Automated Characterization of Software Vulnerabilities

TL;DR

This paper demonstrates that machine learning classifiers can automatically identify vulnerability characteristics from CVE report descriptions, improving the speed and accuracy of vulnerability reporting for better system maintenance.

Contribution

It introduces a method to automatically detect vulnerability characteristics from textual CVE descriptions using classification algorithms, reducing manual effort and improving report accuracy.

Findings

Support Vector Machine achieved the best classification accuracy.

All six classifiers evaluated produced accurate results.

Automating characterization improves vulnerability reporting efficiency.

Abstract

Preventing vulnerability exploits is a critical software maintenance task, and software engineers often rely on Common Vulnerability and Exposure (CVEs) reports for information about vulnerable systems and libraries. These reports include descriptions, disclosure sources, and manually-populated vulnerability characteristics such as root cause from the NIST Vulnerability Description Ontology (VDO). This information needs to be complete and accurate so stakeholders of affected products can prevent and react to exploits of the reported vulnerabilities. However, characterizing each report requires significant time and expertise which can lead to inaccurate or incomplete reports. This directly impacts stakeholders ability to quickly and correctly maintain their affected systems. In this study, we demonstrate that VDO characteristics can be automatically detected from the textual descriptions included in CVE reports. We evaluated the performance of 6 classification algorithms with a dataset of 365 vulnerability descriptions, each mapped to 1 of 19 characteristics from the VDO. This work demonstrates that it is feasible to train classification techniques to accurately characterize vulnerabilities from their descriptions. All 6 classifiers evaluated produced accurate results, and the Support Vector Machine classifier was the best-performing individual classifier. Automating the vulnerability characterization process is a step towards ensuring stakeholders have the necessary data to effectively maintain their systems.