KR-102962947-B1 - SYSTEM AND METHOD FOR CALCULATING VULNERABILITY SCORES BASED ON MULTIPLE EXTERNAL DATA SOURCES AND ADVANCED DATA FUSION
Abstract
The present invention relates to a vulnerability assessment and scoring system for cyber security threat management, comprising: a data collection module that collects raw vulnerability-related data from multiple heterogeneous external data sources and internal data sources; a preprocessing normalization module that standardizes the collected raw vulnerability-related data into a consistent format; a data fusion integration module that combines the standardized raw vulnerability-related data to generate an integrated view for each vulnerability; a contextualization engine that configures contextualized vulnerability data by reflecting organization-specific contextual information in the integrated vulnerability view generated through the data fusion integration module; and a vulnerability scoring module that calculates a vulnerability score using a predefined scoring algorithm for the contextualized vulnerability data configured through the contextualization engine.
Inventors
- 고인구
Assignees
- 주식회사 위드네트웍스
Dates
- Publication Date: 20260511
- Application Date: 20250701
Claims (14)
- A vulnerability score calculation device comprising: a data collection module that collects raw vulnerability-related data from multiple heterogeneous external data sources providing vulnerability information and from internal data sources provided by an organization's internal systems that can be linked with that vulnerability information; a preprocessing normalization module that standardizes the collected raw vulnerability-related data into a consistent format; a data fusion integration module that combines the standardized raw vulnerability-related data to generate an integrated view of each vulnerability; a contextualization engine that configures contextualized vulnerability data by reflecting organization-specific context information in the integrated vulnerability view generated by the data fusion integration module; and a vulnerability score calculation module that calculates a vulnerability score by applying a predefined score calculation algorithm to the contextualized vulnerability data configured by the contextualization engine; wherein the preprocessing normalization module maps vendor- and platform-specific vulnerability identifiers to Common Vulnerabilities and Exposures (CVE) identifiers, standardizes software and hardware identifiers to Common Platform Enumeration (CPE) or internal asset identifiers, and normalizes the attributes and values of each data field; wherein the data fusion integration module, using the CVE identifiers in the multiple normalized raw vulnerability data, links each National Vulnerability Database (NVD) entry for a given CVE with that CVE's Known Exploited Vulnerabilities (KEV) status, threat intelligence reports mentioning the CVE, and internal asset data affected by the CVE, to generate an integrated data view; and wherein the contextualization engine constructs and updates a knowledge graph representing the relationships between vulnerabilities, assets, and threats by reflecting, as context information, asset importance derived from analysis of asset inventory data, network context data on asset network location and accessibility, data on the status of applied security controls, and business impact analysis results quantifying the potential losses that may occur if vulnerabilities of specific assets are exploited.
- The vulnerability score calculation device of claim 1, wherein the heterogeneous external data sources include at least one of a public vulnerability database, a language- or platform-specific security database, an exploit information database, a weakness enumeration database, a threat intelligence feed, and a monitoring service.
- The vulnerability score calculation device of claim 1, wherein the internal data sources include at least one of an asset management system, a CMDB (Configuration Management Database), a SIEM (Security Information and Event Management) system, a patch management system, and a configuration management database.
- (deleted)
- (deleted)
- (deleted)
- (deleted)
- The vulnerability score calculation device of claim 1, wherein the score calculation algorithm is one of a weighting model, a knowledge graph-based scoring model, a Markov Chain Monte Carlo-based model, and a machine learning model, or a hybrid model combining these.
- The vulnerability score calculation device of claim 8, wherein the weighting model assigns weights to factors including at least one of a Common Vulnerability Scoring System (CVSS) base score, an Exploit Prediction Scoring System (EPSS)-based exploitability score, a Known Exploited Vulnerabilities (KEV) status, a threat intelligence score, asset importance, and a Security Information and Event Management (SIEM) alert correlation, and wherein the weights are dynamically adjustable.
- The vulnerability score calculation device of claim 8, wherein the knowledge graph-based score calculation queries a knowledge graph representing vulnerabilities, assets, and threats to perform at least one of centrality measurement, attack path analysis, and risk propagation modeling.
- The vulnerability score calculation device of claim 8, wherein the Markov Chain Monte Carlo-based model models vulnerability risk, including vulnerability characteristics, exploitability, threat actor information, asset attributes, and security control status, as a probability distribution and estimates a score from that probability distribution.
- The vulnerability score calculation device of claim 8, wherein the machine learning model predicts a risk score or category by learning patterns and correlations among multiple input features contained in the vulnerability data, including Common Vulnerability Scoring System (CVSS) metrics, Exploit Prediction Scoring System (EPSS) scores, Known Exploited Vulnerabilities (KEV) status, threat actor activity, asset attributes, and Security Information and Event Management (SIEM) alert patterns.
- The vulnerability score calculation device of claim 1, further comprising a result providing module that provides a vulnerability list, the vulnerability score, the context information reflected in the score calculation, and supporting information.
- A vulnerability score calculation method performed by a vulnerability score calculation device, the method comprising: a data collection step of collecting raw vulnerability-related data from multiple heterogeneous external data sources providing vulnerability information and from internal data sources provided by an organization's internal systems that can be linked with that vulnerability information; a preprocessing normalization step of standardizing the collected raw vulnerability-related data into a consistent format; a data fusion integration step of combining the standardized raw vulnerability-related data to generate an integrated view of each vulnerability; a contextualization step of configuring contextualized vulnerability data by reflecting organization-specific context information in the integrated view of the vulnerability; a vulnerability score calculation step of calculating a vulnerability score by applying a predefined score calculation algorithm to the contextualized vulnerability data; and a result providing step of providing the vulnerability score and vulnerability information; wherein the preprocessing normalization step maps vendor- and platform-specific vulnerability identifiers to Common Vulnerabilities and Exposures (CVE) identifiers, standardizes software and hardware identifiers to Common Platform Enumeration (CPE) or internal asset identifiers, and normalizes the attributes and values of each data field; wherein the data fusion integration step, using the CVE identifiers in the multiple normalized raw vulnerability data, links each National Vulnerability Database (NVD) entry for a given CVE with that CVE's Known Exploited Vulnerabilities (KEV) status, threat intelligence reports mentioning the CVE, and internal asset data affected by the CVE, to generate an integrated data view; and wherein the contextualization step constructs and updates a knowledge graph representing the relationships between vulnerabilities, assets, and threats by reflecting, as context information, asset importance derived from analysis of asset inventory data, network context data on asset network location and accessibility, data on the status of applied security controls, and business impact analysis results quantifying the potential losses that may occur if vulnerabilities of specific assets are exploited.
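As an added worked example (not code from the patent or its assignee), the following Python sketch shows the identifier normalization and CVE-keyed fusion of claim 1 together with the weighting model of claim 9. Every feed record is constructed sample data, and the weights, the 0..1 scaling of each factor and the five-alert cap for SIEM correlation are assumptions made here.

```python
# Added example, not the patent's own code. All feed records below are
# constructed sample data; weights and scaling choices are assumptions.
# Vendor advisory ids that the normalization step maps onto CVE ids (claim 1).
VENDOR_ID_TO_CVE = {"ACME-SA-2025-001": "CVE-2025-0001"}
NVD = {  # public vulnerability database: CVSS base score and affected CPE
    "CVE-2025-0001": {"cvss_base": 9.8, "cpe": "cpe:2.3:a:acme:app:1.0:*:*:*:*:*:*:*"},
    "CVE-2025-0002": {"cvss_base": 5.3, "cpe": "cpe:2.3:a:acme:lib:2.1:*:*:*:*:*:*:*"},
}
KEV = {"CVE-2025-0001"}                                  # known-exploited catalogue
EPSS = {"CVE-2025-0001": 0.91, "CVE-2025-0002": 0.02}   # exploit probability, 0..1
THREAT_REPORTS = [{"vuln_id": "ACME-SA-2025-001", "score": 0.8}]  # keyed by vendor id
ASSETS = [  # internal inventory: CPE of installed software plus importance 0..1
    {"asset_id": "srv-db-01", "cpe": "cpe:2.3:a:acme:app:1.0:*:*:*:*:*:*:*", "importance": 1.0},
    {"asset_id": "ws-042", "cpe": "cpe:2.3:a:acme:lib:2.1:*:*:*:*:*:*:*", "importance": 0.3},
]
SIEM_ALERTS = {"srv-db-01": 3}                           # alert count per asset

# Assumed weights for the six factors of claim 9; passing a different dict to
# weighted_score() is the "dynamically adjustable" part.
DEFAULT_WEIGHTS = {"cvss": 0.25, "epss": 0.25, "kev": 0.15,
                   "threat": 0.10, "asset": 0.15, "siem": 0.10}


def normalize_id(identifier: str) -> str:
    """Map a vendor- or platform-specific id to its CVE id; CVE ids pass through."""
    return VENDOR_ID_TO_CVE.get(identifier, identifier)


def integrated_view(cve: str) -> dict:
    """Fuse the normalized feeds into one record keyed by CVE (claim 1 fusion step)."""
    nvd = NVD[cve]
    affected = [a for a in ASSETS if a["cpe"] == nvd["cpe"]]
    reports = [r for r in THREAT_REPORTS if normalize_id(r["vuln_id"]) == cve]
    return {"cve": cve, "cvss_base": nvd["cvss_base"], "epss": EPSS.get(cve, 0.0),
            "kev": cve in KEV, "assets": affected,
            "threat_score": max((r["score"] for r in reports), default=0.0)}


def weighted_score(view: dict, weights: dict = DEFAULT_WEIGHTS) -> float:
    """Contextualized 0..10 score: each factor scaled to 0..1, then weighted."""
    assets = view["assets"]
    factors = {
        "cvss": view["cvss_base"] / 10.0,
        "epss": view["epss"],
        "kev": 1.0 if view["kev"] else 0.0,
        "threat": view["threat_score"],
        "asset": max((a["importance"] for a in assets), default=0.0),
        # SIEM alert correlation over affected assets, capped at five alerts -> 1.0
        "siem": min(sum(SIEM_ALERTS.get(a["asset_id"], 0) for a in assets) / 5.0, 1.0),
    }
    return 10.0 * sum(weights[k] * factors[k] for k in factors) / sum(weights.values())
```

With these inputs the KEV-listed, internet-facing database vulnerability scores 9.125 and the workstation library issue 1.825, whereas CVSS alone would rank them 9.8 against 5.3.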
Description
System and Method for Calculating Vulnerability Scores Based on Multiple External Data Sources and Advanced Data Fusion
The present invention relates to a vulnerability assessment and scoring system for cyber security threat management in the field of information security technology, and more specifically to a technology that calculates accurate and predictive vulnerability scores with machine learning and knowledge graph-based algorithms by normalizing and fusing information collected from multiple external data sources and reflecting the context of the organization's environment and asset characteristics.
In the modern IT environment, rapidly identifying system and software vulnerabilities, assessing their severity, and deciding remediation priorities has become a critical task for responding effectively to cyber threats. However, a phenomenon recently termed "CVE (Common Vulnerabilities and Exposures) shock" has emerged, characterized by a rapid surge in the volume and complexity of vulnerabilities. Consequently, security teams face significant difficulty in deciding which vulnerabilities to prioritize with limited resources. In particular, existing vulnerability assessment methods tend to focus on theoretical severity rather than actual risk, so that resources are spent on low-priority vulnerabilities while threats with a high probability of actual attack are overlooked.
The Common Vulnerability Scoring System (CVSS), the representative vulnerability assessment system, calculates scores from Base, Temporal, and Environmental metrics; however, its results can be subjective, and it does not adequately reflect specific organizational environments, business impacts, or asset values. Furthermore, because the scores themselves are static and do not reflect real-time threat conditions, they cannot account in a timely manner for dynamic factors such as the spread of attack code or patch status. Consequently, relying entirely on CVSS can lead to prioritization errors in which vulnerabilities that actually require priority response are overlooked or, conversely, unimportant vulnerabilities are overemphasized.
The Exploit Prediction Scoring System (EPSS), which adds the predictive dimension of exploitability that CVSS lacks, uses machine learning to predict short-term exploitability but does not sufficiently consider the actual impact of a vulnerability or the organization's specific threat scenarios. Traditional methods such as vulnerability scanners and penetration testing also have limitations, including visibility limited to known CVEs (Common Vulnerabilities and Exposures), severity-based prioritization lacking business context, and high cost.
Meanwhile, existing vulnerability management systems generally rely on a single vulnerability database, such as the National Vulnerability Database (NVD), to collect and analyze vulnerability information. Because different external data sources hold unique information and follow different update cycles, reliance on a single source can cause specific vulnerabilities to be missed or responses to be delayed. To overcome these limitations of existing systems, a system is needed that provides a holistic view of vulnerability risk by combining a comprehensive, dynamic, context-aware, and predictive vulnerability score calculation mechanism with diverse external data feeds.
FIG. 1 is an overall configuration diagram of a vulnerability score calculation device utilizing a plurality of external data sources and advanced data fusion according to one embodiment of the present invention. FIG. 2 is a block diagram illustrating the functions of a vulnerability score calculation device utilizing a plurality of external data sources and advanced data fusion according to an embodiment of the present invention. FIG. 3 is a flowchart illustrating a method for calculating a vulnerability score using a plurality of external data sources and advanced data fusion according to an embodiment of the present invention.
Specific embodiments of the present invention are described in detail below with reference to the drawings. However, the concept of the present invention is not limited to the presented embodiments. Those skilled in the art who understand the concept of the present invention could easily propose other, even inferior, inventions or other embodiments falling within the scope of that concept by adding, changing, or deleting components within the same scope, and these are also to be regarded as falling within the scope of the concept of the present invention. Furthermore, the terms used below are defined considering their functions in the present invention; since these may vary according to the inventor's intent or convention, their definitions should be based on th