DOI: 10.1145/3524489.3527298

Predicting the severity and exploitability of vulnerability reports using convolutional neural nets

Published: 30 November 2022

Abstract

Common Vulnerability and Exposure (CVE) reports published by Vulnerability Management Systems (VMSs) are used to evaluate the severity and exploitability of software vulnerabilities. Public vulnerability databases such as the NVD use the Common Vulnerability Scoring System (CVSS) to assign scores to CVEs that rate their base severity, impact, and exploitability. Previous studies have shown that vulnerability databases rely on a manual, labor-intensive and error-prone process, which may lead to inconsistencies in the CVE data and to delays in releasing new CVEs. Furthermore, it has been shown that CVSS scoring is based on complex calculations and may not be accurate enough to assess the real-life severity and exploitability of vulnerabilities. This work uses Convolutional Neural Networks (CNNs) to train text classification models that automate the prediction of the severity and exploitability of CVEs, and proposes a new exploitability scoring method based on a Product Hygiene Index derived from the Common Product Enumeration (CPE) catalog. Using CVE descriptions published by the NVD and the exploits identified by exploit databases, it trains CNN models to predict the base severity and exploitability of CVEs. Preliminary experimental results and a case study indicate that the severity of CVEs can be predicted automatically with high confidence, and that the proposed exploitability scoring method achieves better results than the exploitability scoring provided by the NVD.

    Published In

    EnCyCriS '22: Proceedings of the 3rd International Workshop on Engineering and Cybersecurity of Critical Systems
    May 2022
    64 pages
    ISBN: 9781450392907
    DOI: 10.1145/3524489
    Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from permissions@acm.org

    In-Cooperation

    • IEEE CS

    Publisher

    Association for Computing Machinery

    New York, NY, United States

    Author Tags

    1. CVE
    2. CVSS scoring
    3. exploitability
    4. software vulnerability

    Qualifiers

    • Research-article

    Conference

    ICSE '22

    Article Metrics

    • Downloads (last 12 months): 46
    • Downloads (last 6 weeks): 4
    Reflects downloads up to 10 Nov 2024

    Cited By

    • (2024) A Study of Fine-Tuned Language Models in Vulnerability Classification. 2024 12th International Symposium on Digital Forensics and Security (ISDFS), 1-6. DOI: 10.1109/ISDFS60797.2024.10527294. Online publication date: 29-Apr-2024.
    • (2024) Logs2Vul: Vulnerability Detection from Logs for CSPM. 2024 Fourth International Conference on Advances in Electrical, Computing, Communication and Sustainable Technologies (ICAECT), 1-7. DOI: 10.1109/ICAECT60202.2024.10469167. Online publication date: 11-Jan-2024.
    • (2024) Text mining based an automatic model for software vulnerability severity prediction. International Journal of System Assurance Engineering and Management 15(8), 3706-3724. DOI: 10.1007/s13198-024-02371-2. Online publication date: 31-May-2024.
    • (2023) Report on the 3rd International Workshop on Engineering and Cybersecurity of Critical Systems (EnCyCriS - 2022). ACM SIGSOFT Software Engineering Notes 48(1), 81-84. DOI: 10.1145/3573074.3573095. Online publication date: 17-Jan-2023.