP备2023020795号-1
ghs 京公网安备 11010802042870号
Book学术文献互助
Book学术文献互助群
群 号:481959085
Book学术官方微信