Severity Prediction of Software Vulnerabilities based on their Text Description

Babalau, Ion; Corlatescu, Dragos; Grigorescu, Octavian; Sandescu, Cristian; Dascălu, Mihai

doi:10.1109/synasc54541.2021.00037

Cited by 8 publications

(4 citation statements)

References 11 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Gong et al (2019) leveraged a Bi-LSTM as a shared feature extractor with multiple classifiers to predict different Common Vulnerability Scoring System (CVSS) characteristics based on vulnerability description. Babalau et al (2021) used a shared BERT architecture with two prediction heads to learn a multi-task model which supports CVSS severity score classification and regression. Some of these studies leveraged a shared architecture (Babalau et al, 2021;Gong et al, 2019;Takerngsaksiri et al, 2022) that can learn from labels of different tasks that are cor-related, hence may help improve the model performance.…”

Section: Multi-task Learning For Software Vulnerability Predictionmentioning

confidence: 99%

“…Babalau et al (2021) used a shared BERT architecture with two prediction heads to learn a multi-task model which supports CVSS severity score classification and regression. Some of these studies leveraged a shared architecture (Babalau et al, 2021;Gong et al, 2019;Takerngsaksiri et al, 2022) that can learn from labels of different tasks that are cor-related, hence may help improve the model performance. Nevertheless, all of these studies relied on the weighted summation of loss functions during gradient descent, i.e., (1) averaging the loss of each task (Le et al, 2021), (2) tuning loss weights of each task (Babalau et al, 2021), (3) summarizing loss of each task (Gong et al, 2019).…”

Section: Multi-task Learning For Software Vulnerability Predictionmentioning

confidence: 99%

“…Some of these studies leveraged a shared architecture (Babalau et al, 2021;Gong et al, 2019;Takerngsaksiri et al, 2022) that can learn from labels of different tasks that are cor-related, hence may help improve the model performance. Nevertheless, all of these studies relied on the weighted summation of loss functions during gradient descent, i.e., (1) averaging the loss of each task (Le et al, 2021), (2) tuning loss weights of each task (Babalau et al, 2021), (3) summarizing loss of each task (Gong et al, 2019). Such a weighted summation approach may not find the optimal solution when updating the shared model, for instance, the updated parameters are better for one task but not the other as discussed in Section 3.1.3.…”

Section: Multi-task Learning For Software Vulnerability Predictionmentioning

confidence: 99%

See 2 more Smart Citations

AIBugHunter: A Practical tool for predicting, classifying and repairing software vulnerabilities

Fu,

Tantithamthavorn,

et al. 2023

Empir Software Eng

View full text Add to dashboard Cite

Many Machine Learning(ML)-based approaches have been proposed to automatically detect, localize, and repair software vulnerabilities. While ML-based methods are more effective than program analysis-based vulnerability analysis tools, few have been integrated into modern Integrated Development Environments (IDEs), hindering practical adoption. To bridge this critical gap, we propose in this article AIBugHunter, a novel Machine Learning-based software vulnerability analysis tool for C/C++ languages that is integrated into the Visual Studio Code (VS Code) IDE. AIBugHunter helps software developers to achieve real-time vulnerability detection, explanation, and repairs during programming. In particular, AIBugHunter scans through developers’ source code to (1) locate vulnerabilities, (2) identify vulnerability types, (3) estimate vulnerability severity, and (4) suggest vulnerability repairs. We integrate our previous works (i.e., LineVul and VulRepair) to achieve vulnerability localization and repairs. In this article, we propose a novel multi-objective optimization (MOO)-based vulnerability classification approach and a transformer-based estimation approach to help AIBugHunter accurately identify vulnerability types and estimate severity. Our empirical experiments on a large dataset consisting of 188K+ C/C++ functions confirm that our proposed approaches are more accurate than other state-of-the-art baseline methods for vulnerability classification and estimation. Furthermore, we conduct qualitative evaluations including a survey study and a user study to obtain software practitioners’ perceptions of our AIBugHunter tool and assess the impact that AIBugHunter may have on developers’ productivity in security aspects. Our survey study shows that our AIBugHunter is perceived as useful where 90% of the participants consider adopting our AIBugHunter during their software development. Last but not least, our user study shows that our AIBugHunter can enhance developers’ productivity in combating cybersecurity issues during software development. AIBugHunter is now publicly available in the Visual Studio Code marketplace.

show abstract

Section: Multi-task Learning For Software Vulnerability Predictionmentioning

confidence: 99%

Section: Multi-task Learning For Software Vulnerability Predictionmentioning

confidence: 99%

Section: Multi-task Learning For Software Vulnerability Predictionmentioning

confidence: 99%

See 1 more Smart Citation

AIBugHunter: A Practical tool for predicting, classifying and repairing software vulnerabilities

Fu,

Tantithamthavorn,

et al. 2023

Empir Software Eng

View full text Add to dashboard Cite

show abstract

“…From the perspective of time and probability, the author provides some analysis criteria for vulnerability analysis, including average time to vulnerability, local risk rate, average risk rate and total risk value. Ion Babalau [17] proposed a deep learning method, which used only textual descriptions of vulnerabilities to predict the severity level of vulnerabilities and other indicators of vulnerabilities. The authors use a multi-tasking learning architecture combined with BERT model, and then calculate the vector space representation of sentence words.…”

Section: Introductionmentioning

confidence: 99%

Research on intelligent recognition method of software vulnerability severity based on event extraction

Wen

Lin

et al. 2023

Preprint

View full text Add to dashboard Cite

The number of vulnerability reports is rapidly increasing, and relying on human resources for vulnerability analysis will become more difficult. In addition, the current vulnerability report research is mainly based on general vulnerability disclosure (CVE) or other foreign open source projects, and there are few researches on Chinese vulnerability reports. With the development of deep learning, the research on event extraction has also been greatly developed. In order to contribute to the vulnerability analysis of Chinese vulnerability report, this paper adopts the method of event extraction to automatically mine the vulnerability report of the National Information security Vulnerability Sharing platform (CNVD). A new vulnerability analysis method is proposed, that is, the severity level of vulnerability report is evaluated by the vulnerability description information and the event information. At the same time, a convolutional neural network method named EICNN is proposed to realize this new vulnerability analysis method by integrating event information. An application that obtains the vulnerability reporting event information and evaluates the vulnerability severity at the end.

show abstract

Text mining based an automatic model for software vulnerability severity prediction

Malhotra,

Vidushi

2024

Int J Syst Assur Eng Manag

View full text Add to dashboard Cite

Severity Prediction of Software Vulnerabilities based on their Text Description

Cited by 8 publications

References 11 publications

AIBugHunter: A Practical tool for predicting, classifying and repairing software vulnerabilities

AIBugHunter: A Practical tool for predicting, classifying and repairing software vulnerabilities

Research on intelligent recognition method of software vulnerability severity based on event extraction

Text mining based an automatic model for software vulnerability severity prediction

Contact Info

Product

Resources

About