Abstract
As software becomes a more complex, diversified, and integral part of human life, attacks through exploitable software vulnerabilities have become significant security risks to the host computing system. These vulnerabilities pose several threats to individuals and nations across the globe and have even cost the world economy up to 5 trillion USD by 2025 itself. We have implemented learning approaches to classify and score multi-class severity levels of software vulnerabilities using the vulnerability description along with other data metrics (such as user privilege required, availability metrics, etc.). We have used machine learning algorithms such as the linear regressor, decision tree regressor, and random forest regressor to propose a framework for classifying software vulnerabilities and their severity using two techniques: one statistical and the other NLP based. The performance of the classifiers is assessed based on explained variance (0.9973), r-squared (0.9973), mean absolute error (0.0052), mean squared error (0.0035), and root mean squared error (0.0594). GridSearchCV has been used for model selection, and the results show that the random forest gives the best result, at 99.99%.
Copyright information
© 2023 The Author(s), under exclusive license to Springer Nature Switzerland AG
Cite this paper
Verma, B.K., Yadav, A.K., Khemchandani, V. (2023). Software Vulnerability Classification Using Learning Techniques. In: Mishra, M., Kesswani, N., Brigui, I. (eds) Applications of Computational Intelligence in Management & Mathematics. ICCM 2022. Springer Proceedings in Mathematics & Statistics, vol 417. Springer, Cham. https://doi.org/10.1007/978-3-031-25194-8_26
DOI: https://doi.org/10.1007/978-3-031-25194-8_26
Publisher Name: Springer, Cham
Print ISBN: 978-3-031-25193-1
Online ISBN: 978-3-031-25194-8
eBook Packages: Mathematics and Statistics (R0)