BF-Based Vulnerability Classifications
Irena Bojanova, Inventor/Creator, PI & Lead, NIST Bugs Framework (BF), 2014 –

The BF Vulnerability Classification Model (see Figure 42) presents the process by which comprehensive BF-based systems (traditional or AI) create BF vulnerability classifications. It defines how the BF taxonomy and tools are used to generate the BFCWE and BFCVE datasets, and to query them and possibly other vulnerability-related repositories, in order to create the BFVUL datasets: diverse, multidimensional vulnerability classifications based on common properties and similarities.

Figure 1. BF Vulnerability Classification Model.

The process for the creation of BF-based vulnerability classifications involves the following steps:

  • BFCWE Dataset: Create a comprehensively labeled weakness dataset.
  • BFCVE Dataset: Create a comprehensively labeled vulnerability dataset.
  • Severity: Query the CVE for CVSS scores or use other automated approaches to determine the vulnerability severity score.
  • Platform: Query the CVE for associated CPEs.
  • Exploitation: Query the NVD and EPSS for the probability of a CVE being exploited in the next 30 days.
  • Priority: Query the NVD and KEV or use other automated approaches to determine prioritization for remediation.
  • Vulnerability Classifications: Generate multidimensional vulnerability classifications based on common properties and similarities.

Security vulnerabilities could be classified by common root causes (i.e., software or firmware bugs or hardware defect-induced bugs or faults), such as declaring a variable of a wrong data type. They could also be classified by any other BF taxons, such as propagating faults, common final errors, operation and operand attributes, identical BF specifications (i.e., chains of weaknesses), and even the number of underlying weaknesses.

The BF operation and operand attributes provide insight into the severity of the weaknesses and how they relate to commonly used scores, such as CVSS and EPSS. Their analysis would allow for deeper research on the most significant³ and most exploited⁴ weaknesses and vulnerabilities. Intriguing classifications by BF classes and CPE⁵ data may reveal systematic input/output check safety, memory safety, data type safety, and other secure coding problems by particular vendors and products. These multidimensional BF vulnerability classifications would contribute to a deeper analysis and refined understanding of security weaknesses, vulnerabilities, exploits, and failures. They would enable more focused cybersecurity research and the highly informed development of effective countermeasures against potential security threats and specific exploits.
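The steps listed above (BFCVE records joined with CVSS, CPE, EPSS and KEV data) and the classification dimensions described in the last two paragraphs, as an added example that is not part of the BF project's own tooling. The record shape, the placeholder CVE ids, vendors, scores and the KEV-first prioritization policy are all assumptions constructed for illustration.

```python
from collections import defaultdict
from dataclasses import dataclass

@dataclass(frozen=True)
class BfVulnRecord:
    """One row of a joined BFCVE + NVD/CPE/EPSS/KEV dataset (assumed shape)."""
    cve_id: str       # placeholder id, constructed for this example
    root_cause: str   # BF root-cause taxon (bug or fault that starts the chain)
    final_error: str  # BF final error that ends the weakness chain
    chain_len: int    # number of underlying weaknesses in the BF chain
    vendor: str       # vendor taken from the associated CPE
    cvss: float       # CVSS base score from the CVE/NVD record
    epss: float       # EPSS probability of exploitation in the next 30 days
    kev: bool         # True if the CVE is listed in the KEV catalog

RECORDS = [  # constructed sample rows; ids, vendors and scores are illustrative only
    BfVulnRecord("CVE-XXXX-0001", "wrong data type declared", "buffer overflow", 2, "vendorA", 9.8, 0.71, True),
    BfVulnRecord("CVE-XXXX-0002", "wrong data type declared", "integer overflow", 1, "vendorA", 7.5, 0.05, False),
    BfVulnRecord("CVE-XXXX-0003", "missing input check", "buffer overflow", 2, "vendorB", 8.8, 0.42, True),
    BfVulnRecord("CVE-XXXX-0004", "missing input check", "injection", 1, "vendorB", 6.1, 0.01, False),
    BfVulnRecord("CVE-XXXX-0005", "wrong data type declared", "buffer overflow", 3, "vendorB", 9.1, 0.20, False),
]

def classify(records, *dims):
    """Group records along one or more BF/CVE dimensions (attribute names)."""
    groups = defaultdict(list)
    for r in records:
        groups[tuple(getattr(r, d) for d in dims)].append(r)
    return dict(groups)

def summarize(group):
    """Severity and exploitation profile of one classification bucket."""
    n = len(group)
    return {
        "count": n,
        "mean_cvss": round(sum(r.cvss for r in group) / n, 2),
        "max_epss": max(r.epss for r in group),
        "kev_count": sum(r.kev for r in group),
    }

def priority_order(records):
    """Remediation order: KEV entries first, then by EPSS, then by CVSS (assumed policy)."""
    return [r.cve_id for r in sorted(records, key=lambda r: (not r.kev, -r.epss, -r.cvss))]

if __name__ == "__main__":
    for dims in (("root_cause",), ("vendor", "final_error"), ("chain_len",)):
        for key, grp in sorted(classify(RECORDS, *dims).items()):
            print(dims, key, summarize(grp))
    print(priority_order(RECORDS))
```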


BF PATENT PENDING
U.S. Patent Application No. PCT/US2025/038662 Bugs Framework (BF): A System for Formal Specification of Cybersecurity Weaknesses and Vulnerabilities, Definition of Secure Coding Principles, and Generation of Weakness and Vulnerability Datasets and Vulnerability Classifications. Inventor: Irena Bojanova, NIST.

BF CITATION:
Bojanova I (2024) Bugs Framework (BF): Formalizing Cybersecurity Weaknesses and Vulnerabilities. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP), NIST SP 800-231. https://doi.org/10.6028/NIST.SP.800-231