CVE Severity Prediction From Vulnerability Description - A Deep Learning Approach

Published: 24 July 2024

Abstract

The Common Vulnerabilities and Exposures (CVE) system is a widely used standard for identifying and tracking known vulnerabilities in software systems. The severity of these vulnerabilities must be determined in order to prioritize mitigation efforts. However, assigning a severity to a vulnerability is a challenging task that requires careful analysis of its characteristics and potential impact. Given the vast number of vulnerabilities identified every year, it is vital to automate severity assignment and thereby reduce manual effort. This paper proposes a novel approach for predicting the severity of a vulnerability from its CVE description using GPT-2, a state-of-the-art language model. The imbalance in the distribution of CVSS severity values is addressed using oversampling and contextual data augmentation techniques. The approach leverages the large-scale language modeling capabilities of GPT-2 to automatically extract relevant features from CVE descriptions and predict the severity level of the vulnerability. The model is evaluated on a test data set of 7,765 CVEs and achieves a high accuracy of 84.2% and an F1 score of 0.82 in predicting the severity of the vulnerabilities in the test data. A comparative analysis of this approach against state-of-the-art methods demonstrates the superior performance of the proposed approach. Based on these results, the proposed approach could serve as a valuable tool for quickly and accurately identifying high-severity vulnerabilities, facilitating more efficient and effective vulnerability management practices. Furthermore, the approach could be extended to other natural language processing tasks related to vulnerability analysis and management.
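The abstract describes two data-handling steps that any severity classifier trained on CVE descriptions needs before a language model is involved: mapping CVSS base scores to the discrete severity classes being predicted, and rebalancing those classes before training. It also reports both accuracy and F1, because on an imbalanced severity distribution accuracy alone is misleading. The following Python script is an added illustration of those steps; it is not code from the paper or its authors. The severity thresholds are the qualitative ratings of the public CVSS v3.1 specification, the oversampling is plain random duplication of minority-class records (one of several oversampling strategies; the paper's exact technique is not described in the abstract), and the ten CVE records are constructed sample data with placeholder identifiers, not real NVD entries.

```python
"""Severity bucketing, class rebalancing and evaluation metrics for a
CVE-description classifier.

Added illustration, not code from the paper.  Thresholds follow the CVSS v3.1
qualitative severity rating scale; the records below are constructed samples
with placeholder ids (SAMPLE-*), not real CVEs.
"""
import random
from collections import Counter

# Constructed sample records: (placeholder id, CVSS v3.1 base score, description).
SAMPLE_CVES = [
    {"id": "SAMPLE-0001", "score": 9.8, "description": "unauthenticated remote code execution via crafted request"},
    {"id": "SAMPLE-0002", "score": 7.5, "description": "unauthenticated denial of service via malformed packet"},
    {"id": "SAMPLE-0003", "score": 7.2, "description": "authenticated admin command injection in settings page"},
    {"id": "SAMPLE-0004", "score": 8.8, "description": "cross-site request forgery leading to account takeover"},
    {"id": "SAMPLE-0005", "score": 7.8, "description": "local privilege escalation via unquoted service path"},
    {"id": "SAMPLE-0006", "score": 8.1, "description": "path traversal allows reading arbitrary files"},
    {"id": "SAMPLE-0007", "score": 7.0, "description": "race condition in file handling causes heap corruption"},
    {"id": "SAMPLE-0008", "score": 5.3, "description": "information disclosure of version banner to unauthenticated users"},
    {"id": "SAMPLE-0009", "score": 6.5, "description": "stored cross-site scripting in comment field"},
    {"id": "SAMPLE-0010", "score": 3.1, "description": "verbose error message reveals internal hostname"},
]


def cvss_to_severity(score):
    """Map a CVSS v3.1 base score to its qualitative severity rating.

    CVSS v3.1 ratings: None 0.0, Low 0.1-3.9, Medium 4.0-6.9, High 7.0-8.9,
    Critical 9.0-10.0.  Out-of-range scores are rejected rather than silently
    clamped, since they indicate a corrupt or mis-parsed record.
    """
    if not 0.0 <= score <= 10.0:
        raise ValueError(f"CVSS base score out of range: {score}")
    if score == 0.0:
        return "NONE"
    if score < 4.0:
        return "LOW"
    if score < 7.0:
        return "MEDIUM"
    if score < 9.0:
        return "HIGH"
    return "CRITICAL"


def label_records(records):
    """Return copies of the records with a derived 'severity' class label."""
    return [dict(rec, severity=cvss_to_severity(rec["score"])) for rec in records]


def class_distribution(records):
    """Count how many records fall into each severity class."""
    return dict(Counter(rec["severity"] for rec in records))


def random_oversample(records, seed=0):
    """Duplicate minority-class records at random until every class is as
    large as the majority class.  Only the training split should be treated
    this way; evaluating on oversampled data would inflate the scores."""
    rng = random.Random(seed)
    by_label = {}
    for rec in records:
        by_label.setdefault(rec["severity"], []).append(rec)
    target = max(len(recs) for recs in by_label.values())
    balanced = []
    for recs in by_label.values():
        balanced.extend(recs)
        balanced.extend(rng.choice(recs) for _ in range(target - len(recs)))
    rng.shuffle(balanced)
    return balanced


def accuracy_and_macro_f1(y_true, y_pred):
    """Accuracy and macro-averaged F1 over all classes present in either list.
    Macro F1 weights every class equally, so a classifier that ignores rare
    classes is penalised even when its accuracy looks good."""
    labels = sorted(set(y_true) | set(y_pred))
    f1_scores = []
    for label in labels:
        tp = sum(t == label and p == label for t, p in zip(y_true, y_pred))
        fp = sum(t != label and p == label for t, p in zip(y_true, y_pred))
        fn = sum(t == label and p != label for t, p in zip(y_true, y_pred))
        precision = tp / (tp + fp) if tp + fp else 0.0
        recall = tp / (tp + fn) if tp + fn else 0.0
        f1_scores.append(2 * precision * recall / (precision + recall) if precision + recall else 0.0)
    accuracy = sum(t == p for t, p in zip(y_true, y_pred)) / len(y_true)
    return accuracy, sum(f1_scores) / len(f1_scores)


def majority_baseline(records):
    """Predict the most common class for every record: the baseline any real
    model must beat on an imbalanced severity distribution."""
    majority = Counter(rec["severity"] for rec in records).most_common(1)[0][0]
    return [majority] * len(records)


if __name__ == "__main__":
    labeled = label_records(SAMPLE_CVES)
    print("original distribution:", class_distribution(labeled))
    print("after oversampling:  ", class_distribution(random_oversample(labeled)))
    truth = [rec["severity"] for rec in labeled]
    acc, f1 = accuracy_and_macro_f1(truth, majority_baseline(labeled))
    print(f"majority-class baseline: accuracy={acc:.3f} macro-F1={f1:.3f}")
```

On the constructed sample the majority-class baseline scores 0.6 accuracy but only 0.1875 macro F1, which is why a severity predictor has to be reported with both numbers; oversampling is applied to the training split only, so that the held-out evaluation keeps the real (imbalanced) distribution.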



Published In

Procedia Computer Science, Volume 235, Issue C (2024), 3497 pages. ISSN: 1877-0509, EISSN: 1877-0509.

Publisher

Elsevier Science Publishers B. V., Netherlands

Author Tags

  1. Common Vulnerabilities and Exposures (CVE)
  2. National Vulnerability Database (NVD)
  3. Common Vulnerability Scoring System (CVSS)
  4. GPT-2 large language model
  5. Natural Language Processing (NLP)
  6. Vulnerability Severity Prediction

Qualifiers

  • Research-article
