Abstract
The classification of vulnerabilities is a fundamental step to derive formal attributes that allow a deeper analysis. Therefore, it is required that this classification has to be performed timely and accurate. Since the current situation demands a manual interaction in the classification process, the timely processing becomes a serious issue. Thus, we propose an automated alternative to the manual classification, because the amount of identified vulnerabilities per day cannot be processed manually anymore. We implemented two different approaches that are able to automatically classify vulnerabilities based on the vulnerability description. We evaluated our approaches, which use Neural Networks and the Naive Bayes methods respectively, on the base of publicly known vulnerabilities.
Access this chapter
Tax calculation will be finalised at checkout
Purchases are for personal use only
Notes
References
Bozorgi, M., Saul, L.K., Savage, S., Voelker, G.M.: Beyond heuristics: learning to classify vulnerabilities and predict exploits. In: Proceedings of the 16th ACM SIGKDD International Conference on Knowledge Discovery and Data Mining, pp. 105–114. ACM (2010)
Carnegie Mellon University: Cert/cc vulnerability report form (2017). Accessed 12 Mar 2017
Frank, E., Paynter, G.W., Witten, I.H., Gutwin, C., Nevill-Manning, C.G.: Domain-specific keyphrase extraction. In: 16th International Joint Conference on Artificial Intelligence (IJCAI 99), vol. 2, pp. 668–673. Morgan Kaufmann Publishers Inc., San Francisco (1999)
Franklin, J., Wergin, C., Booth, H.: CVSS implementation guidance. Nat. Inst. Stand. Technol. NISTIR-7946 (2014). http://nvlpubs.nist.gov/nistpubs/ir/2014/NIST.IR.7946.pdf
Hasso Plattner Institute: HPI vulnerability database (2017). Accessed 26 Mar 2017
Hein, D., Saiedian, H.: Predicting attack prone software components using repository mined change metrics. In: Proceedings of the 2nd International Conference on Information Systems Security and Privacy, ICISSP, vol. 1, pp. 554–563 (2016)
Mell, P., Scarfone, K., Romanosky, S.: Common vulnerability scoring system. Secur. Priv. IEEE 4(6), 85–89 (2006)
Mitre Corporation: CPE - Common Platform Enumeration (2017). Accessed 11 Mar 2017
National Institute of Standards and Technology: National vulnerability database (2017). Accessed 22 Feb 2017
Neuhaus, S., Zimmermann, T., Holler, C., Zeller, A.: Predicting vulnerable software components. In: Proceedings of the 14th ACM Conference on Computer and Communications Security, pp. 529–540. ACM (2007)
Pennington, J., Socher, R., Manning, C.D.: GloVe: global vectors for word representation. In: Empirical Methods in Natural Language Processing (EMNLP), pp. 1532–1543 (2014)
Russell, S.J., Norvig, P., Canny, J.F., Malik, J.M., Edwards, D.D.: Artificial Intelligence: A Modern Approach, vol. 2. Prentice Hall, Upper Saddle River (2003)
Scandariato, R., Walden, J., Hovsepyan, A., Joosen, W.: Predicting vulnerable software components via text mining. IEEE Trans. Softw. Eng. 40(10), 993–1006 (2014)
Schapire, R.E., Singer, Y.: Improved boosting algorithms using confidence-rated predictions. Mach. Learn. 37(3), 297–336 (1999)
Schumacher, M., Haul, C., Hurler, M., Buchmann, A.: Data mining in vulnerability databases. Comput. Sci., 12–24 (2000)
Text Fixer: Common English Words List (2017). Accessed 11 Mar 2017
Wijayasekara, D., Manic, M., McQueen, M.: Vulnerability identification and classification via text mining bug databases. In: IECON 2014–40th Annual Conference of the IEEE Industrial Electronics Society, pp. 3612–3618. IEEE (2014)
Zhang, S., Ou, X., Caragea, D.: Predicting cyber risks through national vulnerability database. Inf. Secur. J. Glob. Perspect. 24(4–6), 194–206 (2015)
Author information
Authors and Affiliations
Corresponding author
Editor information
Editors and Affiliations
Rights and permissions
Copyright information
© 2018 Springer International Publishing AG, part of Springer Nature
About this paper
Cite this paper
Gawron, M., Cheng, F., Meinel, C. (2018). Automatic Vulnerability Classification Using Machine Learning. In: Cuppens, N., Cuppens, F., Lanet, JL., Legay, A., Garcia-Alfaro, J. (eds) Risks and Security of Internet and Systems. CRiSIS 2017. Lecture Notes in Computer Science(), vol 10694. Springer, Cham. https://doi.org/10.1007/978-3-319-76687-4_1
Download citation
DOI: https://doi.org/10.1007/978-3-319-76687-4_1
Published:
Publisher Name: Springer, Cham
Print ISBN: 978-3-319-76686-7
Online ISBN: 978-3-319-76687-4
eBook Packages: Computer ScienceComputer Science (R0)