Community Based Platform for Vulnerability Categorization Jana Kom´ arkov´ a ∗† , Luk´ aˇ s Sadlek ∗† , Martin Laˇ stoviˇ cka ∗† ∗ Institute of Computer Science, † Faculty of Informatics Masaryk University, Brno, Czech Republic {komarkova, lastovicka}@ics.muni.cz, sadlek@mail.muni.cz Abstract—Many approaches, such as attack graphs, require knowledge of vulnerability’s properties such as impact, prereq- uisities, and exploitability. Currently, those properties are either categorized manually or too roughly. We present a program for granular, automated categorization of vulnerability. Further, we present a platform supporting researchers by gathering and sharing raw data about vulnerabilities and community labeled datasets. The source code of our categorization program is available on GitHub. I. I NTRODUCTION Lot of approaches for attack prediction, attack correlation or vulnerability patching requires knowledge of vulnerability properties [1], [2], [3]. Such properties include vulnerability exploit prerequisities, impact of exploiting a vulnerability and, should we want to introduce probabilistic treatment, likelihood of successful exploit. So far all this information has been taken from manually an- alyzed data or from the semi-formalized rough categorization provided by National Vulnerability Database (NVD). How- ever, the sheer amount of disclosed vulnerabilities precludes the manual categorization as witnessed by closure of Open Sourced Vulnerability Database in 2016. Our solution gathers the publicly available information about vulnerabilities and provides both categorized data and data sources for further research of vulnerabilities’ properties. II. VULNERABILITY I NFORMATION SOURCES In this section, we describe sources of information on vulnerabilities used for vulnerability categorization. The National Vulnerability Database (NVD) 1 is a cyber security vulnerability database maintained by the National Institute of Standards and Technology (NIST) Computer Secu- rity Division. NVD provides a description of each vulnerability as well as a Common Vulnerability Scoring System (CVSS) score. CVSS score is a structured description of the principal characteristics of the vulnerability 2 . The latest version of the CVSSv3 has been used since 2016. All vulnerabilities (including the latest one) are scored using CVSSv2. Another publicly available source which will be included in our platform is vendor provided information. Each vendor 1 https://nvd.nist.gov/ 2 https://www.first.org/cvss/ provides (mostly unstructured) information about vulnerabili- ties in his products. Since the vendors are the most credible source, such information can be valuable. III. VULNERABILITY DESCRIPTION We identified three main properties that could researchers find useful: impact, prerequisities of vulnerability exploit, and probability of successful exploit. A. Impact For the purpose of attack graph building, we have created following categories of vulnerability exploit impact: • arbitrary code execution as root/administrator/system, • gain root/system/administrator privileges on system, • privilege escalation on system, • gain user privileges on system, • arbitrary code execution as user of application, • gain privileges on application, • system integrity/availability/confidentiality loss, • application integrity/availability/confidentiality loss, • communication integrity/availability/confidentiality loss. The categories are not exclusive, vulnerability can have multiple impacts on system. The categories were designed to follow the rough categorization in NVD. Granularity was added in order to more accurately model the reality. Each category captures either a attacker’s privilege gain or attacker’s capability to command or harm the target. B. Prerequisities The prerequisities are sufficiently categorized in CVSS by attack/access vector (CVSSv2/CVSSv2) and privileges required (CVSSv3). C. Likelihood of Exploit The probability of successful exploit are covered in CVSS in attack/access complexity (CVSSv2/CVSSv2), user interaction (CVSSv3) and exploitability (CVSSv2). IV. VULNERABILITY I MPACT CATEGORIZATION In this section we present a proof-of-concept program for vulnerability impact categorization. The program uses CVSSv2, CVSSv3, CPE and text description to derive the impact. It utilizes a differences between CVSSv2 and CVSSv3 methodologies, namely that the CVSSv3 impact is related 978-1-5386-3416-5/18/$31.00 c  2018 IEEE