Title: NL2Vul: Natural Language to Standard Vulnerability Score for Cloud Security Posture Management
Authors: Muhammed Fatih Bulut, Jinho Hwang
DOI: 10.1109/CLOUD53861.2021.00073 (https://doi.org/10.1109/CLOUD53861.2021.00073)
Journal: IEEE Cloud Computing, vol. 25, no. 1, pp. 566-571
Publication date: 2021-09-01
Publication type: Journal Article
Citations: 0
Abstract
Cloud Security Posture Management (CSPM) tools have been gaining popularity to automate, monitor and visualize the security posture of multi-cloud environments. The foundation of risk assessment lies in being able to analyze each vulnerability and quantify its risk. However, the number of vulnerabilities in the National Vulnerability Database (NVD) has skyrocketed in recent years and surpassed 144K as of late 2020. The current standard vulnerability tracking system relies mostly on human-driven effort. Besides, open-source libraries do not necessarily follow the standards of vulnerability reporting set by CVE and NIST, but rather use GitHub issues for reporting. In this paper, we propose a framework, NL2Vul, to measure the score of vulnerabilities with minimal human effort. NL2Vul makes use of deep neural networks trained on descriptions of software vulnerabilities from NVD to predict vulnerability scores. To flexibly extend the trained NVD model to the different data sources used to evaluate risk posture in CSPM, NL2Vul uses transfer learning for quick re-training. We have evaluated NL2Vul with vanilla NVD, public GitHub issues of open-source projects, and compliance technology specification documents.
Journal description:
Cessation.
IEEE Cloud Computing is committed to the timely publication of peer-reviewed articles that provide innovative research ideas, application results, and case studies in all areas of cloud computing. Topics relating to novel theory, algorithms, performance analyses and applications of techniques are covered. More specifically: Cloud software, Cloud security, Trade-offs between privacy and utility of cloud, Cloud in the business environment, Cloud economics, Cloud governance, Migrating to the cloud, Cloud standards, Development tools, Backup and recovery, Interoperability, Applications management, Data analytics, Communications protocols, Mobile cloud, Private clouds, Liability issues for data loss on clouds, Data integration, Big data, Cloud education, Cloud skill sets, Cloud energy consumption, The architecture of cloud computing, Applications in commerce, education, and industry, Infrastructure as a Service (IaaS), Platform as a Service (PaaS), Software as a Service (SaaS), Business Process as a Service (BPaaS).