TY - GEN
T1 - Learning to predict severity of software vulnerability using only vulnerability description
AU - Han, Zhuobing
AU - Li, Xiaohong
AU - Xing, Zhenchang
AU - Liu, Hongtao
AU - Feng, Zhiyong
N1 - Publisher Copyright:
© 2017 IEEE.
PY - 2017/11/2
Y1 - 2017/11/2
N2 - Software vulnerabilities pose significant security risks to the host computing system. Faced with continuous disclosure of software vulnerabilities, system administrators must prioritize their efforts, triaging the most critical vulnerabilities to address first. Many vulnerability scoring systems have been proposed, but they all require expert knowledge to determine intricate vulnerability metrics. In this paper, we propose a deep learning approach to predict multi-class severity level of software vulnerability using only vulnerability description. Compared with intricate vulnerability metrics, vulnerability description is the "surface level" information about how a vulnerability works. To exploit vulnerability description for predicting vulnerability severity, discriminative features of vulnerability description have to be defined. This is a challenging task due to the diversity of software vulnerabilities and the richness of vulnerability descriptions. Instead of relying on manual feature engineering, our approach uses word embeddings and a one-layer shallow Convolutional Neural Network (CNN) to automatically capture discriminative word and sentence features of vulnerability descriptions for predicting vulnerability severity. We exploit large amounts of vulnerability data from the Common Vulnerabilities and Exposures (CVE) database to train and test our approach.
KW - Deep learning
KW - Mining software repositories
KW - Multi-class classification
KW - Vulnerability severity prediction
UR - http://www.scopus.com/inward/record.url?scp=85040543079&partnerID=8YFLogxK
U2 - 10.1109/ICSME.2017.52
DO - 10.1109/ICSME.2017.52
M3 - Conference contribution
T3 - Proceedings - 2017 IEEE International Conference on Software Maintenance and Evolution, ICSME 2017
SP - 125
EP - 136
BT - Proceedings - 2017 IEEE International Conference on Software Maintenance and Evolution, ICSME 2017
PB - Institute of Electrical and Electronics Engineers Inc.
T2 - 2017 IEEE International Conference on Software Maintenance and Evolution, ICSME 2017
Y2 - 19 September 2017 through 22 September 2017
ER -
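The abstract names the two ingredients of the approach: a severity class derived from each CVE record, and a one-layer CNN over word embeddings of the description that produces a feature vector by max-over-time pooling. The block below is an added illustration in pure Python, not the authors' code, and it assumes several things the record does not state: that the three classes are the NVD CVSS v2 bands (Low 0.0-3.9, Medium 4.0-6.9, High 7.0-10.0), a filter width of 3, and the tiny constructed sample descriptions embedded in `SAMPLES`. Weights are seeded at random, so the softmax output shows the shape of the pipeline, not a trained prediction; training the filters and dense layer by cross-entropy is left to a framework.

```python
"""Severity-label derivation and a one-layer text-CNN forward pass over CVE
descriptions, in pure Python.  Added example, not the paper's implementation.
Assumed: 3 classes from NVD CVSS v2 bands, filter width 3, random weights."""
import math
import random
import re

SEVERITY_CLASSES = ["LOW", "MEDIUM", "HIGH"]
PAD, UNK = 0, 1  # reserved vocabulary ids

# Constructed sample records (not real CVE entries): description, CVSS v2 base score.
SAMPLES = [
    ("Buffer overflow in the image parser allows remote attackers to execute "
     "arbitrary code via a crafted file.", 9.3),
    ("Cross-site scripting in the admin panel allows remote attackers to inject "
     "web script via the name parameter.", 4.3),
    ("Information disclosure in the log viewer allows local users to read file "
     "names in libfoo 1.2.3.", 2.1),
]


def severity_label(cvss_v2_base_score):
    """Map a CVSS v2 base score to the assumed three-class training label."""
    if not 0.0 <= cvss_v2_base_score <= 10.0:
        raise ValueError("CVSS base score out of range: %r" % cvss_v2_base_score)
    if cvss_v2_base_score < 4.0:
        return "LOW"
    if cvss_v2_base_score < 7.0:
        return "MEDIUM"
    return "HIGH"


def tokenize(description):
    """Lower-case word tokens; keeps 'cross-site' and version strings like '1.2.3'
    as single tokens while dropping trailing punctuation."""
    return re.findall(r"[a-z0-9]+(?:[._-][a-z0-9]+)*", description.lower())


def build_vocab(descriptions):
    vocab = {"<pad>": PAD, "<unk>": UNK}
    for text in descriptions:
        for tok in tokenize(text):
            vocab.setdefault(tok, len(vocab))
    return vocab


def encode(vocab, description):
    return [vocab.get(tok, UNK) for tok in tokenize(description)]


def training_examples(vocab):
    """(token ids, label) pairs: the form a classifier is trained on."""
    return [(encode(vocab, text), severity_label(score)) for text, score in SAMPLES]


class ShallowTextCNN:
    """Embedding -> 1-D convolution (single width) -> ReLU -> max-over-time
    pooling -> dense -> softmax.  Weights are random (seeded) in this example."""

    def __init__(self, vocab_size, embed_dim=8, filter_width=3, n_filters=4,
                 n_classes=3, seed=0):
        rng = random.Random(seed)

        def u():
            return rng.uniform(-0.5, 0.5)

        self.filter_width, self.n_filters = filter_width, n_filters
        self.embeddings = [[u() for _ in range(embed_dim)] for _ in range(vocab_size)]
        self.embeddings[PAD] = [0.0] * embed_dim  # padding contributes nothing
        # one weight matrix (width x embed_dim) per filter, plus a bias each
        self.filters = [[[u() for _ in range(embed_dim)] for _ in range(filter_width)]
                        for _ in range(n_filters)]
        self.filter_bias = [u() for _ in range(n_filters)]
        self.dense = [[u() for _ in range(n_filters)] for _ in range(n_classes)]
        self.dense_bias = [u() for _ in range(n_classes)]

    def sentence_features(self, token_ids):
        """One value per filter: max over all windows of ReLU(filter . window)."""
        w = self.filter_width
        ids = token_ids + [PAD] * max(0, w - len(token_ids))  # ensure one window
        feats = []
        for f in range(self.n_filters):
            best = 0.0  # ReLU floor, then max over positions
            for i in range(len(ids) - w + 1):
                act = self.filter_bias[f]
                for j in range(w):
                    emb = self.embeddings[ids[i + j]]
                    act += sum(wt * e for wt, e in zip(self.filters[f][j], emb))
                best = max(best, act)
            feats.append(best)
        return feats

    def predict(self, token_ids):
        feats = self.sentence_features(token_ids)
        logits = [b + sum(wt * x for wt, x in zip(row, feats))
                  for row, b in zip(self.dense, self.dense_bias)]
        m = max(logits)  # shift for numerical stability
        exps = [math.exp(z - m) for z in logits]
        probs = [e / sum(exps) for e in exps]
        return SEVERITY_CLASSES[probs.index(max(probs))], probs


if __name__ == "__main__":
    vocab = build_vocab(text for text, _ in SAMPLES)
    model = ShallowTextCNN(vocab_size=len(vocab))
    for ids, label in training_examples(vocab):
        print(label, model.predict(ids))
```

The max-over-time step is what makes the feature vector independent of description length: each filter reports only its strongest match anywhere in the text, so a phrase such as "execute arbitrary code" is picked up whether it appears in the first or the last sentence. The same property means appending tokens can never lower a feature, which is a cheap invariant to check on any implementation.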