
Software Vulnerability Classification Using Learning Techniques

  • Conference paper
  • In: Applications of Computational Intelligence in Management & Mathematics (ICCM 2022)

Abstract

As software becomes a more complex, diversified, and integral part of human life, attacks through exploitable software vulnerabilities have become significant security risks to the host computing system. These vulnerabilities threaten individuals and nations across the globe, and their cost to the world economy has been projected to reach up to 5 trillion USD by 2025. We have implemented learning approaches to classify and score multi-class severity levels of software vulnerabilities using the vulnerability description together with other data metrics (such as the user privilege required and the availability impact). We use machine learning algorithms such as a linear regressor, a decision tree regressor, and a random forest regressor to propose a framework for classifying software vulnerabilities and their severity using two techniques: one statistical and one NLP-based. The performance of the models is assessed by explained variance (0.9973), R-squared (0.9973), mean absolute error (0.0052), mean squared error (0.0035), and root mean squared error (0.0594). GridSearchCV was used for model selection, and the results show that the random forest gives the best result, at 99.99%.
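The abstract evaluates severity prediction with regression metrics (explained variance, R-squared, MAE, MSE, RMSE) even though the end goal is a multi-class severity label. The following added example, which is not code from the paper, computes those five metrics from scratch for a hypothetical score predictor and then maps both true and predicted scores to the CVSS v3.x qualitative bands (None, Low, Medium, High, Critical) to show the check a practitioner would want alongside them: a prediction that is numerically close can still land on the wrong side of a band edge. The eight (true, predicted) score pairs are constructed for illustration.

```python
"""Evaluating a CVSS score predictor: regression metrics plus severity-band accuracy.

Added example; not code from the paper. It assumes a model that predicts a
numeric CVSS base score (0.0-10.0) from a vulnerability description and metric
features such as privileges required and availability impact. The score pairs
below are constructed for illustration.
"""
import math
from statistics import mean, pvariance

# CVSS v3.x qualitative severity rating scale, as published by FIRST.
SEVERITY_BANDS = [
    (0.0, 0.0, "None"),
    (0.1, 3.9, "Low"),
    (4.0, 6.9, "Medium"),
    (7.0, 8.9, "High"),
    (9.0, 10.0, "Critical"),
]

# Constructed (true, predicted) base scores for eight hypothetical entries.
# Two predictions sit 0.1 below a band edge: 9.0 -> 8.9 and 7.0 -> 6.9.
Y_TRUE = [9.8, 7.5, 5.3, 4.0, 9.0, 7.0, 3.1, 6.5]
Y_PRED = [9.7, 7.5, 5.4, 4.0, 8.9, 6.9, 3.1, 6.5]


def severity(score):
    """Map a CVSS base score to its qualitative band.

    CVSS scores are reported to one decimal, so round first; that also makes
    every value in [0, 10] fall into exactly one band.
    """
    s = round(score, 1)
    for lo, hi, name in SEVERITY_BANDS:
        if lo <= s <= hi:
            return name
    raise ValueError(f"CVSS score out of range: {score!r}")


def regression_metrics(y_true, y_pred):
    """Compute the five regression metrics the abstract reports, from scratch.

    explained variance = 1 - Var(y_true - y_pred) / Var(y_true)
    R^2               = 1 - SS_res / SS_tot
    """
    if len(y_true) != len(y_pred) or not y_true:
        raise ValueError("need equal-length, non-empty inputs")
    residuals = [t - p for t, p in zip(y_true, y_pred)]
    n = len(residuals)
    mu = mean(y_true)
    ss_res = sum(r * r for r in residuals)
    ss_tot = sum((t - mu) ** 2 for t in y_true)
    if ss_tot == 0:
        raise ValueError("R^2 and explained variance are undefined for a constant target")
    mse = ss_res / n
    return {
        "explained_variance": 1.0 - pvariance(residuals) / pvariance(y_true),
        "r2": 1.0 - ss_res / ss_tot,
        "mae": sum(abs(r) for r in residuals) / n,
        "mse": mse,
        "rmse": math.sqrt(mse),
    }


def severity_report(y_true, y_pred):
    """Accuracy after mapping both true and predicted scores to severity bands.

    Returns the band accuracy and the misclassified entries as
    (index, true_band, predicted_band) so boundary errors are visible.
    """
    misclassified = []
    for i, (t, p) in enumerate(zip(y_true, y_pred)):
        tb, pb = severity(t), severity(p)
        if tb != pb:
            misclassified.append((i, tb, pb))
    accuracy = 1.0 - len(misclassified) / len(y_true)
    return {"accuracy": accuracy, "misclassified": misclassified}


if __name__ == "__main__":
    for name, value in regression_metrics(Y_TRUE, Y_PRED).items():
        print(f"{name:>18}: {value:.4f}")
    report = severity_report(Y_TRUE, Y_PRED)
    print(f"severity-band accuracy: {report['accuracy']:.2f}")
    for idx, tb, pb in report["misclassified"]:
        print(f"  entry {idx}: true {tb}, predicted {pb}")
```

On the constructed data the regression metrics look excellent (MAE 0.05, R-squared above 0.998), yet two of eight entries change severity band, giving a band accuracy of only 0.75. When a regressor is used as a severity classifier, report band accuracy or a confusion matrix over the bands in addition to the regression metrics, since the bands are hard cut-offs and triage decisions are made on the band, not the decimal score.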



Corresponding author

Correspondence to Birendra Kumar Verma.


Copyright information

© 2023 The Author(s), under exclusive license to Springer Nature Switzerland AG


Cite this paper

Verma, B.K., Yadav, A.K., Khemchandani, V. (2023). Software Vulnerability Classification Using Learning Techniques. In: Mishra, M., Kesswani, N., Brigui, I. (eds) Applications of Computational Intelligence in Management & Mathematics. ICCM 2022. Springer Proceedings in Mathematics & Statistics, vol 417. Springer, Cham. https://doi.org/10.1007/978-3-031-25194-8_26
