Abstract
This paper presents an end-to-end Artificial Intelligence (AI) system that estimates the severity level and the individual Common Vulnerability Scoring System (CVSS) components of a vulnerability from its natural-language description. The natural language processing-based approach works from the Common Vulnerabilities and Exposures (CVE) description alone, without reproducing the vulnerability or its environment. We present an Error Grid Analysis for the CVSS base score prediction task. Experiments on CVSS 2.0 and CVSS 3.1 show that state-of-the-art deep learning models predict the CVSS scoring components with high accuracy. The low-cost Universal Sentence Encoder (large) model outperforms the Generative Pre-trained Transformer-3 (GPT-3) and a Support Vector Machine (SVM) baseline on the majority of the classification tasks, with lower computational overhead than GPT-3.
References
Universal-sentence-encoder. https://tfhub.dev/google/universal-sentence-encoder-large/5
Abadi, M., et al.: TensorFlow: Large-scale machine learning on heterogeneous systems (2015). https://www.tensorflow.org/, software available from tensorflow.org
Beck, A., Rass, S.: Using neural networks to aid CVSS risk aggregation: an empirically validated approach. J. Innov. Digital Ecosyst. 3(2), 148–154 (2016)
Brown, T., et al.: Language models are few-shot learners. Adv. Neural Inform. Process. Syst. 33, 1877–1901 (2020)
Cer, D., et al.: Universal sentence encoder. arXiv preprint arXiv:1803.11175 (2018)
Clarke, W.L.: The original Clarke error grid analysis (EGA). Diabetes Technol. Therap. 7(5), 776–779 (2005)
Costa, J.C., Roxo, T., Sequeiros, J.B., Proença, H., Inácio, P.R.: Predicting CVSS metric via description interpretation. IEEE Access (2022)
FIRST: Common Vulnerability Scoring System version 3.1: Specification document (2019)
Harris, C.R., et al.: Array programming with NumPy. Nature 585(7825), 357–362 (2020). https://doi.org/10.1038/s41586-020-2649-2
IBM: Common Vulnerability Scoring System (CVSS). https://www.ibm.com/docs/en/qradar-on-cloud?topic=vulnerabilities-common-vulnerability-scoring-system-cvss
Iosif, A.C., Gasiba, T.E., Zhao, T., Lechner, U., Pinto-Albuquerque, M.: A large-scale study on the security vulnerabilities of cloud deployments. In: The First International Conference on Ubiquitous Security (UbiSec 2021), pp. 171–188. Springer (2021). https://doi.org/10.1007/978-981-19-0468-4_13
Iyyer, M., Manjunatha, V., Boyd-Graber, J., Daumé III, H.: Deep unordered composition rivals syntactic methods for text classification. In: Proceedings of the 53rd Annual Meeting of the Association for Computational Linguistics and the 7th International Joint Conference on Natural Language Processing (volume 1: Long papers), pp. 1681–1691 (2015)
Joachims, T.: A probabilistic analysis of the Rocchio algorithm with TFIDF for text categorization. Technical report, Carnegie Mellon University, Pittsburgh, PA, Department of Computer Science (1996)
Kibriya, A.M., Frank, E., Pfahringer, B., Holmes, G.: Multinomial Naive Bayes for text categorization revisited. In: Webb, G.I., Yu, X. (eds.) AI 2004. LNCS (LNAI), vol. 3339, pp. 488–499. Springer, Heidelberg (2004). https://doi.org/10.1007/978-3-540-30549-1_43
Kitaev, N., Kaiser, Ł., Levskaya, A.: Reformer: The efficient transformer. arXiv preprint arXiv:2001.04451 (2020)
Kramer, O.: Machine Learning for Evolution Strategies. SBD, vol. 20. Springer, Cham (2016). https://doi.org/10.1007/978-3-319-33383-0
Mell, P., Scarfone, K., Romanosky, S., et al.: A complete guide to the Common Vulnerability Scoring System version 2.0. FIRST (Forum of Incident Response and Security Teams), vol. 1, p. 23 (2007)
Noble, W.S.: What is a support vector machine? Nature Biotechnol. 24(12), 1565–1567 (2006)
Nowak, M., Walkowski, M., Sujecki, S.: Machine learning algorithms for conversion of CVSS base score from 2.0 to 3.x. In: Paszynski, M., Kranzlmüller, D., Krzhizhanovskaya, V.V., Dongarra, J.J., Sloot, P.M.A. (eds.) ICCS 2021. LNCS, vol. 12744, pp. 255–269. Springer, Cham (2021). https://doi.org/10.1007/978-3-030-77967-2_21
NVD: National Vulnerability Database (2022)
Pedregosa, F., et al.: Scikit-learn: Machine learning in python. J. Mach. Learn. Res. 12, 2825–2830 (2011)
Ruohonen, J.: A look at the time delays in CVSS vulnerability scoring. Appl. Comput. Inform. 15(2), 129–135 (2019)
Shahid, M.R., Debar, H.: CVSS-BERT: Explainable natural language processing to determine the severity of a computer security vulnerability from its description. In: 2021 20th IEEE International Conference on Machine Learning and Applications (ICMLA), pp. 1600–1607. IEEE (2021)
Snæbjarnarson, V., Símonarson, H.B., Ragnarsson, P.O., Ingólfsdóttir, S., Jónsson, H.P., Þorsteinsson, V., Einarsson, H.: A warm start and a clean crawled corpus-a recipe for good language models. arXiv preprint arXiv:2201.05601 (2022)
U.S. Department of Commerce: NVD - Vulnerability Metrics. https://nvd.nist.gov/vuln-metrics/cvss
Vaswani, A., et al.: Attention is all you need. In: Advances in Neural Information Processing Systems, vol. 30 (2017)
Yamamoto, Y., Miyamoto, D., Nakayama, M.: Text-mining approach for estimating vulnerability score. In: 2015 4th International Workshop on Building Analysis Datasets and Gathering Experience Returns for Security (BADGERS), pp. 67–73. IEEE (2015)
Copyright information
© 2023 The Author(s), under exclusive license to Springer Nature Singapore Pte Ltd.
Cite this paper
Zhang, Z., Kumar, V., Mayo, M., Bifet, A. (2023). Assessing Vulnerability from Its Description. In: Wang, G., Choo, KK.R., Wu, J., Damiani, E. (eds) Ubiquitous Security. UbiSec 2022. Communications in Computer and Information Science, vol 1768. Springer, Singapore. https://doi.org/10.1007/978-981-99-0272-9_9
DOI: https://doi.org/10.1007/978-981-99-0272-9_9
Publisher Name: Springer, Singapore
Print ISBN: 978-981-99-0271-2
Online ISBN: 978-981-99-0272-9
eBook Packages: Computer Science (R0)