Transferir como PDF, PPTX
Carregado porMichael Roytman
Predicting Exploitability
The document discusses strategies for predicting the exploitability of vulnerabilities, focusing on retrospective, real-time, and predictive methodologies. It highlights the use of machine learning models to assess various factors influencing vulnerability management, such as vulnerability prevalence and existing patches. Future work aims to refine these models and predict breaches rather than exploits while integrating data from numerous sources.
Predicting Exploitability
- 1.
- 2. “Prediction is verydifficult, especially about the future.” -Neils Bohr
- 3. 3 Types of“Data-Driven”
- 4. Too many vulnerabilities. Howdo we derive risk from vulnerability in a data-driven manner? PROBLEM
- 5.
- 6.
- 7. Analyst Input Vulnerability Management ProgramsAugmenting Data Retrospective Temporal Score Estimation Vulnerability Researchers
- 8.
- 9.
- 10. 0 5 1015 20 25 30 35 CVSS*10 EDB MSP EDB+MSP Breach*Probability*(%) Positive Predictive Value of remediating a vulnerability with property X:
- 12. DATA OF FUTUREPAST Q: “Of my current vulnerabilities, which ones should I remediate?” A: Old ones with stable, weaponized exploits
- 13. FUTURE OF DATAPAST Q: “A new vulnerability was just released. Do we scramble?” A:
- 14.
- 15.
- 17.
- 18. 70% Training, 30%Evaluation Split N = 81303 All Models: L2 regularizer 1 gb 100 passes over the data Receiver operating characteristics for comparisons
- 19. Model 1: Baseline -CVSSBase -CVSS Temporal -Remote Code Execution -Availability -Integrity -Confidentiality -Authentication -Access Complexity -Access Vector -Publication Date
- 20.
- 21.
- 22. Model 2: Patches -CVSSBase -CVSS Temporal -Remote Code Execution -Availability -Integrity -Confidentiality -Authentication -Access Complexity -Access Vector -Publication Date -Patch Exists
- 23. Model 3: AffectedSoftware -CVSS Base -CVSS Temporal -Remote Code Execution -Availability -Integrity -Confidentiality -Authentication -Access Complexity -Access Vector -Publication Date -Patch Exists -Vendors -Products
- 24. Model 4: Words! -CVSSBase -CVSS Temporal -Remote Code Execution -Availability -Integrity -Confidentiality -Authentication -Access Complexity -Access Vector -Publication Date -Patch Exists -Vendors -Products -Description, Ngrams 1-5
- 25. Model 5: VulnerabilityPrevalence -CVSS Base -CVSS Temporal -Remote Code Execution -Availability -Integrity -Confidentiality -Authentication -Access Complexity -Access Vector -Publication Date -Patch Exists -Vendors -Products -Description, Ngrams 1-5 -Vulnerability Prevalence -Number of References
- 26.
- 27.
- 28.
- 29. -Track Predictions vs. RealExploits -Integrate 20+ BlackHat Exploit Kits - FP reduction? -Find better vulnerability descriptions - mine advisories for content? FN reduction? Future Work -Predict Breaches, not Exploits -Attempt Models by Vendor -There are probably two exploitation processes here.
- 31.