Abstract
Advances in information and technology have provided great opportunities and conveniences for human life. However, with this process, attackers have switched to cyberspace due to various factors such as anonymity, easy attack tools, and non-deterrent penalties. For this reason, various methods have been developed to protect systems from cyber-attacks. One of the most important methods is the continuity-based vulnerability analysis of the systems and the network created by the systems, even for emerging threats. In this study, the current and comprehensive list of vulnerabilities created by combining the data obtained from different CVE sources is compared with the packages on the operating system. In this way, it is possible to obtain information about the system’s current openness status and take precautions. The analyzes have been carried out on Ubuntu operating system; however, the study can be adapted to other operating systems and larger systems by following the implementation phases of the proposed method.
![](http://media.springernature.com/m312/springer-static/image/art%3A10.1007%2Fs41870-021-00840-6/MediaObjects/41870_2021_840_Fig1_HTML.png)
![](http://media.springernature.com/m312/springer-static/image/art%3A10.1007%2Fs41870-021-00840-6/MediaObjects/41870_2021_840_Fig2_HTML.png)
![](http://media.springernature.com/m312/springer-static/image/art%3A10.1007%2Fs41870-021-00840-6/MediaObjects/41870_2021_840_Fig3_HTML.png)
![](http://media.springernature.com/m312/springer-static/image/art%3A10.1007%2Fs41870-021-00840-6/MediaObjects/41870_2021_840_Fig4_HTML.png)
![](http://media.springernature.com/m312/springer-static/image/art%3A10.1007%2Fs41870-021-00840-6/MediaObjects/41870_2021_840_Fig5_HTML.png)
![](http://media.springernature.com/m312/springer-static/image/art%3A10.1007%2Fs41870-021-00840-6/MediaObjects/41870_2021_840_Fig6_HTML.png)
![](http://media.springernature.com/m312/springer-static/image/art%3A10.1007%2Fs41870-021-00840-6/MediaObjects/41870_2021_840_Fig7_HTML.png)
![](http://media.springernature.com/m312/springer-static/image/art%3A10.1007%2Fs41870-021-00840-6/MediaObjects/41870_2021_840_Fig8_HTML.png)
![](http://media.springernature.com/m312/springer-static/image/art%3A10.1007%2Fs41870-021-00840-6/MediaObjects/41870_2021_840_Fig9_HTML.png)
Similar content being viewed by others
References
Yilmaz M (2017) The prediction of electrical vehicles’ growth rate and management of electrical energy demand in Turkey. In: 2017 Ninth annual IEEE green technologies conference (GreenTech), pp. 118–123, IEEE. DOI: https://doi.org/10.1109/GreenTech.2017.23
Gokmen G, Akinci TÇ, Tektaş M, Onat N, Kocyigit G, Tektaş N (2010) Evaluation of student performance in laboratory applications using fuzzy logic. Proc Soc Behav Sci 2(2):902–909. https://doi.org/10.1016/j.sbspro.2010.03.124
Yosifova V, Tasheva A, Trifonov R (2021) Predicting vulnerability type in common vulnerabilities and exposures (CVE) database with machine learning classifiers. In: 2021 12th National conference with ınternational participation (ELECTRONICA), pp. 1–6, IEEE. DOI: https://doi.org/10.1109/ELECTRONICA52725.2021.9513723
Williams MA, Barranco RC, Naim SM, Dey S, Hossain MS, Akbar M (2020) A vulnerability analysis and prediction framework. Comput Secur 92:101751. https://doi.org/10.1016/j.cose.2020.101751
Chang YY, Zavarsky P, Ruhl R, Lindskog D (2011) Trend analysis of the cve for software vulnerability management. In: 2011 IEEE third international conference on privacy, security, risk and trust and 2011 IEEE third international conference on social computing, pp. 1290–1293, IEEE. https://doi.org/10.1109/PASSAT/SocialCom.2011.184
Syed R (2020) Cybersecurity vulnerability management: a conceptual ontology and cyber intelligence alert system. Inform Manag 57(6):103334. https://doi.org/10.1016/j.im.2020.103334
Midtrapanon S, Wills G (2019) Linux patch management: with security assessment features. In: 4th International conference on ınternet of things, big data and security, IoTBDS 2019, Greece
Pereira JDA (2020) Techniques and tools for advanced software vulnerability detection. In: 2020 IEEE International symposium on software reliability engineering workshops (ISSREW), pp. 123–126, IEEE, Coimbra, Portugal, https://doi.org/10.1109/ISSREW51248.2020.00049
Lee M, Cho S, Jang C, Park H, Choi E (2006) A rule-based security auditing tool for software vulnerability detection. In: 2006 International Conference on Hybrid Information Technology, vol. 2, pp. 505–512, IEEE, Cheju, Korea (South), https://doi.org/10.1109/ICHIT.2006.253653
Kumar M, Sharma A (2017) An integrated framework for software vulnerability detection, analysis and mitigation: an autonomic system. Sādhanā 42(9):1481–1493. https://doi.org/10.1007/s12046-017-0696-7
Williams L, McGraw G, Migues S (2018) Engineering security vulnerability prevention, detection, and response. IEEE Softw 35(5):76–80. https://doi.org/10.1109/MS.2018.290110854
Belair M, Laniepce S, Menaud J M (2021) SNAPPY: programmable kernel-level policies for containers. In Proceedings of the 36th Annual ACM Symposium on Applied Computing, pp. 1636–1645, Virtual Event Republic of Korea. https://doi.org/10.1145/3412841.3442037
Preisler M (2016) Security compliance for containers and VMs with OpenSCAP. Red Hat Inc, Senior Software Engineer
Kashiwazaki H (2018) Personal information leak in a university, and its cleanup. In Proceedings of the 2018 ACM SIGUCCS Annual Conference, pp. 43–50, Orlando, Florida, USA. https://doi.org/10.1145/3235715.3235727
Lukanta R, Asnar Y, Kistijantoro AI (2014) A vulnerability scanning tool for session management vulnerabilities. In: 2014 International conference on data and software engineering (ICODSE), pp. 1–6, IEEE, Bandung, Indonesia. DOI: https://doi.org/10.1109/ICODSE.2014.7062682
Chen C, Khakzad N, Reniers G (2020) Dynamic vulnerability assessment of process plants with respect to vapor cloud explosions. Reliab Eng Syst Saf 200:106934. https://doi.org/10.1016/j.ress.2020.106934
Mell P, Scarfone K, Romanosky S (2006) Common vulnerability scoring system. IEEE Secur Priv 4(6):85–89. https://doi.org/10.1109/MSP.2006.145
Garg S, Singh RK, Mohapatra AK (2019) Analysis of software vulnerability classification based on different technical parameters. Inf Secur J Glob Perspect 28(1–2):1–19. https://doi.org/10.1080/19393555.2019.1628325
Jeon S, Kim HK (2021) AutoVAS: An automated vulnerability analysis system with a deep learning approach. Comput Secur 106:102308. https://doi.org/10.1016/j.cose.2021.102308
Wu X, Zheng W, Chen X, Wang F, Mu D (2020) CVE-assisted large-scale security bug report dataset construction method. J Syst Softw 160:110456. https://doi.org/10.1016/j.jss.2019.110456
Davari M, Zulkernine M, Jaafar F (2017) An automatic software vulnerability classification framework. In: 2017 International Conference on Software Security and Assurance (ICSSA), pp. 44–49, IEEE, Altoona, PA, USA. DOI: https://doi.org/10.1109/ICSSA41729.2017
Zeng P, Lin G, Pan L, Tai Y, Zhang J (2020) Software vulnerability analysis and discovery using deep learning techniques: a survey. IEEE Access. https://doi.org/10.1109/ACCESS.2020.3034766
Grigoriadis X (2019) Identification and assessment of security attacks and vulnerabilities, utilizing CVE, CWE and CAPEC, Master's thesis dissertation, Department of Informatics, Piraeus Univ.
Le THM, Sabir B, Babar MA (2019) Automated software vulnerability assessment with concept drift. In 2019 IEEE/ACM 16th International conference on mining software repositories (MSR), pp. 371–382, IEEE, Montreal, QC, Canada. DOI: https://doi.org/10.1109/MSR.2019.00063
Vijayakumar K, Arun C (2017) Automated risk identification using NLP in cloud based development environments. J Ambient Intell Humaniz Comput. https://doi.org/10.1007/s12652-017-0503-7
Sun H, Cui L, Li L, Ding Z, Hao Z, Cui J, Liu P (2021) VDSimilar: Vulnerability detection based on code similarity of vulnerabilities and patches. Comput Secur 110:102417. https://doi.org/10.1016/j.cose.2021.102417
Dalessio M, Smith J, Shahid J et al (2019) US Patent No. 10,235,527, Washington, DC: US Patent and Trademark Office.
Vijayakumar K, Arun C (2017) Analysis and selection of risk assessment frameworks for cloud based enterprise applications. Biomed Res (0970–938X), 28
Durai KN, Subha R, Haldorai A (2021) A novel method to detect and prevent SQLIA using ontology to cloud web security. Wirel Pers Commun 117(4):2995–3014. https://doi.org/10.1007/s11277-020-07243-z
Qazi R, Qureshi KN, Bashir F, Islam NU, Iqbal S, Arshad A (2021) Security protocol using elliptic curve cryptography algorithm for wireless sensor networks. J Ambient Intell Humaniz Comput 12(1):547–566. https://doi.org/10.1007/s12652-020-02020-z
Amankwah R, Chen J, Kudjo PK, Agyemang BK, Amponsah AA (2020) An automated framework for evaluating open-source web scanner vulnerability severity. SOCA 14(4):297–307. https://doi.org/10.1007/s11761-020-00296-9
Genge B, Enăchescu C (2016) ShoVAT: Shodan-based vulnerability assessment tool for Internet-facing services. Secur Commun Netw 9(15):2696–2714. https://doi.org/10.1002/sec.1262
Donovan AA, Kernighan BW (2015) The Go programming language. Addison-Wesley Professional, Boston
Santos JC, Peruma A, Mirakhorli M, Galster M, Vidal JV, Sejfia A (2019) Understanding software vulnerabilities related to architectural security tactics. 1–10
Zou Z, **e Y, Huang K, Xu G, Feng D, Long D (2019) A docker container anomaly monitoring system based on optimized isolation forest. IEEE Trans Cloud Comput. https://doi.org/10.1109/TCC.2019.2935724
Author information
Authors and Affiliations
Corresponding author
Ethics declarations
Conflict of interest
There is no conflict of interest in this study.
Rights and permissions
About this article
Cite this article
Kocaman, Y., Gönen, S., Barişkan, M.A. et al. A novel approach to continuous CVE analysis on enterprise operating systems for system vulnerability assessment. Int. j. inf. tecnol. 14, 1433–1443 (2022). https://doi.org/10.1007/s41870-021-00840-6
Received:
Accepted:
Published:
Issue Date:
DOI: https://doi.org/10.1007/s41870-021-00840-6