
Assessing Vulnerability from Its Description

  • Conference paper

Part of the book series: Communications in Computer and Information Science ((CCIS,volume 1768))

Abstract

This paper presents an end-to-end Artificial Intelligence (AI) system that estimates the severity level and the individual Common Vulnerability Scoring System (CVSS) components from natural-language vulnerability descriptions, without reproducing the vulnerability. The approach, based on natural language processing, needs only the Common Vulnerabilities and Exposures (CVE) description and therefore no reproduction of the vulnerable environment. We present an Error Grid Analysis for the CVSS base score prediction task. Experiments on CVSS 2.0 and CVSS 3.1 show that state-of-the-art deep learning models predict the CVSS scoring components with high accuracy. The low-cost Universal Sentence Encoder (large) model outperforms Generative Pre-trained Transformer-3 (GPT-3) and the Support Vector Machine baseline on the majority of the classification tasks, with a lower computational overhead than GPT-3.
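The abstract mentions an Error Grid Analysis for the base-score prediction task. The following is an added example, not code from the paper, of how such a grid can be computed: true and predicted base scores are binned into the qualitative severity bands of CVSS v3.1 (None/Low/Medium/High/Critical) or CVSS v2.0 (Low/Medium/High), and each pair is assigned to a zone according to how far the predicted band is from the true band. The zone definitions (A to D) are this example's own simplification of a Clarke-style grid, not the paper's, and the sample score pairs are constructed.

```python
"""Error-grid style evaluation of predicted CVSS base scores (added example)."""
from collections import Counter

# Qualitative severity bands. The v3.1 bands follow the CVSS v3.1 specification
# (Qualitative Severity Rating Scale); the v2.0 bands are NVD's Low/Medium/High
# ranges for v2 base scores.
BANDS_V31 = [("None", 0.0, 0.0), ("Low", 0.1, 3.9), ("Medium", 4.0, 6.9),
             ("High", 7.0, 8.9), ("Critical", 9.0, 10.0)]
BANDS_V2 = [("Low", 0.0, 3.9), ("Medium", 4.0, 6.9), ("High", 7.0, 10.0)]


def band_index(score, bands):
    """Return the index of the band containing `score` (0 = least severe)."""
    s = round(float(score), 1)  # CVSS base scores carry one decimal
    if not 0.0 <= s <= 10.0:
        raise ValueError(f"CVSS base score out of range: {score}")
    for i, (_, lo, hi) in enumerate(bands):
        if lo <= s <= hi:
            return i
    raise ValueError(f"no band for score {score}")  # unreachable for contiguous bands


def zone(true_score, pred_score, bands=BANDS_V31):
    """Assign a (true, predicted) pair to an error-grid zone.

    Zone definitions are this example's own simplification, not the paper's:
      A: predicted band equals the true band (triage decision unchanged)
      B: one band off (minor change in priority)
      C: two or more bands too high (over-estimate; wasted remediation effort)
      D: two or more bands too low (under-estimate; a serious flaw may be deprioritised)
    """
    t = band_index(true_score, bands)
    p = band_index(pred_score, bands)
    d = p - t
    if d == 0:
        return "A"
    if abs(d) == 1:
        return "B"
    return "C" if d > 0 else "D"


def error_grid(pairs, bands=BANDS_V31):
    """Count zone membership over an iterable of (true_score, predicted_score) pairs."""
    counts = Counter(zone(t, p, bands) for t, p in pairs)
    for z in "ABCD":
        counts.setdefault(z, 0)
    return dict(counts)


def acceptable_fraction(pairs, bands=BANDS_V31):
    """Share of predictions in zones A or B, the region where triage is unaffected or nearly so."""
    grid = error_grid(pairs, bands)
    n = sum(grid.values())
    return (grid["A"] + grid["B"]) / n if n else 0.0


# Constructed sample: (true base score, model-predicted base score), CVSS v3.1.
SAMPLE_V31 = [
    (9.8, 9.1),  # Critical -> Critical   A
    (7.5, 8.8),  # High -> High           A
    (5.3, 6.5),  # Medium -> Medium       A
    (7.2, 6.4),  # High -> Medium         B
    (4.3, 7.0),  # Medium -> High         B
    (9.0, 3.1),  # Critical -> Low        D (under-estimate by three bands)
    (2.2, 8.0),  # Low -> High            C (over-estimate by two bands)
    (0.0, 0.0),  # None -> None           A
]

if __name__ == "__main__":
    print(error_grid(SAMPLE_V31))           # {'A': 4, 'B': 2, 'C': 1, 'D': 1}
    print(acceptable_fraction(SAMPLE_V31))  # 0.75
    # The same pairs under the coarser v2.0 bands; the 9.0 -> 3.1 case is still zone D.
    print(error_grid(SAMPLE_V31, BANDS_V2))
```

Zone D is the one a defender cares about most: a model that scores a Critical issue as Low would push it to the bottom of a patch queue, so reporting D separately (rather than a single mean absolute error) exposes exactly the failure mode that an aggregate accuracy figure hides.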



Corresponding author: Zijing Zhang

© 2023 The Author(s), under exclusive license to Springer Nature Singapore Pte Ltd.

About this paper


Cite this paper

Zhang, Z., Kumar, V., Mayo, M., Bifet, A. (2023). Assessing Vulnerability from Its Description. In: Wang, G., Choo, KK.R., Wu, J., Damiani, E. (eds) Ubiquitous Security. UbiSec 2022. Communications in Computer and Information Science, vol 1768. Springer, Singapore. https://doi.org/10.1007/978-981-99-0272-9_9


  • DOI: https://doi.org/10.1007/978-981-99-0272-9_9

  • Publisher Name: Springer, Singapore

  • Print ISBN: 978-981-99-0271-2

  • Online ISBN: 978-981-99-0272-9

  • eBook Packages: Computer Science (R0)
