TY - GEN
T1 - Automation of Vulnerability Classification from its Description using Machine Learning
AU - Aota, Masaki
AU - Kanehara, Hideaki
AU - Kubo, Masaki
AU - Murata, Noboru
AU - Sun, Bo
AU - Takahashi, Takeshi
N1 - Funding Information:
Acknowledgment: This work was partly supported by a grant from the Japan Society for the Promotion of Science (JSPS KAKENHI grant number 17K12699). In addition, we would like to thank Enago for the English language review.
Publisher Copyright:
© 2020 IEEE.
PY - 2020/7
Y1 - 2020/7
N2 - Vulnerability reports play an important role in cybersecurity. Mitigation of software vulnerabilities that can be exploited by attackers depends on disclosure of vulnerabilities. Information on vulnerability types or identifiers facilitates automation of vulnerability management, statistical analysis of vulnerability trends, and secure software development. Labeling of reports with vulnerability identifiers has thus far been performed manually and has therefore suffered from human-induced errors and scalability issues due to the shortage of security experts. In this paper, we propose a scheme that automatically classifies each vulnerability description by type using machine learning. We experimentally demonstrated the performance of the proposed scheme in comparison with other algorithms, analyzed cases of misclassification, and revealed the potential for numerous human errors. Furthermore, we tried to correct these errors.
AB - Vulnerability reports play an important role in cybersecurity. Mitigation of software vulnerabilities that can be exploited by attackers depends on disclosure of vulnerabilities. Information on vulnerability types or identifiers facilitates automation of vulnerability management, statistical analysis of vulnerability trends, and secure software development. Labeling of reports with vulnerability identifiers has thus far been performed manually and has therefore suffered from human-induced errors and scalability issues due to the shortage of security experts. In this paper, we propose a scheme that automatically classifies each vulnerability description by type using machine learning. We experimentally demonstrated the performance of the proposed scheme in comparison with other algorithms, analyzed cases of misclassification, and revealed the potential for numerous human errors. Furthermore, we tried to correct these errors.
KW - machine-learning
KW - security advisory
KW - security automation
KW - vulnerability
KW - vulnerability type
UR - http://www.scopus.com/inward/record.url?scp=85094126212&partnerID=8YFLogxK
UR - http://www.scopus.com/inward/citedby.url?scp=85094126212&partnerID=8YFLogxK
U2 - 10.1109/ISCC50000.2020.9219568
DO - 10.1109/ISCC50000.2020.9219568
M3 - Conference contribution
AN - SCOPUS:85094126212
T3 - Proceedings - IEEE Symposium on Computers and Communications
BT - 2020 IEEE Symposium on Computers and Communications, ISCC 2020
PB - Institute of Electrical and Electronics Engineers Inc.
T2 - 2020 IEEE Symposium on Computers and Communications, ISCC 2020
Y2 - 7 July 2020 through 10 July 2020
ER -