Common Vulnerability Research Articles

Severity prediction of software vulnerabilities using convolutional neural networks

Purpose The continuous influx of software vulnerabilities poses a significant challenge to organizations, necessitating effective resource allocation for threat mitigation. A key factor in this process is assessing the severity of vulnerabilities to prioritize which issues require immediate attention. This paper aims to automate the prediction of common vulnerability scoring system (CVSS) metrics from textual descriptions of vulnerabilities, reducing the reliance on manual expert analysis. Design/methodology/approach This study applies machine learning and natural language processing techniques, particularly convolutional neural networks (CNNs), to predict CVSS base metrics such as attack vectors, attack complexity and required privileges. The CNN models are trained on vulnerability descriptions and evaluated for their accuracy in predicting these metrics, which are then used to compute overall severity base scores. Findings The CNN models demonstrated high accuracy in predicting CVSS base metrics from textual descriptions. The predicted severity base scores closely align with those provided by human experts, showing the model’s potential to streamline the vulnerability assessment process. Practical implications Automating CVSS metric prediction could significantly reduce the time and effort required for vulnerability severity assessment. This would enable security teams to quickly identify and prioritize critical vulnerabilities, improving response times in cybersecurity management. Originality/value This research provides an innovative approach to vulnerability management by automating CVSS metric prediction, reducing the need for manual expert analysis and therefore accelerating security assessments.

AndroCom: A Real-World Android Applications’ Vulnerability Dataset to Assist with Automatically Detecting Vulnerabilities

In the realm of software development, quality reigns supreme, but the ever-present danger of vulnerabilities threatens to undermine this fundamental principle. Insufficient early vulnerability identification is a key factor in releasing numerous apps with compromised security measures. The most effective solution could be using machine learning models trained on labeled datasets; however, existing datasets still struggle to meet this need fully. Our research constructs a vulnerability dataset for Android application source code, primarily based on the Common Vulnerabilities and Exposures (CVE) system, using data derived from real-world developers’ vulnerability-fixing commits. This dataset was obtained by systematically searching such commits on GitHub using well-designed keywords. This study created the dataset using vulnerable code snippets from 366,231 out of 2.9 million analyzed repositories. All scripts used for data collection, processing, and refinement and the generated dataset are publicly available on GitHub. Experimental results demonstrate that fine-tuned Support Vector Machine and Logistic Regression models trained on this dataset achieve an accuracy of 98.71%, highlighting their effectiveness in vulnerability detection.

An automated framework for detecting and mitigating memory safety vulnerabilities in uefi firmware

An automated framework for detecting and mitigating memory safety vulnerabilities in uefi firmware

Expert system for assessing the status of the access control system to the information environment of smart factory

It is considered the topical issues of access control systems risk assessment of a single information environment of the smart production management system in connection with the risks that arise as a result of using the Internet of things (IoT) as an integral part of the Industry 4.0 concept. The author considered the properties of the IoT architecture from the point of view of its information security when integrated with a production management system. The methodology for building an access control system using fuzzy logic, developed in the authorʼs previous research, in which the author proposed and substantiated ideas for integrating various monitoring and intrusion detection systems in order to build an expert system, also found further practical development. In the paper, the information system is been considered from the point of view of system analysis as the interaction of subjects and objects of the system, the relationships between which are described by access control policies. This approach allows considering the real state of objects based on the system architecture and its vulnerability, changes in the system state over time, and to adjust access policies based on the level of risks assessed using the specified data. The methodology involves the use of modern tools and software, such as intrusion detection systems (IDS), fuzzy testing, user and entity behavior analytics (UEBA), user activity monitoring (UAM), software bill of material (SBOM), and machine learning approaches. Relevant libraries and databases: CIS benchmark, common vulnerabilities and exposures (CVEs), common platform enumeration (CPE) dictionary and common vulnerability scoring system (CVSS) are an integral part of the methodology, ensuring standardization and integration of the methodology with other approaches and methods of controlling and monitoring information systems. Particular attention has been paid to the issue of identifying vulnerabilities of robotic equipment and assessing their impact on production processes as a whole.

Automated broken object-level authorization attack detection in REST APIs through OpenAPI to colored petri nets transformation

The representational state transfer architectural style (REST) specifies a set of rules for creating web services. In REST, data and functionality are considered resources, accessed, and manipulated using a uniform, well-defined set of rules. RESTful web services are web services that follow the REST architectural style and are exposed to the Internet using RESTful APIs. Most of them are described by OpenAPI, a standard language-independent interface for RESTful APIs. RESTful APIs are continuously available on the Internet and are therefore a common target for cyberattacks. To prevent vulnerabilities and reduce risks in web systems, there are several security guidelines available, such as those provided by the Open Web Application Security Project (OWASP) foundation. A common vulnerability in web services is broken object level authorization (BOLA), which allows an attacker to modify or delete data or perform actions intended only for authorized users. For example, an attacker can change an order status, delete a user account, or add unauthorized data to the server. In this paper, we propose a transformation from OpenAPI to Petri nets, which enables formal modeling and analysis of REST APIs using existing Petri net analysis techniques to detect potential security risks directly from the analysis of web server logs. In addition, we also provide a tool, named Links2CPN, which automatically performs model transformation (taking the OpenAPI specification as input) and BOLA attack detection by analyzing web server execution traces. We apply it to a case study of a vulnerable web application to demonstrate its applicability. Our results show that it is capable of detecting BOLA attacks with an accuracy greater than 95% in the proposed scenarios.

Three Step Password Protection

In an era where digital security is paramount, traditional password systems remain vulnerable to sophisticated cyberattacks. This research presents a Three- Step Password Protection System aimed at significantly enhancing authentication security. The proposed model integrates three independent layers of authentication: (1) a Phrase Password, (2) Face Recognition, and (3) Graphical Authentication. Each step progressively strengthens security, ensuring that even if one layer is compromised, unauthorized access remains improbable. The system is designed to balance robust security with user convenience, addressing common vulnerabilities such as brute force, phishing, and bot attacks. By leveraging biometric verification and graphical interactions, the model reduces reliance on conventional text- based authentication while enhancing accessibility. The results suggest that this multi-layered approach provides improved resilience against unauthorized access, making it a viable solution for sensitive and high-security environments.

Mitigating Default Password Risks in CCTV: A Qualitative Study to Guide Recommendations for Device Makers

The rapid growth of Internet of Things (IoT) devices has brought unmatched convenience, connectivity, and significant cybersecurity issues. One of IoT devices' predominant security risks is default passwords, making them vulnerable to various attacks and exploits. CCTV is highly susceptible to security breaches due to the reliance on default passwords. This paper identifies the risks associated with default passwords in CCTV and explores how they can be mitigated. Qualitative research was conducted to achieve this. Qualitative data was gathered through interviews with security experts, manufacturers, and CCTV end-users, and thematic analysis was subsequently analyzed. Through the research, the authors identified common security vulnerabilities and risks linked to default passwords in CCTV and employed password policies and authentication protocols. They recommended best practices to mitigate these risks. The results of this study have significant consequences for the area of IoT security, offering a broad understanding of the risks linked to default passwords in IoT devices, identifying optimal practices for mitigating them, and contributing valuable observations to more comprehensive discussions on IoT security. Eventually, the overarching goal of this study is to increase the safety and privacy of both individuals' and organizations' IoT devices and promote liable and ethical use of this technology.

Applying the health capability profile: an analytical study of leading causes of death in the USA and of pressing public health issues

Public health problems are complex; investigating them requires a framework that both accounts for multiple interactions among individuals and their intermediate and broader environment and also integrates equity concerns. Incorporating...

Uncovering multi-step attacks with threat knowledge graph reasoning

The rapid advancement of information technologies has significantly intensified the focus on cyberspace security across various sectors. In this evolving landscape, attackers deploy many techniques- including exploits, weakness identification, and complex multi-step attacks- to gain unauthorized access to systems. Conversely, defenders harness insights from a variety of sources to pinpoint potential threats. Prominent public cybersecurity databases such as the Adversarial Tactics, Techniques, and Common Knowledge (ATT&CK), Common Attack Pattern Enumeration and Classification (CAPEC), Common Vulnerabilities and Exposures (CVE), Common Weakness Enumeration (CWE), and Common Platform Enumeration (CPE) provide extensive data on security entities and their interrelations, playing a pivotal role in enriching the understanding of cybersecurity challenges and assisting in comprehensive defensive analyses. However, the semantic cross-analysis of these databases, crucial for identifying obscure threat patterns, remains underexploited. In this study, we amalgamate data from these disparate sources into a cohesive threat knowledge graph and introduce a novel knowledge representation learning approach, A4CKGE (ATT&CK-CAPEC-CWE-CVE-CPE Knowledge Graph Embedding). This method utilizes advanced structural and textual analytics to predict interactions among security entities such as products, vulnerabilities, weaknesses, and multi-step attack sequences, employing complex attack templates generated through a Large Language Model (LLM). Our extensive experiments demonstrate that this approach significantly outperforms existing state-of-the-art methods in effectively predicting these relationships. The findings validate the efficacy of our threat knowledge graph in unveiling hidden connections, thereby highlighting its potential to strengthen cybersecurity defenses substantially.

VulnScan GPT: a new framework for smart contract vulnerability detection combining vector database and GPT model

With the rapid development of blockchain technology and smart contracts, the security issues of smart contracts have become increasingly serious. To address the significant limitations of traditional detection methods in handling the complexity and scale of smart contracts, a new framework for smart contract vulnerability detection that combines a vector database and a generative pre-trained transformer (GPT) model — VulnScan GPT — has been proposed. This framework comprises three main components: function signature extraction, vector database storage and retrieval, and GPT-based vulnerability detection. The framework uses the solc tool to generate an abstract syntax tree from smart contracts, extract function signatures, and vectorize the code for storage. By integrating the GPT model, the framework can preliminarily analyze and filter key functions based on common vulnerability scenarios and then retrieve relevant implementations from the vector database for in-depth assessment. This method gradually optimizes function analysis through an iterative detection mechanism, leveraging the efficient storage and retrieval capabilities of the vector database, combined with the deep natural language processing abilities of the GPT model, enhancing the accuracy and comprehensiveness of vulnerability detection. In the experimental evaluation, tests were conducted on various datasets to detect automated market maker price manipulation and initial risk deposit vulnerabilities, demonstrating that VulnScan GPT not only improves the accuracy of vulnerability detection, but also significantly reduces operational costs by optimizing token usage, resulting in an efficient and cost-effective detection solution.

Modeling Android Security Vulnerabilities: Insights from Statistical Distributions

Android operating system is a mobile operating system that supports multimedia features. Android offers a wide range of applications and integrated features for playing, recording, editing and sharing audio, video, images and other multimedia content. Most Android devices include cameras, speakers, microphones, and other multimedia components. In software security, vulnerabilities are critical concerns that often emerge during software development. Predicting these vulnerabilities post-release is essential for risk assessment and mitigation. While various models have been explored, the Android operating system remains relatively uncharted. This study delves into modeling Android security vulnerabilities using different statistical distributions, comparing their suitability to the widely-used Alhazmi-Malaiya Logistic (AML) model. Data from the National Vulnerability Database (NVD) spanning 2016 to 2018, along with Common Vulnerability Scoring System (CVSS) scores, was analyzed. The study evaluates several distribution models, including Logistic, Weibull, Nakagami, Gamma, and Log-logistic, for monthly vulnerability counts and average monthly impact values. Goodness-of-fit tests and information criteria were applied for model robustness assessment. The findings offer valuable insights for researchers and Android software developers, aiding prediction, risk assessment, resource allocation, and research direction. Logistic and Nakagami distributions emerged as the best-fit models for average monthly impact values and monthly vulnerability counts, respectively. Finally, statistical methods perform better against known artificial intelligence methods for small data sets or more clearly defined data due to their flexible features such as comprehensibility, amount of data, need for calculation, and data independence.

Investigation of Certain Cognitive and Metacognitive Factors Affecting Anxiety and Depression Symptoms Through Parallel Serial Mediation Models

Objective: This study aims to investigate the parallel serial mediating effects of cognitive flexibility, attentional control, and worry in the relationship between rumination—which has been repeatedly proven to persist in the etiology of depression—and the symptoms of depression. This model will also be tested with anxiety symptoms. Method: The study involved 832 university students, all emerging adults. The Personal Information Form, Ruminative Thought Style Questionnaire, Penn State Worry Questionnaire, Cognitive Flexibility Inventory, Attentional Control Scale, and Depression, Anxiety, and Stress Scale Short Form were used. Results: In two separate parallel serial mediation analyses, where gender was included as a control variable and depression and anxiety symptoms were included as dependent variables, the findings of the significant models were consistent. Accordingly, in both models in which both depression and anxiety are predicted, while the parallel serial mediation effect of cognitive flexibility and worry was significant (respectively; B=.003, SE=.001, %95 BCa CI [.001, .005]; B=.004, SE=.001, %95 BCa CI [.003, .007]), the parallel serial mediation effect of cognitive flexibility and attentional control was not significant (respectively; B=.000, SE=.000, %95 BCa CI [-.001, .001]; B=.00, SE=.00, %95 BCa CI [-.001, .001]). Conclusion: The findings of models that include certain cognitive and metacognitive factors seem to support the idea proposed by the transdiagnostic approach that there are common vulnerability factors in the explanation of disorders.

Comparative Analysis of Machine Learning Models to Predict Common Vulnerabilities and Exposure

Predicting Common Vulnerabilities and Exposures (CVE) is a challenging task due to the increasing complexity of cyberattacks and the vast amount of threat data available. Effective prediction models are crucial for enabling cybersecurity teams to respond quickly and prevent potential exploits. This study aims to provide a comparative analysis of machine learning techniques for CVE prediction to enhance proactive vulnerability management and strengthening cybersecurity practices. The supervised machine learning model which is Gaussian Naive Bayes and unsupervised machine learning models that utilize clustering algorithms which are K-means and DBSCAN were employed for the predictive modelling. The performance of these models was compared using performance metrics such as accuracy, precision, recall, and F1-score. Among these models, the Gaussian Naive Bayes achieved an accuracy rate of 99.79%, and outperformed the clustering-based machine learning models in effectively determining the class labels or results of the data it was trained on or tested against. The outcome of this study will provide a proof of concept to Cybersecurity Malaysia, offering insights into the CVE model.

Common Security Vulnerabilities in Android Apps: a Comprehensive Guide

Common Security Vulnerabilities in Android Apps: a Comprehensive Guide

Cybersecurity strategies for non-profit organizations

The paper explores effective cybersecurity strategies tailored for non-profit organizations, addressing their unique challenges of limited resources and sensitive data handling. It examines the current threat landscape, highlighting common vulnerabilities such as phishing attacks, ransomware, and data breaches. The research presents key cybersecurity strategies, including risk assessment and management, employee training and awareness, implementation of technical controls, data protection and privacy measures, and third-party risk management. Cost-effective solutions are emphasized, focusing on open-source security tools, cloud-based services, and collaborative information-sharing networks. The study concludes that by adopting a holistic approach encompassing people, processes, and technology, non-profits can significantly enhance their security posture and resilience against cyber threats, ensuring the continuity of their critical missions while operating within resource constraints.

Decision Making in the Searching Weakness Process of Server Side Web Application.

The vulnerability search process consists of three stages. At the first stage, the weakness of software and firmware components is identified and their suitability for exploitation. The second stage is devoted to choosing an existing or developing a new exploit for the identified weakness. The third stage configures the usability and reliability of the exploit for the identified vulnerability. The vulnerability of the system of the cyber protection object to negative technical impact is always based on the exploitation of its defects. Weakness identification with applicability assessment is a multi-stage process of choosing solutions under conditions of uncertainty. The efficiency of the weakness search process can be improved by using decision making theory. The idea is to reduce uncertainty by using an information model to search for weakness and to make it possible to process it quantitative analysis. For quantitative analysis, classical criteria for choosing solutions under uncertainty conditions were used. The information model is a hierarchy, has four levels and includes four types of elements. First level consists a techniques of Initial Access. First level consists a techniques of Initial Access, second – of category wekness Web Application. The third and fourth levels of assessment, respectively, of weaknesses and vulnerabilities. The expediency, rationality and reasonableness of solutions for finding defects is based on the application of proven sources of world-class expert experience. Thus, Adversarial Tactics, Techniques & Common Knowledge (ATT&CK) defines Server-side Web Application class systems as an attractive attack target for hackers with the highest average number of potential defects in at least three components: Web Server, Web Application Server, DBMS Server. To find out the distribution of Server-side Web Application defects by characteristic classes, it is necessary to use the Open Worldwide Application Security Project (OWASP), for a detailed study of them - Common Weakness Enumeration (CWE). The application of the National Vulnerability Database (NVD) and Common Vulnerabilities and Exposures (CVE) complements the evaluation of the found defect.

Developmental milestones and terrorism: age-linked variations in risk assessment

PurposeAgainst a backdrop of an increasingly younger terrorist cohort within His Majesty’s Prison and Probation Service, this study aims to explore the relationship between age and various Extremism Risk Guidance 22+ (ERG22+) assessment outcomes.Design/methodology/approachA database of 490 individuals was developed by coding content of ERG22+ reports from 2010 to 2021, equating to nearly all cases in England and Wales across this time period. Socio-demographic information, offending histories, online activities and risk factors were coded for all individuals. This study focuses on 465 individuals convicted of terrorist/terrorist-related offending, with statistical analyses used to compare three age groups: “20 and under” (61 cases), 21–25 (133 cases) and “26 and over” (271 cases).FindingsSignificant associations were found between presence of certain behaviours/characteristics and age groups. For those aged 20 and under, a heightened propensity for excitement, comradeship and adventure, along with greater susceptibility to influence and need for status were generally key to offending pathways, with a diminished likelihood of a prior criminal history. Of the three ERG22+ dimensions, findings indicate a weak but significant negative correlation between age and engagement levels.Practical implicationsRecommendations include ensuring extremism risk assessments reflect age-specific behaviours and tendencies, that interventions are tailored to address common age-related vulnerabilities, and the need for age-specific policies to support and manage children and young adults within the counter-terrorism space.Originality/valueThese novel findings point towards notable developmental milestones in adolescence, affecting behavioural tendencies and risk. This underscores the importance of age as a determinant when interpreting extremism risk assessments.

Identifying and Mitigating Web Application Vulnerabilities: A Comparative Study of Countermeasures and Tools

In the current age of technology, web applications and websites have experienced significant growth. This expansion has made their security a critical area of research. Web applications offer benefits, which makes user’s lives easier. In this paper, common web application vulnerabilities and effective strategies to mitigate the vulnerabilities are identified using a comparative study of countermeasures and open-source web application vulnerability assessment tools. Specifically, the top ten web application vulnerabilities and their countermeasures are investigated. Accordingly, several open-source vulnerability assessment tools are also introduced. The review highlights that with the developments and deployments of web applications on the internet, users are chased by a remarkable number of cyber-attacks. Attackers take advantage of available vulnerabilities in a web application or website, such as SQL injections, cross-site scripting, and broken authentications. This paper concludes by providing the best practices to mitigate cyber-attacks on web applications and suggests future directions for enhancing vulnerability assessment through machine learning techniques

The Role of Sustainable Competitiveness Indicator in Malaysian Tourism and Economic Growth

Abstract This paper proposes a sustainable competitiveness indicator for the state of tourism vulnerability in the Malaysian tourism market. Further investigation has also been done on the time-frequency and lead-lag relationship of the indicator with tourism development and economic growth. The resultant indicator is consisted of 12 variables, identified based on the pillars of sustainability and competitiveness to extract a common vulnerability component using a dynamic approximate factor model. The model’s accuracy rate was at a promising 92% based on the variable importance assessment using random forest algorithms. Through the implementation of bivariate wavelet coherence analysis, the empirical results indicated that the constructed indicator has a positive leading role in Malaysian tourism development and economic growth. This indicator can be embedded within an early warning system to signify vulnerabilities in the Malaysian tourism market.

System Security Testing Using The Penetration Testing Method on The Palapa Vocational School Library Website

The Palapa Library utilizes its website as the primary platform for providing information and services to users. However, the presence of vulnerabilities in the website poses significant threats to data and system security. This study aims to identify and analyze vulnerabilities on the Palapa Library website using the Penetration Testing method based on the NIST SP 800-115 standard. This method involves four stages: planning, discovery, attack, and reporting. The testing results identified two major vulnerabilities: sensitive information disclosure and SQL Injection. Once the vulnerabilities were identified, their severity levels were assessed using the Common Vulnerability Scoring System (CVSS) version 3.1. CVSS provides scores for the vulnerabilities, helping prioritize remediation efforts from the highest to the lowest risk. Based on the assessment results, appropriate remediation measures were developed to enhance the security of the Palapa Library website. This study is expected to serve as a reference for preventing similar security threats in the future and assisting other institutions facing similar challenges in improving the security of their information systems.