# F4. AI-Driven Mitigation Recommendations

1. Explain My Top Risk
    * Input: asset name
    * Output: “These CVEs pose the highest risk because…”, plus mitigation hints.
2. Mitigation Roadmap
    * Input: list of high-risk CVEs or asset
    * Output: prioritized step-by-step action plan (patch, config hardening, monitoring).
3. Risk Trend Insights
    * Input: date range
    * Output: narrative on emerging risk patterns (e.g., “Web servers saw a 40% spike in Critical CVEs in Q1 2025…”)

In [65]:
from openai import OpenAI
import os
import pandas as pd

# Config
api_key = os.getenv("OPENAI_API_KEY")
if not api_key:
    raise RuntimeError("API key not set.")
client = OpenAI(api_key=api_key)
asset_scores = pd.read_csv('../data/asset_risk_summary.csv')
vuln_scores = pd.read_csv('../data/cve_vuln_summary.csv')
vul_catalogue = pd.read_csv('../data/vuln_catalogue_v2.csv')

# Tidy up
scores = pd.merge(asset_scores,vuln_scores,how='inner',on=['cpeName','Title'])
scores.sort_values(by='riskScore').head(10)
df0 = pd.merge(vul_catalogue,scores, how='inner', on=['Title','cpeName','cveID'])
df0.drop(columns=['Unnamed: 0','vectorString','WrittenAt'],inplace=True,axis=1)
df = df0.sort_values(by='riskScore', ascending=False)
top10 = df.head(5)

In [66]:
top10.head()

Unnamed: 0,sid,Title,cpeName,cveID,published,last_modified,baseScore,exploitabilityScore,impactScore,baseSeverity,...,integrityImpact,availabilityImpact,cwes,description,references,tags,full_json,MaxRiskScore,countHighRiskCVEs (>7.0),riskScore
402,402,Oracle Database Server 19c,cpe:2.3:a:oracle:database_server:19c:*:*:*:*:*...,CVE-2020-1953,2020-03-13T15:15:11.373,2024-11-21T05:11:43.567,10.0,3.9,6.0,CRITICAL,...,HIGH,HIGH,NVD-CWE-noinfo,Apache Commons Configuration uses a third-part...,https://lists.apache.org/thread.html/d0e00f2e1...,"Third Party Advisory, Third Party Advisory","{'cve': {'id': 'CVE-2020-1953', 'sourceIdentif...",7.47,3,7.47
441,441,Microsoft Exchange Server 2019 Cumulative Upda...,cpe:2.3:a:microsoft:exchange_server:2019:cumul...,CVE-2024-21410,2024-02-13T18:15:59.680,2024-11-29T15:28:11.497,9.8,3.9,5.9,CRITICAL,...,HIGH,HIGH,CWE-287;NVD-CWE-noinfo,Microsoft Exchange Server Elevation of Privile...,https://msrc.microsoft.com/update-guide/vulner...,"Patch, Vendor Advisory, Patch, Vendor Advisory","{'cve': {'id': 'CVE-2024-21410', 'sourceIdenti...",7.35,1,7.35
424,424,Microsoft Exchange Server 2019,cpe:2.3:a:microsoft:exchange_server:2019:-:*:*...,CVE-2019-0586,2019-01-08T21:29:02.207,2024-11-21T04:16:54.737,9.8,3.9,5.9,CRITICAL,...,HIGH,HIGH,CWE-787,A remote code execution vulnerability exists i...,http://www.securityfocus.com/bid/106421 | http...,"Third Party Advisory, VDB Entry, Patch, Vendor...","{'cve': {'id': 'CVE-2019-0586', 'sourceIdentif...",7.35,2,7.35
320,320,Fortinet FortiGate 7000,cpe:2.3:h:fortinet:fortigate_7000:-:*:*:*:*:*:*:*,CVE-2023-27997,2023-06-13T09:15:16.613,2025-03-10T20:40:57.323,9.8,3.9,5.9,CRITICAL,...,HIGH,HIGH,CWE-122;CWE-787,A heap-based buffer overflow vulnerability [CW...,https://fortiguard.com/psirt/FG-IR-23-097 | ht...,"Vendor Advisory, Vendor Advisory","{'cve': {'id': 'CVE-2023-27997', 'sourceIdenti...",7.35,1,7.35
383,383,Oracle Database Server 19c,cpe:2.3:a:oracle:database_server:19c:*:*:*:*:*...,CVE-2019-16942,2019-10-01T17:15:10.323,2024-11-21T04:31:23.477,9.8,3.9,5.9,CRITICAL,...,HIGH,HIGH,CWE-502,A Polymorphic Typing issue was discovered in F...,https://access.redhat.com/errata/RHSA-2019:390...,"Third Party Advisory, Third Party Advisory, Th...","{'cve': {'id': 'CVE-2019-16942', 'sourceIdenti...",7.47,3,7.35


In [67]:
cols = (['Title',
        'cpeName',
        'cveID',
        'published',
        'baseScore',
        'exploitabilityScore',
        'impactScore',
        'riskScore',
        'MaxRiskScore',
        'countHighRiskCVEs (>7.0)',
        'baseSeverity',
        'attackVector',
        'attackComplexity',
        'confidentialityImpact',
        'availabilityImpact',
        'description'])
records = top10[cols].to_dict(orient='records')

In [68]:
import json

def explain_top_risks(df, client):
    risks_json = json.dumps(records, indent=2)

    # Construct the system and user prompts
    system_prompt = (
        "You are a cybersecurity expert specializing in vulnerability risk analysis "
        "and mitigation planning with a focus on NIST's Cybersecurity Framework 2.0."
    )

    user_prompt = (
        "Below is a list of the 10 highest-risk vulnerabilities (CVEs) affecting my assets. "
        "For each item, do the following:\n"
        "1. Briefly explain why this CVE poses a high risk based on its details.\n"
        "2. Suggest concise, actionable mitigation steps or best practices.\n"
        "Present the output as a numbered list. Here are the vulnerabilities:\n"
        f"{risks_json}"
    )

    # Send to OpenAI
    response = client.chat.completions.create(
        model="gpt-4o",  # or "gpt-4", "gpt-3.5-turbo" as available
        messages=[
            {"role": "system", "content": system_prompt},
            {"role": "user", "content": user_prompt}
        ],
        max_tokens=1000,
        temperature=0.2
    )

    return response.choices[0].message.content

# Usage:
explanation = explain_top_risks(df, client)
print(explanation)

Here's a detailed analysis and mitigation plan for each of the listed vulnerabilities:

1. **CVE-2020-1953 - Oracle Database Server 19c**
   - **Risk Explanation:** This vulnerability involves Apache Commons Configuration, which can execute arbitrary code if a YAML file from an untrusted source is parsed. The critical risk stems from the potential for remote code execution with low attack complexity and high confidentiality and availability impacts.
   - **Mitigation Steps:**
     - Update Apache Commons Configuration to a version where this issue is resolved.
     - Ensure YAML files are sourced from trusted locations only.
     - Implement strict input validation and sanitization for all external data sources.

2. **CVE-2024-21410 - Microsoft Exchange Server 2019 Cumulative Update 14**
   - **Risk Explanation:** This is an elevation of privilege vulnerability in Microsoft Exchange Server, allowing attackers to gain unauthorized access and potentially execute arbitrary commands. The n

In [78]:
def get_trend_summary(df, freq='Q'):
    # Aggregates counts of CVEs by asset and severity, grouped by quarter or year.
    df['published'] = pd.to_datetime(df['published'])
    if freq == 'Q':
        df['period'] = df['published'].dt.to_period('Q')
    elif freq == 'Y':
        df['period'] = df['published'].dt.to_period('Y')
    else:
        raise ValueError("freq must be 'Q' for quarter or 'Y' for year.")
    # Group by period, asset, and severity
    trend = df.groupby(['period', 'cpeName', 'baseSeverity']).size().unstack(fill_value=0)
    return trend

# By quarter:
quarterly_trend = get_trend_summary(df, freq='Q')

# Calculate % Change (Quarter-over-Quarter)
def calculate_qoq_change(trend_df):
    # Ensure DataFrame is sorted by period
    trend_df = trend_df.sort_index(level=0)
    # Calculate the percentage change
    pct_change = trend_df.groupby('cpeName').pct_change().replace([float('inf'), -float('inf')], 0).fillna(0) * 100
    pct_change = pct_change.round(1)
    return pct_change

quarterly_change = calculate_qoq_change(quarterly_trend)
quarterly_change

Unnamed: 0_level_0,baseSeverity,CRITICAL,HIGH,LOW,MEDIUM
period,cpeName,Unnamed: 2_level_1,Unnamed: 3_level_1,Unnamed: 4_level_1,Unnamed: 5_level_1
2016Q2,cpe:2.3:a:oracle:database_server:19c:*:*:*:*:*:*:*,0.0,0.0,0.0,0.0
2018Q2,cpe:2.3:a:oracle:database_server:19c:*:*:*:*:*:*:*,0.0,-100.0,0.0,0.0
2018Q3,cpe:2.3:a:oracle:database:19c:*:*:*:enterprise:*:*:*,0.0,0.0,0.0,0.0
2018Q4,cpe:2.3:a:microsoft:exchange_server:2019:-:*:*:*:*:*:*,0.0,0.0,0.0,0.0
2018Q4,cpe:2.3:a:oracle:database_server:19c:*:*:*:*:*:*:*,0.0,0.0,0.0,0.0
...,...,...,...,...,...
2024Q2,cpe:2.3:a:adobe:acrobat_reader:20.004.30006:*:*:*:classic:*:*:*,0.0,128.6,0.0,-42.9
2024Q3,cpe:2.3:a:adobe:acrobat_reader:20.004.30006:*:*:*:classic:*:*:*,0.0,-31.2,0.0,25.0
2024Q4,cpe:2.3:a:adobe:acrobat_reader:20.004.30006:*:*:*:classic:*:*:*,0.0,-45.5,0.0,100.0
2024Q4,cpe:2.3:a:microsoft:exchange_server:2019:-:*:*:*:*:*:*,0.0,0.0,0.0,0.0


In [81]:
def generate_trend_narrative_prompt(trend_df, pct_change_df, start_period, end_period):
    # Filter the dataframes for the date range
    filtered_trend = trend_df.loc[start_period:end_period].reset_index()
    filtered_pct_change = pct_change_df.loc[start_period:end_period].reset_index()

    # Convert Period columns to strings so they're JSON serializable
    for df in (filtered_trend, filtered_pct_change):
        if 'period' in df.columns:
            df['period'] = df['period'].astype(str)

    trend_data = filtered_trend.to_dict(orient='records')
    change_data = filtered_pct_change.to_dict(orient='records')

    trend_json = json.dumps(trend_data, indent=2)
    change_json = json.dumps(change_data, indent=2)
    prompt = (
        "You are a cybersecurity risk analyst. Below are two tables:\n\n"
        "1. Raw counts of vulnerabilities (CVEs) by asset and severity for each quarter.\n"
        "2. The corresponding quarter-over-quarter percentage change for each asset and severity.\n\n"
        "Analyze the data, highlighting emerging risk patterns. Narrate where there were significant spikes or drops, and call out assets with the most notable changes. Use percentages and time periods (e.g., 'Web servers saw a 40% spike in Critical CVEs in Q1 2025').\n"
        "Finish by suggesting which assets or severities require immediate attention due to recent trends.\n\n"
        f"Raw trend data:\n{trend_json}\n\n"
        f"Quarterly percent change data:\n{change_json}\n"
    )
    return prompt



# Example: full range
prompt = generate_trend_narrative_prompt(quarterly_trend, quarterly_change, 
                                         quarterly_trend.index.get_level_values(0).min(), 
                                         quarterly_trend.index.get_level_values(0).max())

system_prompt = "You are an expert at analyzing vulnerability data for security reporting with a particular interest in NIST's Cybersecurity Framework 2.0."
user_prompt = prompt

response = client.chat.completions.create(
    model="gpt-4o",
    messages=[
        {"role": "system", "content": system_prompt},
        {"role": "user", "content": user_prompt}
    ],
    max_tokens=1000,
    temperature=0.3
)
print(response.choices[0].message.content)


### Analysis of Vulnerability Trends

#### Emerging Risk Patterns

1. **Adobe Acrobat Reader**:
   - **High Severity**: There was a significant increase in high severity vulnerabilities in Adobe Acrobat Reader, with a 466.7% increase in Q1 2022 compared to the previous quarter. This trend continued with a 111.8% increase in Q2 2022. However, there was a notable drop of 52.8% in Q3 2022.
   - **Medium Severity**: The medium severity vulnerabilities also saw a spike in Q2 2022 with a 300% increase, followed by a 54.2% decrease in Q3 2022.
   - **Recent Trends**: In Q3 2023, there was a dramatic 1800% increase in medium severity vulnerabilities, indicating a resurgence of risk. However, by Q4 2023, there was a reduction of 57.9% in medium severity vulnerabilities.

2. **Oracle Database Server 19c**:
   - **Critical and High Severity**: The critical vulnerabilities remained relatively stable with occasional spikes, such as in Q1 2019. High severity vulnerabilities saw fluctuations, with a 

### Analysis of Vulnerability Trends

#### Emerging Risk Patterns

1. **Adobe Acrobat Reader**:
   - **High Severity**: There was a significant increase in high severity vulnerabilities in Adobe Acrobat Reader, with a 466.7% increase in Q1 2022 compared to the previous quarter. This trend continued with a 111.8% increase in Q2 2022. However, there was a notable drop of 52.8% in Q3 2022.
   - **Medium Severity**: The medium severity vulnerabilities also saw a spike in Q2 2022 with a 300% increase, followed by a 54.2% decrease in Q3 2022.
   - **Recent Trends**: In Q3 2023, there was a dramatic 1800% increase in medium severity vulnerabilities, indicating a resurgence of risk. However, by Q4 2023, there was a reduction of 57.9% in medium severity vulnerabilities.

2. **Oracle Database Server 19c**:
   - **Critical and High Severity**: The critical vulnerabilities remained relatively stable with occasional spikes, such as in Q1 2019. High severity vulnerabilities saw fluctuations, with a significant increase in Q1 2020 (300% increase from the previous quarter).
   - **Medium Severity**: There was a notable 600% increase in medium severity vulnerabilities in Q4 2019, followed by a decrease in subsequent quarters.

3. **Microsoft Exchange Server 2019**:
   - **Critical Severity**: There were spikes in critical vulnerabilities in Q1 2019 and Q3 2023.
   - **Medium Severity**: Medium severity vulnerabilities showed a 100% increase in Q2 2019, followed by a 50% decrease in Q3 2019.

4. **Oracle Database 19c (Enterprise)**:
   - **Medium Severity**: There was a significant 350% increase in medium severity vulnerabilities in Q3 2022, followed by a 100% decrease in Q4 2022.

5. **Fortinet Fortigate 7000**:
   - **Critical Severity**: A critical vulnerability was reported in Q2 2023, marking a new risk for this asset.

#### Significant Spikes or Drops

- **Adobe Acrobat Reader** experienced significant fluctuations in both high and medium severity vulnerabilities, with notable spikes in Q1 and Q2 2022 and Q3 2023.
- **Oracle Database Server 19c** had a notable spike in medium severity vulnerabilities in Q4 2019.
- **Microsoft Exchange Server 2019** saw critical vulnerabilities in Q1 2019 and Q3 2023, indicating periodic high-risk periods.

#### Assets Requiring Immediate Attention

- **Adobe Acrobat Reader**: The consistent fluctuations and recent spikes in both high and medium severity vulnerabilities suggest that this asset requires immediate attention to mitigate potential risks.
- **Microsoft Exchange Server 2019**: The presence of critical vulnerabilities in recent quarters indicates a need for heightened monitoring and patching efforts.
- **Fortinet Fortigate 7000**: The emergence of a critical vulnerability in Q2 2023 suggests that this asset should be prioritized for security assessments and remediation.

Overall, the data highlights the importance of continuous monitoring and timely patching, especially for assets like Adobe Acrobat Reader and Microsoft Exchange Server, which have shown significant vulnerability trends.