A Recommender System for Tracking Vulnerabilities

Abstract

Mitigating vulnerabilities in software requires first identifying the vulnerabilities with an organization’s software assets. This seemingly trivial task involves maintaining vendor product vulnerability notification for a kludge of hardware and software packages from innumerable software publishers, coding projects, and third-party package managers. On the other hand, software vulnerability databases are often consistently reported and categorized in clean, standard formats and neatly tied to a common software product enumerator (i.e., CPE). Currently it is a heavy workload for cybersecurity analysts at organizations to match their hardware and software package inventory to target CPEs. This hinders organizations from getting notifications for new vulnerabilities, and identifying applicable vulnerabilities. In this paper, we present a recommender system to automatically identify a minimal candidate set of CPEs for software names to improve vulnerability identification and alerting accuracy. The recommender system uses a pipeline of natural language processing, fuzzy matching, and machine learning to significantly reduce the human effort needed for software product vulnerability matching.