"Empirical Validation of Automated Vulnerability Curation and Characterization" accepted at TSE

"Empirical Validation of Automated Vulnerability Curation and Characterization" accepted at TSE

Feb 14, 2023. | By: Joanna C. S. Santos

Our manuscript, “Empirical Validation of Automated Vulnerability Curation and Characterization”, has been accepted at IEEE Transactions on Software Engineering (TSE). In this manuscript, we describe an approach to curate vulnerability reports in real time and to map textual vulnerability reports to machine-readable, structured vulnerability attribute data. Designed to support the time-consuming human analysis performed by vulnerability databases, our approach leverages the Common Vulnerabilities and Exposures (CVE) list of vulnerabilities and the vulnerability attributes described by the National Institute of Standards and Technology (NIST) Vulnerability Description Ontology (VDO) framework. Our work uses Natural Language Processing (NLP), Machine Learning (ML) and novel Information Theoretical (IT) methods to provide automated techniques for near real-time publishing and characterization of vulnerabilities using 28 attributes in 5 domains. Our experimental results indicate that vulnerabilities can be evaluated up to 95 hours earlier than with manual methods, that they can be characterized with F-Measure values over 0.9, and that the proposed automated approach could save up to 47% of the time spent on CVE characterization.

Related Links

BibTeX

@ARTICLE{10056768,
  author={Okutan, Ahmet and Mell, Peter and Mirakhorli, Mehdi and Khokhlov, Igor and Santos, Joanna C. S. and Gonzalez, Danielle and Simmons, Steven},
  journal={IEEE Transactions on Software Engineering}, 
  title={Empirical Validation of Automated Vulnerability Curation and Characterization}, 
  year={2023},
  volume={49},
  number={5},
  pages={3241-3260},
  keywords={Security;NIST;Databases;Virtual machine monitors;Software;Feature extraction;Codes;CVE;NIST vulnerability description ontology;software vulnerability;vulnerability characterization},
  doi={10.1109/TSE.2023.3250479}
}

About

Security and Software Engineering Lab at University of Notre Dame, Notre Dame, IN USA 46556
