Predicting Cyber Risks through National Vulnerability Database

Su Zhang1, Xinming Ou2, and Doina Caragea3 1Cloud Platform Engineering, Symantec Corporation, Mountain View, California, USA 2Department of Computer Science and Engineering, University of South Florida, Tampa, Florida, USA 3Department of Computing and Information Sciences, Kansas State University, Manhattan, Kansas, USA ABSTRACT Software vulnerabilities are the major cause of cyber security problems. The National Vulnerability Database (NVD) is a public data source that maintains standardized information about reported software vulnerabilities. Since its inception in 1997, NVD has published information about more than 43,000 software vulnerabilities affecting more than 17,000 software applications. This information is potentially valuable in understanding trends and patterns in software vulnerabilities so that one can better manage the security of computer systems that are pestered by the ubiquitous software security flaws. In particular, one would like to be able to predict the likelihood that a piece of software contains a yet-to-be-discovered vulnerability, which must be taken into account in security management due to the increasing trend in zero-day attacks. We conducted an empirical study on applying data-mining techniques on NVD data with the objective of predicting the time to next vulnerability for a given software application. We experimented with various features constructed using the information available in NVD and applied various machine learning algorithms to examine the predictive power of the data. Our results show that the data in NVD generally have poor prediction capability, with the exception of a few vendors and software applications. We suggest possible reasons for why the NVD data have not produced a reasonable prediction model for time to next vulnerability with our current approach, and suggest alternative ways in which the data in NVD can be used for the purpose of risk estimation.