Again, we're talking about recommender systems and today we look at a system that aims to mitigate software vulnerabilities.
Identifying and addressing vulnerabilities is crucial for organizations, but it can be a difficult task due to the large number of software assets they manage. This involves tracking vulnerability notifications for various hardware and software packages from multiple vendors and third-party managers. Software vulnerability databases can help by providing standardized formats and a common identifier, but it's still a challenging task for cybersecurity analysts to match their inventory with the database. This can lead to missing out on new vulnerabilities and delays in identifying applicable ones.
The paper proposes a recommender system that takes the Common Product Enumerations (CPEs) associated with newly discovered vulnerabilities and matches them to the software a company uses, so that unpatched vulnerabilities in the company's inventory can be found easily. To achieve this, the system uses natural language processing to extract the topics and context of software and vulnerability descriptions, fuzzy matching to make sure no candidate matches are missed, and similarity calculations to rank the recommendations.
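As an added illustration (not code from the paper or from this post), the sketch below shows the shape of such a matching pipeline: advisory CPE 2.3 strings are parsed, inventory names are normalized, a fuzzy string similarity (difflib, standing in for the paper's NLP and similarity calculations) scores each inventory item against each advisory, and a version check filters out non-applicable versions. Advisory ids, vendors, products and inventory entries are constructed placeholders.

```python
import difflib
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Cpe:
    vendor: str
    product: str
    version: str


def parse_cpe23(cpe: str) -> Cpe:
    """Parse a CPE 2.3 formatted string into vendor, product and version.

    Layout: cpe:2.3:part:vendor:product:version:update:edition:language:
            sw_edition:target_sw:target_hw:other (13 colon-separated fields).
    Escaped colons inside values are not handled in this sketch."""
    fields = cpe.split(":")
    if len(fields) != 13 or fields[0] != "cpe" or fields[1] != "2.3":
        raise ValueError(f"not a CPE 2.3 string: {cpe}")
    return Cpe(vendor=fields[3], product=fields[4], version=fields[5])


def normalize(name: str) -> str:
    """Lowercase and fold separators so 'Widget Server' ~ 'widget_server'."""
    return re.sub(r"[^a-z0-9]+", "_", name.lower()).strip("_")


def match_score(item_name: str, item_version: str, cpe: Cpe) -> float:
    """Fuzzy name similarity in [0, 1]; 0 if the CPE version excludes the item."""
    if cpe.version != "*" and cpe.version != item_version:  # '*' = any version
        return 0.0
    name = normalize(item_name)
    candidates = (cpe.product, f"{cpe.vendor}_{cpe.product}")
    return max(difflib.SequenceMatcher(None, name, c).ratio() for c in candidates)


def recommend(inventory, advisories, threshold=0.6):
    """Return (item, advisory_id, score) triples at or above the threshold."""
    hits = []
    for item_name, item_version in inventory:
        for adv in advisories:
            score = max(match_score(item_name, item_version, parse_cpe23(c))
                        for c in adv["cpes"])
            if score >= threshold:
                hits.append((item_name, adv["id"], round(score, 2)))
    return sorted(hits, key=lambda h: (-h[2], h[0], h[1]))


# Constructed sample data: placeholder advisory ids and invented products.
ADVISORIES = [
    {"id": "ADV-0001", "cpes": ["cpe:2.3:a:acme:widget_server:2.4:*:*:*:*:*:*:*"]},
    {"id": "ADV-0002", "cpes": ["cpe:2.3:a:acme:widget_server:2.3:*:*:*:*:*:*:*"]},
    {"id": "ADV-0003", "cpes": ["cpe:2.3:a:bolt:gizmo_db:*:*:*:*:*:*:*:*"]},
]
INVENTORY = [("Acme Widget Server", "2.4"), ("WidgetServer Enterprise", "2.4"), ("Gizmo DB", "9.1")]
```

Running `recommend(INVENTORY, ADVISORIES)` pairs both Widget Server spellings with ADV-0001 (the misspelt one only through fuzzy matching), Gizmo DB with ADV-0003, and drops ADV-0002 because its CPE names version 2.3.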
The researchers evaluate the efficiency of their tool against a human analyst, and the tool wins easily. Perhaps this is a step in the right direction?
But let's not forget that the human element is very important and will stay essential in cyber security!