Conference: IEEE International Conference on Software Maintenance and Evolution

Learning to Predict Severity of Software Vulnerability Using Only Vulnerability Description


Abstract

Software vulnerabilities pose significant security risks to the host computing system. Faced with continuous disclosure of software vulnerabilities, system administrators must prioritize their efforts, triaging the most critical vulnerabilities to address first. Many vulnerability scoring systems have been proposed, but they all require expert knowledge to determine intricate vulnerability metrics. In this paper, we propose a deep learning approach to predict multi-class severity level of software vulnerability using only vulnerability description. Compared with intricate vulnerability metrics, vulnerability description is the "surface level" information about how a vulnerability works. To exploit vulnerability description for predicting vulnerability severity, discriminative features of vulnerability description have to be defined. This is a challenging task due to the diversity of software vulnerabilities and the richness of vulnerability descriptions. Instead of relying on manual feature engineering, our approach uses word embeddings and a one-layer shallow Convolutional Neural Network (CNN) to automatically capture discriminative word and sentence features of vulnerability descriptions for predicting vulnerability severity. We exploit large amounts of vulnerability data from the Common Vulnerabilities and Exposures (CVE) database to train and test our approach.
