Abstract
Vulnerable third-party libraries pose significant threats to the software applications that reuse them. At an industry scale of reuse, manual analysis of third-party library vulnerabilities is easily overwhelmed by the sheer number of vulnerabilities continually collected from diverse sources for thousands of reused libraries. Our study of four large-scale, actively maintained vulnerability databases (NVD, IBM X-Force, ExploitDB, and Openwall) reveals widespread information discrepancies between reports of the same vulnerability from heterogeneous sources, in terms of seven vulnerability aspects: product, version, component, vulnerability type, root cause, attack vector, and impact. Integrating and cross-validating multi-source vulnerability information would be beneficial, but it demands automatic aspect extraction and aspect discrepancy detection. In this work, we experimented with a wide range of NLP methods to extract named entities (e.g., product) and free-form phrases (e.g., root cause) from textual vulnerability reports and to detect semantically different aspect mentions between the reports. Our experiments confirm the feasibility of applying NLP methods to automate aspect-level vulnerability analysis and identify the need for domain customization of general NLP methods. Based on our findings, we propose a discrepancy-aware, aspect-level vulnerability knowledge graph and a KG-based web portal that integrates diversified vulnerability key-aspect information from heterogeneous vulnerability databases. Our user study confirms the usefulness of the web portal. Our study opens the door to new types of vulnerability integration and management, such as vulnerability portraits of a product and explainable prediction of silent vulnerabilities.
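As an added illustration (not code from the paper or its portal), the aspect-level discrepancy check the abstract describes, run over two constructed report records for the same vulnerability that are assumed to have already been extracted into the seven aspects: named-entity aspects are compared after normalisation, and free-form aspects with a token-overlap similarity that stands in for the semantic similarity methods the paper evaluates. The alias table, stopword list and threshold are assumptions.

```python
import re

# The seven aspects named in the abstract, split by how they are compared.
ENTITY_ASPECTS = ("product", "version", "component")
PHRASE_ASPECTS = ("vulnerability_type", "root_cause", "attack_vector", "impact")

# Constructed alias table standing in for a domain-customised product normaliser.
PRODUCT_ALIASES = {"example-lib": "examplelib", "example lib": "examplelib"}
STOPWORDS = {"a", "an", "the", "of", "in", "via", "to", "by", "and"}
VERSION_RE = re.compile(r"\d+(?:\.\d+)+")


def normalize_entity(aspect, value):
    """Canonicalise a named-entity mention so spelling variants are not flagged."""
    v = value.lower().strip()
    if aspect == "product":
        return PRODUCT_ALIASES.get(v, v)
    if aspect == "version":
        # Each version becomes a tuple of ints, so 2.4.10 and 2.4.9 order correctly.
        return frozenset(tuple(int(p) for p in m.split(".")) for m in VERSION_RE.findall(v))
    return v


def tokens(phrase):
    return {t for t in re.findall(r"[a-z0-9-]+", phrase.lower()) if t not in STOPWORDS}


def phrase_similarity(a, b):
    """Jaccard overlap of content tokens (a simple stand-in for embedding similarity)."""
    ta, tb = tokens(a), tokens(b)
    return len(ta & tb) / len(ta | tb) if ta | tb else 1.0


def find_discrepancies(report_a, report_b, threshold=0.4):
    """Return (aspect, mention_a, mention_b) for every aspect whose mentions disagree."""
    found = []
    for aspect in ENTITY_ASPECTS:
        if normalize_entity(aspect, report_a.get(aspect, "")) != normalize_entity(aspect, report_b.get(aspect, "")):
            found.append((aspect, report_a.get(aspect), report_b.get(aspect)))
    for aspect in PHRASE_ASPECTS:
        pa, pb = report_a.get(aspect, ""), report_b.get(aspect, "")
        if phrase_similarity(pa, pb) < threshold:
            found.append((aspect, pa, pb))
    return found


# Constructed records imitating two databases describing one vulnerability.
REPORT_SOURCE_A = {"product": "ExampleLib", "version": "2.4.49, 2.4.50", "component": "HTTP parser",
                   "vulnerability_type": "heap-based buffer overflow",
                   "root_cause": "missing length check on chunked encoding header",
                   "attack_vector": "crafted HTTP request", "impact": "remote code execution"}
REPORT_SOURCE_B = {"product": "Example-Lib", "version": "2.4.49", "component": "HTTP parser",
                   "vulnerability_type": "buffer overflow", "root_cause": "improper bounds checking",
                   "attack_vector": "specially crafted HTTP request", "impact": "denial of service"}

if __name__ == "__main__":
    for aspect, a, b in find_discrepancies(REPORT_SOURCE_A, REPORT_SOURCE_B):
        print(f"{aspect}: source A says {a!r}, source B says {b!r}")
```

The product spelling and the partial type/vector phrases are reconciled, while the version set, root cause and impact are reported as discrepancies for an analyst to cross-validate.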
Index Terms
- Aspect-level Information Discrepancies across Heterogeneous Vulnerability Reports: Severity, Types and Detection Methods