
Latent feature vulnerability ranking of CVSS vectors.

SummerSim (2017)

Abstract
The Common Vulnerability Scoring System (CVSS) has been widely used to provide a score measuring the severity of software vulnerabilities. Analysts determine ordinal label assignments of subcategories relating to ease and impact of exploitation; the CVSS Version 2 (CVSS v2) score is computed formulaically using the labels. These scores have been directly used to prioritize vulnerability mitigation strategies. However, Allodi and Massacci found that CVSS scores are not strongly linked to exploit emergence and that cyber defenders can become overwhelmed by the volume of vulnerabilities that are nearly indistinguishable by their high scores. To improve the tactical use of information provided from the CVSS, data-driven statistics that probe the relationship between the existence of cyber exploits and CVSS scores are provided. Using databases of known exploits, a stand-in for threat assessment, initial results indicate a roughly power-law relationship between CVSS scores and exploit existence. To improve upon the CVSS score ranking, the latent feature space described by a Jaccard similarity metric on CVSS vector values from the National Vulnerability Database (NVD) is explored. Using spectral clustering in this latent feature space, known exploits emerged in the clusters in far-from-random distributions, allowing a vulnerability ranking that outperforms CVSS scoring. Further, in temporal testing, new exploits emerged in the clusters with nearly the same distribution as the learned model, allowing the system some ability to predict which vulnerabilities may be most likely to develop exploits over time. These results help cyber defenders better direct mitigation efforts towards vulnerabilities more strongly associated with exploits.
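A miniature of the latent-feature ranking the abstract describes, added here as an illustration and not code from the paper: it tokenises CVSS v2 base vectors, measures pairwise Jaccard similarity, groups the vectors, and ranks each group by the fraction of its members with a known exploit. The vectors and exploit flags are constructed, and threshold-based single-linkage grouping is assumed as a simple stand-in for the paper's spectral clustering.

```python
from collections import defaultdict

V2_METRICS = ("AV", "AC", "Au", "C", "I", "A")

# Constructed sample: (id, CVSS v2 base vector, exploit known?). The flag
# stands in for the exploit databases the paper uses as threat assessment.
SAMPLE = [
    ("CVE-A", "AV:N/AC:L/Au:N/C:P/I:P/A:P", True),
    ("CVE-B", "AV:N/AC:L/Au:N/C:P/I:P/A:N", True),
    ("CVE-C", "AV:N/AC:M/Au:N/C:P/I:P/A:P", False),
    ("CVE-D", "AV:L/AC:L/Au:N/C:C/I:C/A:C", False),
    ("CVE-E", "AV:L/AC:L/Au:S/C:C/I:C/A:C", False),
    ("CVE-F", "AV:L/AC:M/Au:S/C:C/I:C/A:C", True),
]

def cvss_v2_tokens(vector):
    """Turn 'AV:N/AC:L/...' into a frozenset of 'metric:value' tokens.
    Rejects vectors missing or repeating a base metric, so a malformed NVD
    entry fails loudly instead of silently scoring as dissimilar."""
    tokens = vector.split("/")
    if sorted(t.split(":", 1)[0] for t in tokens) != sorted(V2_METRICS):
        raise ValueError("not a complete CVSS v2 base vector: %r" % vector)
    return frozenset(tokens)

def jaccard(a, b):
    """Jaccard similarity |a & b| / |a | b| of two token sets."""
    return len(a & b) / len(a | b)

def cluster_by_similarity(entries, threshold):
    """Single-linkage grouping: connect pairs with Jaccard >= threshold and
    return the connected components (a stand-in for spectral clustering)."""
    tokens = {vid: cvss_v2_tokens(vec) for vid, vec, _ in entries}
    ids, adj = list(tokens), defaultdict(set)
    for i, a in enumerate(ids):
        for b in ids[i + 1:]:
            if jaccard(tokens[a], tokens[b]) >= threshold:
                adj[a].add(b)
                adj[b].add(a)
    clusters, seen = [], set()
    for vid in ids:
        if vid in seen:
            continue
        comp, stack = set(), [vid]
        while stack:
            cur = stack.pop()
            comp.add(cur)
            stack.extend(adj[cur] - comp)
        seen |= comp
        clusters.append(frozenset(comp))
    return clusters

def rank_by_cluster_exploit_rate(entries, threshold=0.6):
    """Rank ids by the known-exploit rate of their cluster (highest first)."""
    exploited = {vid: flag for vid, _, flag in entries}
    rate = {}
    for comp in cluster_by_similarity(entries, threshold):
        r = sum(exploited[v] for v in comp) / len(comp)
        rate.update({v: r for v in comp})
    return sorted(rate, key=lambda v: (-rate[v], v)), rate
```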