
FRAPE: A Framework for Risk Assessment, Prioritization and Explainability of Vulnerabilities

Bibliographic details
Year of defense: 2023
Main author: Ponte, Francisco Rodrigo Parente da
Advisor: Rodrigues, Emanuel Bezerra
Examining committee: Not provided by the institution
Document type: Thesis
Access type: Open access
Language: Portuguese (por)
Defending institution: Not provided by the institution
Graduate program: Not provided by the institution
Department: Not provided by the institution
Country: Not provided by the institution
CNPq knowledge area: CNPQ::CIENCIAS EXATAS E DA TERRA::CIENCIA DA COMPUTACAO
Access link: http://repositorio.ufc.br/handle/riufc/76691
Abstract: Inadequate security practices, such as relying on a single metric, for instance considering only the Common Vulnerability Scoring System (CVSS) in the Vulnerability Management (VM) process, can lead to an overestimation of the risk of asset exploitation. Ideally, security analysts should combine vulnerability information, threat intelligence, and context to assess the likelihood and risk of a security flaw being exploited. The lack of specialized tools makes this task complex and error-prone, as analysts must manually correlate information from multiple security sources with the thousands of assets present in the organization. Although Machine Learning (ML) can help in this task, researchers have not thoroughly explored its application in the VM process. Given this context, this thesis proposes FRAPE, a Risk-Based Vulnerability Management (RBVM) framework. FRAPE uses a data labeling technique called Active Learning (AL) combined with a Supervised Learning approach to create an ML model capable of emulating the experience of security experts in analyzing and assessing the risk of exploiting vulnerabilities. FRAPE is composed of four modules: (i) Data Collection, responsible for aggregating the information needed for risk assessment; (ii) Vulnerability Labeling, where active learning is used to label the vulnerabilities with the most significant characteristics; (iii) Classification and Prioritization of Vulnerabilities, where security flaws are classified and consequently prioritized for remediation according to their risk; and finally, (iv) Results Interpretation, where a detailed analysis is provided of why the vulnerabilities were considered critical. Thus, this work seeks to develop a solution capable of helping security analysts identify the most critical vulnerabilities so that they can defend themselves from potential attacks by malicious users.
Co-advisor: Mattos, César Lincoln Cavalcante
Citation: PONTE, Francisco Rodrigo Parente da. FRAPE: A Framework for Risk Assessment, Prioritization and Explainability of Vulnerabilities. 2023. 179 f. Tese (Doutorado em Ciência da Computação) - Universidade Federal do Ceará, Fortaleza, 2023.
Keywords: Cybersecurity; Risk Assessment; Active Learning; Machine Learning
Deposited in repository: 2024-03-26
Full text (PDF): http://repositorio.ufc.br/bitstream/riufc/76691/3/2023_tese_frpponte.pdf