ASVC: An Automatic Security Vulnerability Categorization Framework Based on Novel Features of Vulnerability Data

Wen, Tao; Zhang, Yuqing; Wu, Qingyun; Yang, Gang

doi:10.12720/jcm.10.2.107-116

Cited by 16 publications

(9 citation statements)

References 27 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Therefore, data is used from the CWE database only for the 102 weaknesses that are present also in NVD indirectly via CVE mappings. Although the present context is weaknesses, the idea here is similar to the enforcement of "one-to-one vulnerabilities" between vulnerability databases [35]. In contrast to some previous studies [10], all textual information is used for constructing the corpora.…”

Section: Data Sourcesmentioning

confidence: 99%

“…To contribute toward sealing some of these gaps, this paper tentatively examines the validity of common textual information retrieval techniques for extracting CWEs from vulnerability databases. The extraction itself has practical value because many vulnerability databases do not catalog weaknesses, partially due to the complexity of the CWE framework and the manual work required [35]. By superseding the manual assignment of security bug reports to CWEs [8], automatic extraction can also facilitate empirical security research.…”

Section: Introductionmentioning

confidence: 99%

See 1 more Smart Citation

Toward Validation of Textual Information Retrieval Techniques for Software Weaknesses

Ruohonen

Leppänen

2018

Communications in Computer and Information Science

View full text Add to dashboard Cite

This paper presents a preliminary validation of common textual information retrieval techniques for mapping unstructured software vulnerability information to distinct software weaknesses. The validation is carried out with a dataset compiled from four software repositories tracked in the Snyk vulnerability database. According to the results, the information retrieval techniques used perform unsatisfactorily compared to regular expression searches. Although the results vary from a repository to another, the preliminary validation presented indicates that explicit referencing of vulnerability and weakness identifiers is preferable for concrete vulnerability tracking. Such referencing allows the use of keyword-based searches, which currently seem to yield more consistent results compared to information retrieval techniques. Further validation work is required for improving the precision of the techniques, however.

show abstract

Section: Data Sourcesmentioning

confidence: 99%

Section: Introductionmentioning

confidence: 99%

Toward Validation of Textual Information Retrieval Techniques for Software Weaknesses

Ruohonen

Leppänen

2018

Communications in Computer and Information Science

View full text Add to dashboard Cite

show abstract

“…Chi-squared and info gain feature selection were used to rank features for use in classifying configuration bug reports [36]. Feature selection was also used for dimensionality reduction to categorize bug reports based on CWE standards [34]. Unlike related works, this work focuses on improving the vocabulary of the feature vectors to classify software bug reports to security related and non-security related.…”

Section: Research Questions and Contributionsmentioning

confidence: 99%

“…A successful automated identification of security bug reports has been done on NASA projects through machine learning approaches [11]. Automated classification of security bug reports has also been attempted on other datasets [30], [9], [34].…”

Section: Introductionmentioning

confidence: 99%

See 1 more Smart Citation

Security Bug Report Classification using Feature Selection, Clustering, and Deep Learning

Gantzer¹

View full text Add to dashboard Cite

As the numbers of software vulnerabilities and cybersecurity threats increase, it is becoming more difficult and time consuming to classify bug reports manually. This thesis is focused on exploring techniques that have potential to improve the performance of automated classification of software bug reports as security or non-security related. Using supervised learning, feature selection was used to engineer new feature vectors to be used in machine learning. Feature selection changes the vocabulary used by selecting words with the greatest impact on classification. Feature selection was able to increase the F-Score across the datasets by increasing the precision. We also explored unsupervised classification based on clustering. A distribution of software issues was created using variational autoencoders, where the majority of security related issues were closely related. However, a portion of nonsecurity issues also ended up in the distribution. Furthermore, we explored recent advances in text mining classification based on deep learning. Specifically, we used recurrent networks for supervised and semi-supervised classification. LSTM networks outperformed the Naive Bayes classifier in projects with a high ratio of security related issues. Sequence autoencoders were trained on unlabeled data and tuned with labeled data. The results showed that using unlabeled software issues different from the testing datasets degraded the results. Sequence autoencoders may be used on large datasets, where labeled data is scarce.

show abstract

Automatic software vulnerability classification by extracting vulnerability triggers

Sun

et al. 2022

J Software Evolu Process

View full text Add to dashboard Cite

Vulnerability classification is a significant activity in software development and software maintenance. Natural Language Processing (NLP) techniques, which utilize the descriptions in public repositories, are widely used in automatic software vulnerability classification. However, vulnerability descriptions are ordinarily short and contain many technical terms, making them difficult for machines to automatically comprehend. In this paper, we present an approach based on vulnerability triggers to automatically classify vulnerabilities. First, we extract vulnerability triggers with Bert Question and Answer (Bert Q&A). Then, we use Recurrent Convolutional Neural Networks for Text classification (TextRCNN) to classify vulnerabilities based on Common Weakness Enumeration (CWE). We statistically perform an analysis of vulnerability triggers and comprehensively evaluate the classification performance of our approach on a set of 4769 prelabeled vulnerability entries, as well as compare it with state‐of‐the‐art vulnerability classification approaches. Experiment results show that our approach can achieve a F1‐measure of 95% on extraction and 80.8% on classification.

show abstract

ASVC: An Automatic Security Vulnerability Categorization Framework Based on Novel Features of Vulnerability Data

Cited by 16 publications

References 27 publications

Toward Validation of Textual Information Retrieval Techniques for Software Weaknesses

Toward Validation of Textual Information Retrieval Techniques for Software Weaknesses

Security Bug Report Classification using Feature Selection, Clustering, and Deep Learning

Automatic software vulnerability classification by extracting vulnerability triggers

Contact Info

Product

Resources

About