Software vulnerability prioritization using vulnerability description

Original Article, International Journal of System Assurance Engineering and Management

Abstract

Whenever a vulnerability is detected by the testing team, it is described based on its characteristics, and a detailed overview of the vulnerability is given by the testing team. Usually, there are certain features or keywords that point towards the likely severity level of a vulnerability. Using these keywords in the vulnerability description, the severity level of a vulnerability can be estimated from its description alone. In this paper, we eliminate the need to generate a severity score for software vulnerabilities by using the description of a vulnerability for prioritization. The study makes use of word embeddings and a convolutional neural network (CNN). The CNN is trained with a sufficient number of sample vulnerability descriptions from every category, so that it can capture discriminative words and features for the categorization task. The proposed system helps to channel the efforts of the testing team by prioritizing newly found vulnerabilities into three categories based on previous data. The dataset includes three data samples from three different vendors and two mixed-vendor data samples.
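As an added example, not the paper's code or data, the block below shows the shape of the description-only triage pipeline the abstract outlines: tokenize historical descriptions, learn per-class word statistics, report the words that discriminate each severity class, and use the model to order a queue of newly reported vulnerabilities. A bag-of-words multinomial naive Bayes classifier stands in for the paper's word-embedding + CNN model so that the example runs without a deep-learning library; the training descriptions, the three labels (high/medium/low), the tokenization rule and the queue of new descriptions are all constructed assumptions.

```python
import math
import re
from collections import Counter, defaultdict

# Constructed training set: one-line vulnerability descriptions with a
# three-level severity label. The wording and labels are invented for this
# example and are not the paper's data; a real deployment would train on
# historical, already-triaged vendor advisories.
TRAINING = [
    ("Buffer overflow allows remote attackers to execute arbitrary code via a crafted packet", "high"),
    ("Heap-based overflow lets remote attackers execute arbitrary code with a crafted file", "high"),
    ("SQL injection allows remote attackers to execute arbitrary SQL commands", "high"),
    ("Use-after-free allows remote attackers to execute arbitrary code via crafted input", "high"),
    ("Cross-site scripting allows remote attackers to inject arbitrary web script", "medium"),
    ("Directory traversal allows remote attackers to read arbitrary files via crafted path", "medium"),
    ("Missing authorization check allows authenticated users to read arbitrary files", "medium"),
    ("Improper input validation allows remote attackers to inject arbitrary web script", "medium"),
    ("Information disclosure allows local users to obtain sensitive version information", "low"),
    ("Local users can cause a denial of service by reading a malformed configuration file", "low"),
    ("Verbose error messages allow local users to obtain sensitive path information", "low"),
    ("Denial of service via a malformed file causes the local application to crash", "low"),
]

# Order in which the testing team works the queue (assumed three-category scheme).
PRIORITY = {"high": 0, "medium": 1, "low": 2}


def tokenize(text):
    """Lowercase alphabetic tokens of three or more letters, so that function
    words such as "a", "to" and "of" do not dominate the counts."""
    return [t for t in re.findall(r"[a-z]+", text.lower()) if len(t) >= 3]


class DescriptionClassifier:
    """Multinomial naive Bayes over bag-of-words features with Laplace
    smoothing: a transparent stand-in for the paper's embedding + CNN model."""

    def __init__(self, labelled):
        self.class_docs = Counter()
        self.word_counts = defaultdict(Counter)
        self.vocab = set()
        for text, label in labelled:
            tokens = tokenize(text)
            self.class_docs[label] += 1
            self.word_counts[label].update(tokens)
            self.vocab.update(tokens)
        self.total_docs = sum(self.class_docs.values())
        self.class_total = {c: sum(wc.values()) for c, wc in self.word_counts.items()}

    def log_posteriors(self, text):
        """Unnormalised log P(class | description) for every class."""
        tokens = tokenize(text)
        v = len(self.vocab)
        scores = {}
        for c in self.class_docs:
            score = math.log(self.class_docs[c] / self.total_docs)
            for t in tokens:
                # Laplace smoothing keeps a word unseen in one class from zeroing it out.
                score += math.log((self.word_counts[c][t] + 1) / (self.class_total[c] + v))
            scores[c] = score
        return scores

    def predict(self, text):
        scores = self.log_posteriors(text)
        return max(scores, key=scores.get)

    def discriminative_words(self, label, n=5):
        """Words whose smoothed probability under `label` most exceeds their
        probability under the other classes pooled together (log-odds ranking).
        Ties are broken alphabetically so the output is deterministic."""
        v = len(self.vocab)
        other = Counter()
        for c, wc in self.word_counts.items():
            if c != label:
                other.update(wc)
        other_total = sum(other.values())

        def log_odds(word):
            p_in = (self.word_counts[label][word] + 1) / (self.class_total[label] + v)
            p_out = (other[word] + 1) / (other_total + v)
            return math.log(p_in / p_out)

        return sorted(self.vocab, key=lambda w: (-log_odds(w), w))[:n]


def prioritize(clf, descriptions):
    """Return (predicted_class, description) pairs, highest severity first;
    descriptions in the same class keep their submission order."""
    labelled = [(clf.predict(d), d) for d in descriptions]
    return sorted(labelled, key=lambda pair: PRIORITY[pair[0]])


if __name__ == "__main__":
    clf = DescriptionClassifier(TRAINING)
    for label in PRIORITY:
        print(label, clf.discriminative_words(label))
    # Constructed "newly found" descriptions, submitted in arbitrary order.
    queue = [
        "Local users can obtain sensitive information from error messages",
        "Cross-site scripting via crafted URL allows injection of web script",
        "Stack-based buffer overflow allows remote attackers to execute arbitrary code",
    ]
    for label, desc in prioritize(clf, queue):
        print(f"{label:6s} {desc}")
```

The discriminative-word listing is the part a practitioner should inspect before trusting such a model: if the top words for a class are vendor or product names rather than impact terms, the classifier has learned the vendor mix of the training data, not severity, and will misrank descriptions from a new vendor. With twelve training lines the example is only illustrative; the paper's point is that, given enough labelled history per category, a text model can rank new reports before any CVSS-style scoring is done.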



Author information

Corresponding author

Correspondence to Ruchi Sharma.

Additional information

Publisher's Note

Springer Nature remains neutral with regard to jurisdictional claims in published maps and institutional affiliations.


About this article


Cite this article

Sharma, R., Sibal, R. & Sabharwal, S. Software vulnerability prioritization using vulnerability description. Int J Syst Assur Eng Manag 12, 58–64 (2021). https://doi.org/10.1007/s13198-020-01021-7
