Predicting Missing Information of Key Aspects in Vulnerability Reports

08/06/2020
by   Hao Guo, et al.
0

Software vulnerabilities have been continually disclosed and documented. An important practice in documenting vulnerabilities is to describe the key vulnerability aspects, such as vulnerability type, root cause, affected product, impact, attacker type and attack vector, for the effective search and management of fast-growing vulnerabilities. We investigate 120,103 vulnerability reports in the Common Vulnerabilities and Exposures (CVE) over the past 20 years. We find that 56 vulnerability type, root causes, attack vector and attacker type respectively. To help to complete the missing information of these vulnerability aspects, we propose a neural-network based approach for predicting the missing information of a key aspect of a vulnerability based on the known aspects of the vulnerability. We explore the design space of the neural network models and empirically identify the most effective model design. Using a large-scale vulnerability datas­et from CVE, we show that we can effectively train a neural-network based classifier with less than 20 model achieves the prediction accuracy 94 type, root cause, attacker type and attack vector, respectively. Our ablation study reveals the prominent correlations among vulnerability aspects and further confirms the practicality of our approach.

READ FULL TEXT

page 1

page 5

research
01/05/2021

Generating Informative CVE Description From ExploitDB Posts by Extractive Summarization

ExploitDB is one of the important public websites, which contributes a l...
research
09/30/2019

Automated Characterization of Software Vulnerabilities

Preventing vulnerability exploits is a critical software maintenance tas...
research
03/19/2022

An Exploratory Study into Vulnerability Chaining Blindness Terminology and Viability

To tie together the concepts of linkage blindness and the inability to l...
research
12/02/2021

A Grounded Theory Based Approach to Characterize Software Attack Surfaces

The notion of Attack Surface refers to the critical points on the bounda...
research
02/07/2019

Shoulder Surfing: From An Experimental Study to a Comparative Framework

Shoulder surfing is an attack vector widely recognized as a real threat ...
research
02/15/2023

Silent Vulnerable Dependency Alert Prediction with Vulnerability Key Aspect Explanation

Due to convenience, open-source software is widely used. For beneficial ...
research
03/06/2019

Attack Graph Obfuscation

Before executing an attack, adversaries usually explore the victim's net...

Please sign up or login with your details

Forgot password? Click here to reset