Software vulnerability prioritization using vulnerability description

Whenever the testing team detects a vulnerability, it writes up the vulnerability's characteristics and gives a detailed overview of it. Usually, certain features or keywords in that description point towards the likely severity level of the vulnerability. Using these keywords, a plausible estimate of the severity level can be made from the description alone. In this paper, we eliminate the need to generate a severity score for software vulnerabilities by using the vulnerability description itself for prioritization. The study uses word embeddings and a convolutional neural network (CNN). The CNN is trained on a sufficient number of vulnerability descriptions from every category so that it captures the discriminative words and features needed for the categorization task. The proposed system helps channel the efforts of the testing team by prioritizing newly found vulnerabilities into three categories based on previous data. The dataset comprises three data samples from three different vendors and two mixed-vendor data samples.
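The abstract describes training a GloVe-embedding CNN on vulnerability descriptions so that new findings are sorted into three priority classes. The following added example is not the paper's code and does not reproduce its model; it substitutes a much simpler technique, a multinomial naive Bayes classifier over description tokens in plain Python, to show the underlying idea that discriminative words in the description alone separate the classes and to expose which words drive each class. The training descriptions, their labels, and the names NaiveBayesPrioritizer and prioritize are constructed for illustration and are not from the paper's dataset.

```python
"""Keyword-based priority classification of vulnerability descriptions.

Added example, not the paper's code: a multinomial naive Bayes classifier with
add-one smoothing stands in for the GloVe + CNN model of the abstract. All
descriptions and labels below are constructed and are not from any real dataset.
"""
import math
import re
from collections import Counter, defaultdict

# Constructed training samples: (description, priority class). The three labels
# are hypothetical and only illustrate a three-way categorisation.
TRAINING_DATA = [
    ("Stack-based buffer overflow allows remote attackers to execute arbitrary code via a crafted packet", "high"),
    ("Unauthenticated remote code execution through deserialization of untrusted data", "high"),
    ("SQL injection in the login form allows remote attackers to read the user database", "high"),
    ("Improper authentication allows remote attackers to bypass access control and execute arbitrary commands", "high"),
    ("Cross-site scripting allows remote attackers to inject arbitrary web script via the search parameter", "medium"),
    ("Directory traversal allows authenticated users to read arbitrary files", "medium"),
    ("Missing rate limit allows authenticated users to brute force session tokens", "medium"),
    ("Cross-site request forgery allows remote attackers to change user settings", "medium"),
    ("Information disclosure of software version in HTTP response headers", "low"),
    ("Verbose error message reveals internal path names to local users", "low"),
    ("Denial of service via crafted input causes the client application to crash, local users only", "low"),
    ("Weak default file permissions allow local users to read log files", "low"),
]

TOKEN_RE = re.compile(r"[a-z0-9]+")


def tokenize(text):
    """Lower-case and split on non-alphanumerics, so 'Cross-site' -> ['cross', 'site']."""
    return TOKEN_RE.findall(text.lower())


class NaiveBayesPrioritizer:
    """Multinomial naive Bayes over description tokens (hypothetical class name)."""

    def __init__(self, alpha=1.0):
        self.alpha = alpha                      # add-one (Laplace) smoothing
        self.class_counts = Counter()           # documents per class
        self.word_counts = defaultdict(Counter) # token counts per class
        self.vocab = set()

    def fit(self, samples):
        for text, label in samples:
            self.class_counts[label] += 1
            for tok in tokenize(text):
                self.word_counts[label][tok] += 1
                self.vocab.add(tok)
        return self

    def log_scores(self, text):
        """Log posterior (up to a constant) of each class for one description."""
        total_docs = sum(self.class_counts.values())
        scores = {}
        for label, n_docs in self.class_counts.items():
            log_p = math.log(n_docs / total_docs)
            denom = sum(self.word_counts[label].values()) + self.alpha * len(self.vocab)
            for tok in self.word_counts[label] and tokenize(text):
                # Unseen tokens get probability alpha / denom instead of zero.
                log_p += math.log((self.word_counts[label][tok] + self.alpha) / denom)
            scores[label] = log_p
        return scores

    def predict(self, text):
        scores = self.log_scores(text)
        return max(scores, key=scores.get)

    def top_words(self, label, k=5):
        """Tokens most indicative of `label`: smoothed log-likelihood ratio
        against the pooled other classes, ties broken alphabetically."""
        n_label = sum(self.word_counts[label].values())
        others = Counter()
        for other, counts in self.word_counts.items():
            if other != label:
                others.update(counts)
        n_others = sum(others.values())
        v = len(self.vocab)
        ratio = {}
        for tok in self.vocab:
            p_in = (self.word_counts[label][tok] + self.alpha) / (n_label + self.alpha * v)
            p_out = (others[tok] + self.alpha) / (n_others + self.alpha * v)
            ratio[tok] = math.log(p_in / p_out)
        return [w for w, _ in sorted(ratio.items(), key=lambda kv: (-kv[1], kv[0]))[:k]]


MODEL = NaiveBayesPrioritizer().fit(TRAINING_DATA)


def prioritize(description):
    """Assign one of the three constructed priority classes from the description alone."""
    return MODEL.predict(description)


if __name__ == "__main__":
    for d in ["Heap overflow lets remote attackers execute arbitrary code",
              "Cross-site scripting in the search page allows injection of web script",
              "Server banner discloses software version to local users"]:
        print(prioritize(d), "<-", d)
    print("indicative of high:", MODEL.top_words("high"))
```

The point to take from the toy is the one the abstract makes: phrases such as "execute arbitrary code" and "remote attackers" separate the classes without any CVSS vector being computed. The caveat a practitioner should keep in mind is that such a model only reflects the labelling conventions of the previous data it was trained on; a vendor whose write-ups are terse or use different vocabulary needs its own samples, which is presumably why the abstract reports separate per-vendor and mixed-vendor data sets.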
