Vulnerabilities’ CVSS scores soon to be assigned by AI

Get a copy of the upcoming book "Secure Operations Technology"

The National Institute of Standards and Technology (NIST) is planning to use IBM’s Watson to evaluate how critical publicly reported computer vulnerabilities are and assign an appropriate severity score.

AI assigns CVSS scores

CVSS scores

Publicly known information-security vulnerabilities are usually assigned a CVE number to serve as an ID and make it easier for everybody to track, and a Common Vulnerability Scoring System (CVSS) score, to make it easier for companies to prioritize responses and resources according to the threat.

CVSS scores range from 0.0 to 10.0 and are calculated by taking into consideration things like:

  • The complexity of an attack that can result in the exploitation of a vulnerability
  • Whether the attack requires use interaction
  • Whether the effect of the attack on confidentiality, integrity and availability of the target system and the data is manipulates is none, low, or high, and so on.

CVSS scores are still assigned by NIST’s human analysts, and the process is time-consuming.

According to Matthew Scholl, chief of the National Institute of Standards and Technology’s computer security division, it takes analysts 5 to 10 minutes to calculate a score for simple vulnerabilities and far longer for new, unusual and complex ones.

But, as the number of reported vulnerabilities keeps increasing with each passing year (and especially with the advent of IoT), the burden on NIST analysts is getting heavier.

IBM Watson calculates CVSS scores

To free up their analysts’ time and allow them to concentrate on more important matters, NIST is testing whether an artificial intelligence system such as Watson can take over for them.

So far, the results are encouraging.

Scholl told NextGov that, for a while now, Watson has been tasked with poring through historical reports, data and CVSS scores from the institute’s human analysts and assigning its own scores.

The test revealed that Watson does extremely well when it comes to common vulnerabilities, but has trouble assigning an appropriate score for novel and/ or complex ones.

Luckily, it also releases a confidence percentage for each CVSS score and if that percentage is lower than a predefined threshold (high 90s), a human analyst is tasked to take a look at it and come up with a suitable score.

NIST plans to use Watson to assign risk scores to most publicly reported vulnerabilities by October 2019, if the program is securely integrated with other NIST systems and is able to handle the workload.

They are also looking into using the technology in other NIST areas.