A Study on Misclassification of Software Vulnerabilities when using Deep Learning and Machine Learning Algorithms

As the field of computer science has advanced over the years, there has been a tremendous increase in the amount of software being created, and this increase has been accompanied by a growth in software vulnerabilities. A software vulnerability is a security flaw in software that attackers can potentially exploit to carry out cyber attacks. Although automatic approaches for identifying and analyzing vulnerabilities have become a trending topic in the research community, the classification of vulnerabilities is still an open issue. Machine learning and deep learning have been applied as promising approaches for automatically classifying vulnerabilities; unfortunately, such methods can produce errors due to misclassification. In this paper we compare five shallow learning models and fourteen deep learning models with the aim of quantitatively characterizing the differences in their classification errors.
