Predicting Missing Information of Key Aspects in Vulnerability Reports
This work addresses the issue of incomplete vulnerability documentation for software security practitioners, enabling more effective search and management, but it is incremental as it applies existing neural network methods to a specific domain problem.
The paper tackles the problem of missing key aspects in vulnerability reports, such as vulnerability type and root cause, by proposing a neural-network based approach that predicts missing information using known aspects, achieving accuracies ranging from 70% to 94% on a dataset of 120,103 CVEs.
Software vulnerabilities have been continually disclosed and documented. An important practice in documenting vulnerabilities is to describe the key vulnerability aspects, such as vulnerability type, root cause, affected product, impact, attacker type and attack vector, for the effective search and management of fast-growing vulnerabilities. We investigate 120,103 vulnerability reports in the Common Vulnerabilities and Exposures (CVE) over the past 20 years. We find that 56%, 85%, 38% and 28% of CVEs miss vulnerability type, root causes, attack vector and attacker type respectively. To help to complete the missing information of these vulnerability aspects, we propose a neural-network based approach for predicting the missing information of a key aspect of a vulnerability based on the known aspects of the vulnerability. We explore the design space of the neural network models and empirically identify the most effective model design. Using a large-scale vulnerability datas\-et from CVE, we show that we can effectively train a neural-network based classifier with less than 20% of historical CVEs. Our model achieves the prediction accuracy 94%, 79%, 89%and 70% for vulnerability type, root cause, attacker type and attack vector, respectively. Our ablation study reveals the prominent correlations among vulnerability aspects and further confirms the practicality of our approach.