F.R. Parente, Emanuel B. Rodrigues, César L.C. Mattos
FRAPE: A Framework for Risk Assessment, Prioritization and Explainability of vulnerabilities in cybersecurity
Journal of Information Security and Applications, Volume 89, Article 103971, published 2025-01-20
DOI: 10.1016/j.jisa.2025.103971
URL: https://www.sciencedirect.com/science/article/pii/S2214212625000092
JCR: Q2 (Computer Science, Information Systems)
Citation count: 0
Abstract
Inadequate Vulnerability Management (VM) techniques, relying solely on metrics such as the Common Vulnerability Scoring System (CVSS), may lead to overestimating the risk of vulnerability exploitation. This work presents FRAPE, a novel Risk-Based Vulnerability Management (RBVM) framework designed to help analysts classify and prioritize the remediation of security flaws. FRAPE combines a labeling technique called Active Learning (AL) with a Supervised Learning approach to create a Machine Learning model capable of emulating the experience of security experts in assessing vulnerability risk. The framework includes four main modules: Data Collection, which gathers essential information for risk assessment; Vulnerability Labeling, where vulnerabilities are labeled via AL based on significant characteristics; Classification and Prioritization, which categorizes vulnerabilities and prioritizes them for remediation based on the estimated risk; and Explainability of Results, which offers a detailed analysis of why vulnerabilities are considered critical. Additionally, we implemented a computer network simulator capable of comparing the effectiveness of different VM classification and prioritization techniques. The experiments performed indicate that FRAPE outperforms the use of CVSS in VM and correctly classifies 88% of critical vulnerabilities, which is comparable to the performance obtained by security analysts.
Journal description:
Journal of Information Security and Applications (JISA) focuses on the original research and practice-driven applications with relevance to information security and applications. JISA provides a common linkage between a vibrant scientific and research community and industry professionals by offering a clear view on modern problems and challenges in information security, as well as identifying promising scientific and "best-practice" solutions. JISA issues offer a balance between original research work and innovative industrial approaches by internationally renowned information security experts and researchers.