A novel approach to continuous CVE analysis on enterprise operating systems for system vulnerability assessment

  • Original Research
International Journal of Information Technology

Abstract

Advances in information and technology have provided great opportunities and conveniences for human life. In the same period, however, attackers have moved to cyberspace because of factors such as anonymity, easily available attack tools, and non-deterrent penalties. For this reason, various methods have been developed to protect systems from cyber-attacks. One of the most important is continuous vulnerability analysis of the systems, and of the network they form, that also covers emerging threats. In this study, a current and comprehensive list of vulnerabilities, created by combining data obtained from different CVE sources, is compared with the packages on the operating system. In this way, it is possible to obtain information about the system’s current exposure status and take precautions. The analyses were carried out on the Ubuntu operating system; however, the study can be adapted to other operating systems and larger systems by following the implementation phases of the proposed method.

Author information

Corresponding author

Correspondence to Serkan Gönen.

Ethics declarations

Conflict of interest

There is no conflict of interest in this study.

About this article

Cite this article

Kocaman, Y., Gönen, S., Barişkan, M.A. et al. A novel approach to continuous CVE analysis on enterprise operating systems for system vulnerability assessment. Int. j. inf. tecnol. 14, 1433–1443 (2022). https://doi.org/10.1007/s41870-021-00840-6

  • DOI: https://doi.org/10.1007/s41870-021-00840-6
