{"id":"https://openalex.org/W7118938020","doi":"https://doi.org/10.48550/arxiv.2601.01308","title":"Automated SBOM-Driven Vulnerability Triage for IoT Firmware: A Lightweight Pipeline for Risk Prioritization","display_name":"Automated SBOM-Driven Vulnerability Triage for IoT Firmware: A Lightweight Pipeline for Risk Prioritization","publication_year":2026,"publication_date":"2026-01-04","ids":{"openalex":"https://openalex.org/W7118938020","doi":"https://doi.org/10.48550/arxiv.2601.01308"},"language":null,"primary_location":{"id":"doi:10.48550/arxiv.2601.01308","is_oa":true,"landing_page_url":"https://doi.org/10.48550/arxiv.2601.01308","pdf_url":null,"source":{"id":"https://openalex.org/S4306400194","display_name":"arXiv (Cornell University)","issn_l":null,"issn":null,"is_oa":true,"is_in_doaj":false,"is_core":false,"host_organization":"https://openalex.org/I205783295","host_organization_name":"Cornell University","host_organization_lineage":["https://openalex.org/I205783295"],"host_organization_lineage_names":[],"type":"repository"},"license":null,"license_id":null,"version":null,"is_accepted":false,"is_published":false,"raw_source_name":null,"raw_type":"article"},"type":"preprint","indexed_in":["datacite"],"open_access":{"is_oa":true,"oa_status":"green","oa_url":"https://doi.org/10.48550/arxiv.2601.01308","any_repository_has_fulltext":true},"authorships":[{"author_position":"first","author":{"id":"https://openalex.org/A5120757871","display_name":"Abdurrahman Tolay","orcid":null},"institutions":[],"countries":[],"is_corresponding":true,"raw_author_name":"Tolay, Abdurrahman","raw_affiliation_strings":[],"affiliations":[]}],"institutions":[],"countries_distinct_count":0,"institutions_distinct_count":1,"corresponding_author_ids":["https://openalex.org/A5120757871"],"corresponding_institution_ids":[],"apc_list":null,"apc_paid":null,"fwci":null,"has_fulltext":false,"cited_by_count":0,"citation_normalized_percentile":null,"cited_by_percentile_year":null,"biblio":{"volume":null,"issue":null,"first_page":null,"last_page":null},"is_retracted":false,"is_paratext":false,"is_xpac":false,"primary_topic":{"id":"https://openalex.org/T11424","display_name":"Security and Verification in Computing","score":0.6388999819755554,"subfield":{"id":"https://openalex.org/subfields/1702","display_name":"Artificial Intelligence"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},"topics":[{"id":"https://openalex.org/T11424","display_name":"Security and Verification in Computing","score":0.6388999819755554,"subfield":{"id":"https://openalex.org/subfields/1702","display_name":"Artificial Intelligence"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},{"id":"https://openalex.org/T11241","display_name":"Advanced Malware Detection Techniques","score":0.06809999793767929,"subfield":{"id":"https://openalex.org/subfields/1711","display_name":"Signal Processing"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},{"id":"https://openalex.org/T12034","display_name":"Digital and Cyber Forensics","score":0.048900000751018524,"subfield":{"id":"https://openalex.org/subfields/1710","display_name":"Information Systems"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}}],"keywords":[{"id":"https://openalex.org/keywords/firmware","display_name":"Firmware","score":0.8314999938011169},{"id":"https://openalex.org/keywords/triage","display_name":"Triage","score":0.6660000085830688},{"id":"https://openalex.org/keywords/vulnerability","display_name":"Vulnerability (computing)","score":0.560699999332428},{"id":"https://openalex.org/keywords/vulnerability-assessment","display_name":"Vulnerability assessment","score":0.5282999873161316},{"id":"https://openalex.org/keywords/pipeline","display_name":"Pipeline (software)","score":0.5126000046730042},{"id":"https://openalex.org/keywords/exploit","display_name":"Exploit","score":0.49810001254081726},{"id":"https://openalex.org/keywords/vendor","display_name":"Vendor","score":0.48010000586509705},{"id":"https://openalex.org/keywords/software","display_name":"Software","score":0.47780001163482666}],"concepts":[{"id":"https://openalex.org/C67212190","wikidata":"https://www.wikidata.org/wiki/Q104851","display_name":"Firmware","level":2,"score":0.8314999938011169},{"id":"https://openalex.org/C41008148","wikidata":"https://www.wikidata.org/wiki/Q21198","display_name":"Computer science","level":0,"score":0.7372999787330627},{"id":"https://openalex.org/C2777120189","wikidata":"https://www.wikidata.org/wiki/Q780067","display_name":"Triage","level":2,"score":0.6660000085830688},{"id":"https://openalex.org/C95713431","wikidata":"https://www.wikidata.org/wiki/Q631425","display_name":"Vulnerability (computing)","level":2,"score":0.560699999332428},{"id":"https://openalex.org/C167063184","wikidata":"https://www.wikidata.org/wiki/Q1400839","display_name":"Vulnerability assessment","level":3,"score":0.5282999873161316},{"id":"https://openalex.org/C43521106","wikidata":"https://www.wikidata.org/wiki/Q2165493","display_name":"Pipeline (software)","level":2,"score":0.5126000046730042},{"id":"https://openalex.org/C165696696","wikidata":"https://www.wikidata.org/wiki/Q11287","display_name":"Exploit","level":2,"score":0.49810001254081726},{"id":"https://openalex.org/C2777338717","wikidata":"https://www.wikidata.org/wiki/Q1762621","display_name":"Vendor","level":2,"score":0.48010000586509705},{"id":"https://openalex.org/C2777904410","wikidata":"https://www.wikidata.org/wiki/Q7397","display_name":"Software","level":2,"score":0.47780001163482666},{"id":"https://openalex.org/C38652104","wikidata":"https://www.wikidata.org/wiki/Q3510521","display_name":"Computer security","level":1,"score":0.4683000147342682},{"id":"https://openalex.org/C2777615720","wikidata":"https://www.wikidata.org/wiki/Q11888847","display_name":"Prioritization","level":2,"score":0.41040000319480896},{"id":"https://openalex.org/C172776598","wikidata":"https://www.wikidata.org/wiki/Q7943570","display_name":"Vulnerability management","level":4,"score":0.3785000145435333},{"id":"https://openalex.org/C189430467","wikidata":"https://www.wikidata.org/wiki/Q7293293","display_name":"Ranking (information retrieval)","level":2,"score":0.3555999994277954},{"id":"https://openalex.org/C81860439","wikidata":"https://www.wikidata.org/wiki/Q251212","display_name":"Internet of Things","level":2,"score":0.35179999470710754},{"id":"https://openalex.org/C132964779","wikidata":"https://www.wikidata.org/wiki/Q2110223","display_name":"Raw data","level":2,"score":0.33550000190734863},{"id":"https://openalex.org/C12174686","wikidata":"https://www.wikidata.org/wiki/Q1058438","display_name":"Risk assessment","level":2,"score":0.31769999861717224},{"id":"https://openalex.org/C62555980","wikidata":"https://www.wikidata.org/wiki/Q1460420","display_name":"Emergency management","level":2,"score":0.29159998893737793},{"id":"https://openalex.org/C112930515","wikidata":"https://www.wikidata.org/wiki/Q4389547","display_name":"Risk analysis (engineering)","level":1,"score":0.2800999879837036},{"id":"https://openalex.org/C32896092","wikidata":"https://www.wikidata.org/wiki/Q189447","display_name":"Risk management","level":2,"score":0.2671999931335449},{"id":"https://openalex.org/C149635348","wikidata":"https://www.wikidata.org/wiki/Q193040","display_name":"Embedded system","level":1,"score":0.26429998874664307},{"id":"https://openalex.org/C188087704","wikidata":"https://www.wikidata.org/wiki/Q369577","display_name":"Standardization","level":2,"score":0.26030001044273376},{"id":"https://openalex.org/C124101348","wikidata":"https://www.wikidata.org/wiki/Q172491","display_name":"Data mining","level":1,"score":0.26030001044273376},{"id":"https://openalex.org/C105339364","wikidata":"https://www.wikidata.org/wiki/Q2297740","display_name":"Software deployment","level":2,"score":0.25839999318122864},{"id":"https://openalex.org/C2776836416","wikidata":"https://www.wikidata.org/wiki/Q1364844","display_name":"False alarm","level":2,"score":0.2542000114917755},{"id":"https://openalex.org/C2780814629","wikidata":"https://www.wikidata.org/wiki/Q327353","display_name":"System administrator","level":2,"score":0.2535000145435333}],"mesh":[],"locations_count":1,"locations":[{"id":"doi:10.48550/arxiv.2601.01308","is_oa":true,"landing_page_url":"https://doi.org/10.48550/arxiv.2601.01308","pdf_url":null,"source":{"id":"https://openalex.org/S4306400194","display_name":"arXiv (Cornell University)","issn_l":null,"issn":null,"is_oa":true,"is_in_doaj":false,"is_core":false,"host_organization":"https://openalex.org/I205783295","host_organization_name":"Cornell University","host_organization_lineage":["https://openalex.org/I205783295"],"host_organization_lineage_names":[],"type":"repository"},"license":null,"license_id":null,"version":null,"is_accepted":false,"is_published":null,"raw_source_name":null,"raw_type":"article"}],"best_oa_location":{"id":"doi:10.48550/arxiv.2601.01308","is_oa":true,"landing_page_url":"https://doi.org/10.48550/arxiv.2601.01308","pdf_url":null,"source":{"id":"https://openalex.org/S4306400194","display_name":"arXiv (Cornell University)","issn_l":null,"issn":null,"is_oa":true,"is_in_doaj":false,"is_core":false,"host_organization":"https://openalex.org/I205783295","host_organization_name":"Cornell University","host_organization_lineage":["https://openalex.org/I205783295"],"host_organization_lineage_names":[],"type":"repository"},"license":null,"license_id":null,"version":null,"is_accepted":false,"is_published":false,"raw_source_name":null,"raw_type":"article"},"sustainable_development_goals":[],"awards":[],"funders":[],"has_content":{"pdf":false,"grobid_xml":false},"content_urls":null,"referenced_works_count":0,"referenced_works":[],"related_works":[],"abstract_inverted_index":{"The":[0,100,172],"proliferation":[1],"of":[2,4,18,24,48,137,160,191],"Internet":[3],"Things":[5],"(IoT)":[6],"devices":[7],"has":[8],"introduced":[9],"significant":[10],"security":[11],"challenges,":[12],"primarily":[13],"due":[14],"to":[15,75,90,168,179],"the":[16,22,111,123,155,157,181],"opacity":[17],"firmware":[19,29,59,203],"components":[20,89],"and":[21,64,93,122,163,185],"complexity":[23],"supply":[25],"chain":[26],"dependencies.":[27],"IoT":[28,81],"frequently":[30],"relies":[31],"on":[32,104],"outdated,":[33],"third-party":[34],"libraries":[35],"embedded":[36,161],"within":[37],"monolithic":[38],"binary":[39],"blobs,":[40],"making":[41],"vulnerability":[42],"management":[43],"difficult.":[44],"While":[45],"Software":[46],"Bill":[47],"Materials":[49],"(SBOM)":[50],"standards":[51],"have":[52],"matured,":[53],"generating":[54],"actionable":[55],"intelligence":[56],"from":[57,79,110],"raw":[58],"dumps":[60],"remains":[61],"a":[62,70,84,95,146,164,175,189,196],"manual":[63],"error-prone":[65],"process.":[66],"This":[67],"paper":[68],"presents":[69],"lightweight,":[71],"automated":[72],"pipeline":[73],"designed":[74],"extract":[76],"file":[77],"systems":[78],"Linux-based":[80],"firmware,":[82,194],"generate":[83],"comprehensive":[85],"SBOM,":[86],"map":[87],"identified":[88],"known":[91],"vulnerabilities,":[92],"apply":[94],"multi-factor":[96],"triage":[97,143,186],"scoring":[98,165],"model.":[99],"proposed":[101],"system":[102],"focuses":[103],"risk":[105,148],"prioritization":[106],"by":[107,144],"integrating":[108],"signals":[109],"Common":[112],"Vulnerability":[113],"Scoring":[114,119],"System":[115,120],"(CVSS),":[116],"Exploit":[117],"Prediction":[118],"(EPSS),":[121],"CISA":[124],"Known":[125],"Exploited":[126],"Vulnerabilities":[127],"(KEV)":[128],"catalog.":[129],"Unlike":[130],"conventional":[131],"scanners":[132],"that":[133],"produce":[134],"high":[135],"volumes":[136],"uncontextualized":[138],"alerts,":[139],"this":[140],"approach":[141],"emphasizes":[142],"calculating":[145],"localized":[147],"score":[149],"for":[150,199],"each":[151],"finding.":[152],"We":[153],"describe":[154],"architecture,":[156],"normalization":[158],"challenges":[159],"Linux,":[162],"methodology":[166],"intended":[167],"reduce":[169],"alert":[170],"fatigue.":[171],"study":[173],"outlines":[174],"planned":[176],"evaluation":[177],"strategy":[178],"validate":[180],"extraction":[182],"success":[183],"rate":[184],"efficacy":[187],"using":[188],"dataset":[190],"public":[192],"vendor":[193],"offering":[195],"reproducibility":[197],"framework":[198],"future":[200],"research":[201],"in":[202],"security.":[204]},"counts_by_year":[],"updated_date":"2026-01-08T20:10:11.968330","created_date":"2026-01-08T00:00:00"}