
A Survey on Data-driven Software Vulnerability Assessment and Prioritization

Published: 03 December 2022

Abstract

Software Vulnerabilities (SVs) are increasing in complexity and scale, posing great security risks to many software systems. Given the limited resources in practice, SV assessment and prioritization help practitioners devise optimal SV mitigation plans based on various SV characteristics. The surges in SV data sources and data-driven techniques such as Machine Learning and Deep Learning have taken SV assessment and prioritization to the next level. Our survey provides a taxonomy of the past research efforts and highlights the best practices for data-driven SV assessment and prioritization. We also discuss the current limitations and propose potential solutions to address such issues.

[168]
Offensive Security. [n. d.]. Exploit Database. Retrieved from https://www.exploit-db.com.
[169]
SecurityTracker. [n. d.]. SecurityTracker vulnerability database. Retrieved from https://securitytracker.com.
[170]
Abubakar Omari Abdallah Semasaba, Wei Zheng, Xiaoxue Wu, and Samuel Akwasi Agyemang. 2020. Literature survey of deep learning-based vulnerability analysis on source code. IET Softw. (2020).
[171]
Internet Security Services. [n. d.]. Online database X-Force. Retrieved from http://www.iss.net/xforce.
[172]
Ruchi Sharma, Ritu Sibal, and Sangeeta Sabharwal. 2021. Software vulnerability prioritization using vulnerability description. Int. J. Syst. Assur. Eng. Manag. 12, 1 (2021), 58–64.
[173]
Prasha Shrestha, Arun Sathanur, Suraj Maharjan, Emily Saldanha, Dustin Arendt, and Svitlana Volkova. 2020. Multiple social platforms reveal actionable signals for software vulnerability awareness: A study of Github, Twitter and Reddit. PLoS One 15, 3 (2020), e0230250.
[174]
Bo Shuai, Haifeng Li, Mengjun Li, Quan Zhang, and Chaojing Tang. 2013. Automatic classification for vulnerability based on machine learning. In Proceedings of the IEEE International Conference on Information and Automation (ICIA). IEEE, 312–318.
[175]
Shashank Kumar Singh and Amrita Chaturvedi. 2020. Applying deep learning for discovery and analysis of software vulnerabilities: A brief survey. Soft Comput.: Theor. Applic. (2020), 649–658.
[176]
Vincent Smyth. 2017. Software vulnerability management: How intelligence helps reduce the risk. Netw. Secur. 2017, 3 (2017), 10–12.
[177]
Georgios Spanos and Lefteris Angelis. 2018. A multi-target approach to estimate software vulnerability characteristics and severity scores. J. Syst. Softw. 146 (2018), 152–166.
[178]
Georgios Spanos, Lefteris Angelis, and Dimitrios Toloudis. 2017. Assessment of vulnerability severity using text mining. In Proceedings of the 21st Pan-Hellenic Conference on Informatics. 1–6.
[179]
Georgios Spanos, Angeliki Sioziou, and Lefteris Angelis. 2013. WIVSS: A new methodology for scoring information systems vulnerabilities. In Proceedings of the 17th Pan-Hellenic Conference on Informatics. 83–90.
[180]
Jonathan Spring, Eric Hatleback, Allen Householder, Art Manion, and Deana Shick. 2021. Time to change the CVSS? IEEE Secur. Priv. 19, 2 (2021), 74–78.
[181]
Kenneth O. Stanley and Risto Miikkulainen. 2002. Evolving neural networks through augmenting topologies. Evolut. Computat. 10, 2 (2002), 99–127.
[182]
Octavian Suciu, Connor Nelson, Zhuoer Lyu, Tiffany Bao, and Tudor Dumitras. 2021. Expected exploitability: Predicting the development of functional vulnerability exploits. arXiv preprint arXiv:2102.07869 (2021).
[183]
Jiamou Sun, Zhenchang Xing, Hao Guo, Deheng Ye, Xiaohong Li, Xiwei Xu, and Liming Zhu. 2021. Generating informative CVE description from ExploitDB posts by extractive summarization. arXiv preprint arXiv:2101.01431 (2021).
[184]
Nan Sun, Jun Zhang, Paul Rimba, Shang Gao, Leo Yu Zhang, and Yang Xiang. 2018. Data-driven cybersecurity incident prediction: A survey. IEEE Commun. Surv. Tutor. 21, 2 (2018), 1744–1772.
[185]
Nazgol Tavabi, Palash Goyal, Mohammed Almukaynizi, Paulo Shakarian, and Kristina Lerman. 2018. DarkEmbed: Exploit prediction with neural language models. In Proceedings of the AAAI Conference on Artificial Intelligence.
[186]
Dimitrios Toloudis, Georgios Spanos, and Lefteris Angelis. 2016. Associating the severity of vulnerabilities with their description. In Proceedings of the International Conference on Advanced Information Systems Engineering. Springer, 231–242.
[187]
Shubham Tripathi, Gustavo Grieco, and Sanjay Rawat. 2017. Exniffer: Learning to prioritize crashes by assessing the exploitability from memory dump. In Proceedings of the 24th Asia-Pacific Software Engineering Conference (APSEC). IEEE, 239–248.
[188]
Jesper E. Van Engelen and Holger H. Hoos. 2020. A survey on semi-supervised learning. Mach. Learn. 109, 2 (2020), 373–440.
[189]
Mounika Vanamala, Xiaohong Yuan, and Kaushik Roy. 2020. Topic modeling and classification of common vulnerabilities and exposures database. In Proceedings of the International Conference on Artificial Intelligence, Big Data, Computing and Data Communication Systems (icABCD). IEEE, 1–5.
[190]
Hein S. Venter, Jan H. P. Eloff, and Y. L. Li. 2008. Standardising vulnerability categories. Comput. Secur. 27, 3–4 (2008), 71–83.
[191]
James Walden. 2020. The impact of a major security event on an open source project: The case of OpenSSL. In Proceedings of the 17th International Conference on Mining Software Repositories. 409–419.
[192]
Zhiyuan Wan, Xin Xia, David Lo, and Gail C. Murphy. 2019. How does machine learning change software development practices? IEEE Trans. Softw. Eng. (2019).
[193]
Ju An Wang and Minzhe Guo. 2010. Vulnerability categorization using Bayesian networks. In Proceedings of the 6th Annual Workshop on Cyber Security and Information Intelligence Research. 1–4.
[194]
Peichao Wang, Yun Zhou, Baodan Sun, and Weiming Zhang. 2019. Intelligent prediction of vulnerability severity level based on text mining and XGBboost. In Proceedings of the 11th International Conference on Advanced Computational Intelligence (ICACI). IEEE, 72–77.
[195]
Yaqing Wang, Quanming Yao, James T. Kwok, and Lionel M. Ni. 2020. Generalizing from a few examples: A survey on few-shot learning. ACM Comput. Surv. 53, 3 (2020), 1–34.
[196]
Emil Wåreus and Martin Hell. 2020. Automated CPE labeling of CVE summaries with machine learning. In Proceedings of the International Conference on Detection of Intrusions and Malware, and Vulnerability Assessment. Springer, 3–22.
[197]
Alexander Warnecke, Daniel Arp, Christian Wressnegger, and Konrad Rieck. 2020. Evaluating explanation methods for deep learning in security. In Proceedings of the IEEE European Symposium on Security and Privacy (EuroS&P). IEEE, 158–174.
[198]
Sachini Weerawardhana, Subhojeet Mukherjee, Indrajit Ray, and Adele Howe. 2014. Automated extraction of vulnerability information for home computer security. In Proceedings of the International Symposium on Foundations and Practice of Security. Springer, 356–366.
[199]
Tao Wen, Yuqing Zhang, Ying Dong, and Gang Yang. 2015. A novel automatic severity vulnerability assessment framework. J. Commun. 10, 5 (2015), 320–329.
[200]
Mark A. Williams, Roberto Camacho Barranco, Sheikh Motahar Naim, Sumi Dey, M. Shahriar Hossain, and Monika Akbar. 2020. A vulnerability analysis and prediction framework. Comput. Secur. 92 (2020), 101751.
[201]
Mark A. Williams, Sumi Dey, Roberto Camacho Barranco, Sheikh Motahar Naim, M. Shahriar Hossain, and Monika Akbar. 2018. Analyzing evolving trends of vulnerabilities in national vulnerability database. In Proceedings of the IEEE International Conference on Big Data (Big Data). IEEE, 3011–3020.
[202]
Svante Wold, Kim Esbensen, and Paul Geladi. 1987. Principal component analysis. Chemomet. Intell. Laborat. Syst. 2, 1–3 (1987), 37–52.
[203]
Xiaoxue Wu, Wei Zheng, Xin Xia, and David Lo. 2021. Data quality matters: A case study on data label correctness for security bug report prediction. IEEE Trans. Softw. Eng. (2021).
[204]
Chaowei Xiao, Armin Sarabi, Yang Liu, Bo Li, Mingyan Liu, and Tudor Dumitras. 2018. From patching delays to infection symptoms: Using risk profiles for an early discovery of vulnerabilities exploited in the wild. In Proceedings of the 27th USENIX Security Symposium (USENIX Security’18). 903–918.
[205]
Hongbo Xiao, Zhenchang Xing, Xiaohong Li, and Hao Guo. 2019. Embedding and predicting software security entity relationships: A knowledge graph based approach. In Proceedings of the International Conference on Neural Information Processing. Springer, 50–63.
[206]
Yasuhiro Yamamoto, Daisuke Miyamoto, and Masaya Nakayama. 2015. Text-mining approach for estimating vulnerability score. In Proceedings of the 4th International Workshop on Building Analysis Datasets and Gathering Experience Returns for Security (BADGERS). IEEE, 67–73.
[207]
Guanhua Yan, Junchen Lu, Zhan Shu, and Yunus Kucuk. 2017. ExploitMeter: Combining fuzzing with machine learning for automated evaluation of software exploitability. In Proceedings of the IEEE Symposium on Privacy-Aware Computing (PAC). IEEE, 164–175.
[208]
Jiao Yin, MingJian Tang, Jinli Cao, and Hua Wang. 2020. Apply transfer learning to cybersecurity: Predicting exploitability of vulnerabilities by description. Knowl.-based Syst. 210 (2020), 106529.
[209]
Sofonias Yitagesu, Xiaowang Zhang, Zhiyong Feng, Xiaohong Li, and Zhenchang Xing. 2021. Automatic part-of-speech tagging for security vulnerability descriptions. In Proceedings of the IEEE/ACM 18th International Conference on Mining Software Repositories (MSR). IEEE, 29–40.
[210]
Awad A. Younis and Yashwant K. Malaiya. 2014. Using software structure to predict vulnerability exploitation potential. In Proceedings of the IEEE 8th International Conference on Software Security and Reliability. IEEE, 13–18.
[211]
Peng Zeng, Guanjun Lin, Lei Pan, Yonghang Tai, and Jun Zhang. 2020. Software vulnerability analysis and discovery using deep learning techniques: A survey. IEEE Access (2020).
[212]
Hongyu Zhang, Liang Gong, and Steve Versteeg. 2013. Predicting bug-fixing time: An empirical study of commercial software projects. In Proceedings of the 35th International Conference on Software Engineering (ICSE). IEEE, 1042–1051.
[213]
Li Zhang and Vrizlynn L. L. Thing. 2018. Assisting vulnerability detection by prioritizing crashes with incremental learning. In Proceedings of the TENCON IEEE Region 10 Conference. IEEE, 2080–2085.
[214]
Xiong Zhang, Haoran Xie, Hao Yang, Hongkai Shao, and Minghao Zhu. 2020. A general framework to understand vulnerabilities in information systems. IEEE Access 8 (2020), 121858–121873.
[215]
Xiang Zhang, Junbo Zhao, and Yann LeCun. 2015. Character-level convolutional networks for text classification. arXiv preprint arXiv:1509.01626 (2015).
[216]
Yu Zhang, Peter Tiňo, Aleš Leonardis, and Ke Tang. 2020. A survey on neural network interpretability. arXiv preprint arXiv:2012.14261 (2020).
[217]
Yu Zhang and Qiang Yang. 2021. A survey on multi-task learning. IEEE Trans. Knowl. Data Eng. (2021).
[218]
Yukun Zhu, Ryan Kiros, Rich Zemel, Ruslan Salakhutdinov, Raquel Urtasun, Antonio Torralba, and Sanja Fidler. 2015. Aligning books and movies: Towards story-like visual explanations by watching movies and reading books. In Proceedings of the IEEE International Conference on Computer Vision. 19–27.
[219]
Thomas Zimmermann, Rahul Premraj, Nicolas Bettenburg, Sascha Just, Adrian Schroter, and Cathrin Weiss. 2010. What makes a good bug report? IEEE Trans. Softw. Eng. 36, 5 (2010), 618–643.
[220]
Deqing Zou, Sujuan Wang, Shouhuai Xu, Zhen Li, and Hai Jin. 2019. \(\mu\) VulDeePecker: A deep learning-based system for multiclass vulnerability detection. IEEE Trans. Depend. Secure Comput. (2019).
[221]
Deqing Zou, Yawei Zhu, Shouhuai Xu, Zhen Li, Hai Jin, and Hengkai Ye. 2021. Interpreting deep learning-based vulnerability detector predictions based on heuristic searching. ACM Trans. Softw. Eng. Methodol. 30, 2 (2021), 1–31.
[222]
Serkan Özkan. [n. d.]. CVE Details. Retrieved from https://www.cvedetails.com.



Published In

ACM Computing Surveys, Volume 55, Issue 5
May 2023
810 pages
ISSN:0360-0300
EISSN:1557-7341
DOI:10.1145/3567470

Publisher

Association for Computing Machinery

New York, NY, United States

Publication History

Published: 03 December 2022
Online AM: 19 April 2022
Accepted: 30 March 2022
Revised: 13 February 2022
Received: 25 July 2021
Published in CSUR Volume 55, Issue 5


Author Tags

  1. Software vulnerability
  2. Vulnerability assessment and prioritization

Qualifiers

  • Survey
  • Refereed

Funding Sources

  • Cyber Security Research Centre Limited
  • Australian Government’s Cooperative Research Centres Programme

Article Metrics

  • Downloads (last 12 months): 1,002
  • Downloads (last 6 weeks): 89
Reflects downloads up to 14 Oct 2024

Cited By
  • (2024) Enterprise Security Patch Management with Deep Reinforcement Learning. SSRN Electronic Journal. DOI: 10.2139/ssrn.4816905. Online publication date: 2024.
  • (2024) A Systematic Literature Review on Automated Software Vulnerability Detection Using Machine Learning. ACM Computing Surveys. DOI: 10.1145/3699711. Online publication date: 11-Oct-2024.
  • (2024) Automatic Data Labeling for Software Vulnerability Prediction Models: How Far Are We? Proceedings of the 18th ACM/IEEE International Symposium on Empirical Software Engineering and Measurement, 131–142. DOI: 10.1145/3674805.3686675. Online publication date: 24-Oct-2024.
  • (2024) Mitigating Data Imbalance for Software Vulnerability Assessment: Does Data Augmentation Help? Proceedings of the 18th ACM/IEEE International Symposium on Empirical Software Engineering and Measurement, 119–130. DOI: 10.1145/3674805.3686674. Online publication date: 24-Oct-2024.
  • (2024) Automated Code-centric Software Vulnerability Assessment: How Far Are We? An Empirical Study in C/C++. Proceedings of the 18th ACM/IEEE International Symposium on Empirical Software Engineering and Measurement, 72–83. DOI: 10.1145/3674805.3686670. Online publication date: 24-Oct-2024.
  • (2024) Vulnerability management digital twin for energy systems. Proceedings of the 19th International Conference on Availability, Reliability and Security, 1–11. DOI: 10.1145/3664476.3671013. Online publication date: 30-Jul-2024.
  • (2024) Unveil the Mystery of Critical Software Vulnerabilities. Companion Proceedings of the 32nd ACM International Conference on the Foundations of Software Engineering, 138–149. DOI: 10.1145/3663529.3663835. Online publication date: 10-Jul-2024.
  • (2024) Software Vulnerability Prediction in Low-Resource Languages: An Empirical Study of CodeBERT and ChatGPT. Proceedings of the 28th International Conference on Evaluation and Assessment in Software Engineering, 679–685. DOI: 10.1145/3661167.3661281. Online publication date: 18-Jun-2024.
  • (2024) The Holy Grail of Vulnerability Predictions. IEEE Security and Privacy 22, 1, 4–6. DOI: 10.1109/MSEC.2023.3333936. Online publication date: 22-Jan-2024.
  • (2024) A Study of Fine-Tuned Language Models in Vulnerability Classification. 2024 12th International Symposium on Digital Forensics and Security (ISDFS), 1–6. DOI: 10.1109/ISDFS60797.2024.10527294. Online publication date: 29-Apr-2024.
