Learning to predict severity of software vulnerability using only vulnerability description

Zhuobing Han, Xiaohong Li*, Zhenchang Xing, Hongtao Liu, Zhiyong Feng

*Corresponding author for this work

    Research output: Chapter in Book/Report/Conference proceedingConference contributionpeer-review

    143 Citations (Scopus)

    Abstract

    Software vulnerabilities pose significant security risks to the host computing system. Faced with continuous disclosure of software vulnerabilities, system administrators must prioritize their efforts, triaging the most critical vulnerabilities to address first. Many vulnerability scoring systems have been proposed, but they all require expert knowledge to determine intricate vulnerability metrics. In this paper, we propose a deep learning approach to predict multi-class severity level of software vulnerability using only vulnerability description. Compared with intricate vulnerability metrics, vulnerability description is the "surface level" information about how a vulnerability works. To exploit vulnerability description for predicting vulnerability severity, discriminative features of vulnerability description have to be defined. This is a challenging task due to the diversity of software vulnerabilities and the richness of vulnerability descriptions. Instead of relying on manual feature engineering, our approach uses word embeddings and a one-layer shallow Convolutional Neural Network (CNN) to automatically capture discriminative word and sentence features of vulnerability descriptions for predicting vulnerability severity. We exploit large amounts of vulnerability data from the Common Vulnerabilities and Exposures (CVE) database to train and test our approach.

    Original languageEnglish
    Title of host publicationProceedings - 2017 IEEE International Conference on Software Maintenance and Evolution, ICSME 2017
    PublisherInstitute of Electrical and Electronics Engineers Inc.
    Pages125-136
    Number of pages12
    ISBN (Electronic)9781538609927
    DOIs
    Publication statusPublished - 2 Nov 2017
    Event2017 IEEE International Conference on Software Maintenance and Evolution, ICSME 2017 - Shanghai, China
    Duration: 19 Sept 201722 Sept 2017

    Publication series

    NameProceedings - 2017 IEEE International Conference on Software Maintenance and Evolution, ICSME 2017

    Conference

    Conference2017 IEEE International Conference on Software Maintenance and Evolution, ICSME 2017
    Country/TerritoryChina
    CityShanghai
    Period19/09/1722/09/17

    Fingerprint

    Dive into the research topics of 'Learning to predict severity of software vulnerability using only vulnerability description'. Together they form a unique fingerprint.

    Cite this