Automated Software Vulnerability Assessment with Concept Drift

by   Triet H. M. Le, et al.

Software Engineering researchers are increasingly using Natural Language Processing (NLP) techniques to automate Software Vulnerabilities (SVs) assessment using the descriptions in public repositories. However, the existing NLP-based approaches suffer from concept drift. This problem is caused by a lack of proper treatment of new (out-of-vocabulary) terms for the evaluation of unseen SVs over time. To perform automated SVs assessment with concept drift using SVs' descriptions, we propose a systematic approach that combines both character and word features. The proposed approach is used to predict seven Vulnerability Characteristics (VCs). The optimal model of each VC is selected using our customized time-based cross-validation method from a list of eight NLP representations and six well-known Machine Learning models. We have used the proposed approach to conduct large-scale experiments on more than 100,000 SVs in the National Vulnerability Database (NVD). The results show that our approach can effectively tackle the concept drift issue of the SVs' descriptions reported from 2000 to 2018 in NVD even without retraining the model. In addition, our approach performs competitively compared to the existing word-only method. We also investigate how to build compact concept-drift-aware models with much fewer features and give some recommendations on the choice of classifiers and NLP representations for SVs assessment.


Adversarial Validation Approach to Concept Drift Problem in Automated Machine Learning Systems

In automated machine learning systems, concept drift in input data is on...

DeepCVA: Automated Commit-level Vulnerability Assessment with Deep Multi-task Learning

It is increasingly suggested to identify Software Vulnerabilities (SVs) ...

A Survey on Concept Drift in Process Mining

Concept drift in process mining (PM) is a challenge as classical methods...

Multi-DoF Time Domain Passivity Approach based Drift Compensation for Telemanipulation

When, in addition to stability, position synchronization is also desired...

SySeVR: A Framework for Using Deep Learning to Detect Software Vulnerabilities

The detection of software vulnerabilities (or vulnerabilities for short)...

Automated Mapping of Vulnerability Advisories onto their Fix Commits in Open Source Repositories

The lack of comprehensive sources of accurate vulnerability data represe...

V2W-BERT: A Framework for Effective Hierarchical Multiclass Classification of Software Vulnerabilities

Weaknesses in computer systems such as faults, bugs and errors in the ar...

Code Repositories


Reproduction package for the paper "Automated Software Vulnerability Assessment with Concept Drift" in Mining Software Repositories 2019.

view repo