Automated CPE Labeling of CVE Summaries with Machine Learning

Wåreus, Emil LU and Hell, Martin LU (2020) 17th International Conference on Detection of Intrusions and Malware, and Vulnerability Assessment, DIMVA 2020 In Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics) 12223 LNCS. p.3-22
Abstract

Open Source Security and Dependency Vulnerability Management (DVM) has become a more vital part of the software security stack in recent years as modern software tends to be more dependent on open source libraries. The largest open source of vulnerabilities is the National Vulnerability Database (NVD), which supplies developers with machine-readable vulnerabilities. However, sometimes Common Vulnerabilities and Exposures (CVE) have not been labeled with a Common Platform Enumeration (CPE) -version, -product and -vendor. This makes it very hard to automatically discover these vulnerabilities from import statements in dependency files. We, therefore, propose an automatic process of matching CVE summaries with CPEs through the machine learning task called Named Entity Recognition (NER). Our proposed model achieves an F-measure of 0.86 with a precision of 0.857 and a recall of 0.865, outperforming previous research for automated CPE-labeling of CVEs.

type: Chapter in Book/Report/Conference proceeding
publication status: published
keywords: CPE, CVE, Machine learning, Open source, Vulnerabilities
host publication: Detection of Intrusions and Malware, and Vulnerability Assessment - 17th International Conference, DIMVA 2020, Proceedings
series title: Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)
editor: Maurice, Clémentine ; Bilge, Leyla ; Stringhini, Gianluca and Neves, Nuno
volume: 12223 LNCS
pages: 20 pages
publisher: Springer
conference name: 17th International Conference on Detection of Intrusions and Malware, and Vulnerability Assessment, DIMVA 2020
conference location: Lisbon, Portugal
conference dates: 2020-06-24 - 2020-06-26
external identifiers: scopus:85088508164
ISSN: 0302-9743, 1611-3349
ISBN: 9783030526825
DOI: 10.1007/978-3-030-52683-2_1
language: English
LU publication?: yes
id: 55a6bc35-97e0-4b67-b7c8-a4c0c9bedf77
date added to LUP: 2020-08-05 10:27:36
date last changed: 2020-08-12 09:09:35

@inproceedings{55a6bc35-97e0-4b67-b7c8-a4c0c9bedf77,
  abstract     = {Open Source Security and Dependency Vulnerability Management (DVM) has become a more vital part of the software security stack in recent years as modern software tends to be more dependent on open source libraries. The largest open source of vulnerabilities is the National Vulnerability Database (NVD), which supplies developers with machine-readable vulnerabilities. However, sometimes Common Vulnerabilities and Exposures (CVE) have not been labeled with a Common Platform Enumeration (CPE) -version, -product and -vendor. This makes it very hard to automatically discover these vulnerabilities from import statements in dependency files. We, therefore, propose an automatic process of matching CVE summaries with CPEs through the machine learning task called Named Entity Recognition (NER). Our proposed model achieves an F-measure of 0.86 with a precision of 0.857 and a recall of 0.865, outperforming previous research for automated CPE-labeling of CVEs.},
  author       = {Wåreus, Emil and Hell, Martin},
  booktitle    = {Detection of Intrusions and Malware, and Vulnerability Assessment - 17th International Conference, DIMVA 2020, Proceedings},
  editor       = {Maurice, Clémentine and Bilge, Leyla and Stringhini, Gianluca and Neves, Nuno},
  isbn         = {9783030526825},
  issn         = {0302-9743},
  language     = {eng},
  pages        = {3--22},
  publisher    = {Springer},
  series       = {Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)},
  title        = {Automated CPE Labeling of CVE Summaries with Machine Learning},
  url          = {http://dx.doi.org/10.1007/978-3-030-52683-2_1},
  doi          = {10.1007/978-3-030-52683-2_1},
  volume       = {12223 LNCS},
  year         = {2020},
}