Log In Sign Up

Generating Informative CVE Description From ExploitDB Posts by Extractive Summarization

by   Jiamou Sun, et al.

ExploitDB is one of the important public websites, which contributes a large number of vulnerabilities to official CVE database. Over 60% of these vulnerabilities have high- or critical-security risks. Unfortunately, over 73% of exploits appear publicly earlier than the corresponding CVEs, and about 40% of exploits do not even have CVEs. To assist in documenting CVEs for the ExploitDB posts, we propose an open information method to extract 9 key vulnerability aspects (vulnerable product/version/component, vulnerability type, vendor, attacker type, root cause, attack vector and impact) from the verbose and noisy ExploitDB posts. The extracted aspects from an ExploitDB post are then composed into a CVE description according to the suggested CVE description templates, which is must-provided information for requesting new CVEs. Through the evaluation on 13,017 manually labeled sentences and the statistically sampling of 3,456 extracted aspects, we confirm the high accuracy of our extraction method. Compared with 27,230 reference CVE descriptions. Our composed CVE descriptions achieve high ROUGH-L (0.38), a longest common subsequence based metric for evaluating text summarization methods.


Predicting Missing Information of Key Aspects in Vulnerability Reports

Software vulnerabilities have been continually disclosed and documented....

Enriching Vulnerability Reports Through Automated and Augmented Description Summarization

Security incidents and data breaches are increasing rapidly, and only a ...

Automated Characterization of Software Vulnerabilities

Preventing vulnerability exploits is a critical software maintenance tas...

Harvest – An Open Source Toolkit for Extracting Posts and Post Metadata from Web Forums

Automatic extraction of forum posts and metadata is a crucial but challe...

ThreatZoom: CVE2CWE using Hierarchical Neural Network

The Common Vulnerabilities and Exposures (CVE) represent standard means ...

Autosploit: A Fully Automated Framework for Evaluating the Exploitability of Security Vulnerabilities

The existence of a security vulnerability in a system does not necessari...