Forecasting the number of identified information security vulnerabilities based on the theory of “Gray Systems”

Objective. The aim of the work is to assess the possibility of applying the theory of “gray systems” to build a methodology for predicting the number of identified vulnerabilities in conditions of uncertainty of influencing factors and lack of initial data, including a comparative analysis of the results of this prediction obtained using traditional and improved models of the theory of “gray systems”, as well as machine learning models.

Method. The paper describes a technique for constructing a “gray model” for predicting the number of identified vulnerabilities based on the theory of “gray systems”. The initial data for forecasting is information obtained from the CVE (Common Vulnerabilities and Exposures) vulnerability database. In the course of the study, the results of forecasting obtained using the developed “gray model” and the linear regression model implemented on the basis of the scikit-learn library and the Python programming language are analyzed.

Result. The use of a linear regression model and models based on the theory of “gray systems” to predict the number of identified vulnerabilities allows you to get close forecast values. According to data obtained from the CVE vulnerability database, information on 7,015 identified vulnerabilities was published for the 1st quarter of 2023. The forecast obtained on the basis of the traditional model of the theory of “gray systems” turned out to be the closest to the published value. It should be noted that the forecast of the “gray model” is based only on the values of the initial data and does not depend on the circumstances arising in the field of information security, which is a limitation in the use of the proposed methodology.

Conclusion. The results of the study indicate the possibility of applying the theory of “gray systems” for short-term forecasting of the number of detected vulnerabilities. The application of the developed methodology makes it possible to carry out the specified forecasting with a limited number of initial data.

1. Wang, Yu. Forecasting passenger traffic volumes based on the theory of “gray systems” Bulletin of the Belarusian State University of Transport: Science and Transport. 2021;1(42): 77-81. – EDN OKGSXG. (In Russ)

2. Deng, J. L. Introduction to grey system theory. J Grey System. 1989; 1:1-24.

3. Common Vulnerabilities and Exposures. URL: https://cve.mitre.org // (accessed 01.03.2023).

4. Bindhu, B. K. Application of grey system theory on the influencing parameters of aerobic granulation in SBR / B. K. Bindhu, G. Madhu. Environ Technol. 2017; 38(17):2143-2152.

5. Drovnikova I.G., Etepnev A.S., Rogozin E.A. Main types vulnerabilities and the relationship of security components in substantiating the reliability indicators of the information protection system against unauthorized access in automated systems. Devices and systems. Management, control, diagnostics. 2019; 3:. 59-64. (In Russ)

6. Kubarev, A.V. Approach to formalization of vulnerabilities of information systems based on their classification features. Issues of cybersecurity. 2013;2(2):29-33. – EDN SZEDHH. (In Russ)

7. Vulnerability database. FSTEC of Russia. URL: https://bdu.fstec.ru/vul (accessed: 03/04/2023).

8. Konovalenko, S. A. Identification of vulnerabilities of information systems by means of a combined method of analysis of parametric data determined by monitoring systems of computer networks. S. A. Konovalenko, I. D. Korolev. Almanac of modern science and education. 2016;1(113): 60-66. – EDN XEEDXH. (In Russ)

9. Maps of sources containing information about software vulnerabilities. A. L. Serdny, M. A. Tarelkin, A. A. Lomov, K. V. Simonov. Information and security. 2019; 22( 3): 411-422. – EDN ZOUMGN. (In Russ)

10. Fedorchenko, A.V. Research of open databases of vulnerabilities and assessment of the possibility of their application in systems of security analysis of computer networks / A.V. Fedorchenko, A. A. Chechulin, I. V. Kotenko. Information and control systems. 2014; 5(72): 72-79. – EDN SXXXKH. (In Russ)

11. Serdechnyj A.L., Gerasimov I.V., Makarov O.YU. i dr. Technology for identifying information about vulnerabilities of third-party components of open source software. Informaciya i bezopasnost’. 2020;. 23(3):347–364 – EDN PYXOUT. (In Russ)

12. Avetisyan A.I., Belevancev A.A., Chuklyaev I.I. Technologies of static and dynamic analysis of software vulnerabilities. Voprosy kiberbezopasnosti. 2014; 3(4): 20–28 – EDN SSYPXV. (In Russ)

13. Russell R. et al. Automated Vulnerability Detection in Source Code Using Deep Representation Learning. 17th IEEE International Conference on Machine Learning and Applications (ICMLA), Orlando, FL, USA. 2018; 757–762. DOI: http://dx.doi.org/10.1109/ICMLA.2018.00120.

14. Wang T., Wei T., Gu G. and Zou W. TaintScope: A Checksum-Aware Directed Fuzzing Tool for Automatic Software Vulnerability Detection. IEEE Symposium on Security and Privacy, Oakland, CA, USA. 2010; 497–512. DOI: http://dx.doi.org/10.1109/SP.2010.37.

15. Lin G., Wen S., Han Q. -L., Zhang J. and Xiang Y. Software Vulnerability Detection Using Deep Neural Networks: A Survey in Proceedings of the IEEE. Oct. 2020;108(10):1825–1848. DOI: http://dx.doi.org/10.1109/JPROC.2020.2993293.