Automated CPE Labeling of CVE Summaries with Machine Learning

Emil Wåreus; Martin Hell

doi:10.1007/978-3-030-52683-2_1

Automated CPE Labeling of CVE Summaries with Machine Learning

Emil Wåreus, Martin Hell

debricked AB

Forskningsoutput: Kapitel i bok/rapport/Conference proceeding › Konferenspaper i proceeding › Peer review

Sammanfattning

Open Source Security and Dependency Vulnerability Management (DVM) has become a more vital part of the software security stack in recent years as modern software tend to be more dependent on open source libraries. The largest open source of vulnerabilities is the National Vulnerability Database (NVD), which supplies developers with machine-readable vulnerabilities. However, sometimes Common Vulnerabilities and Exposures (CVE) have not been labeled with a Common Platform Enumeration (CPE) -version, -product and -vendor. This makes it very hard to automatically discover these vulnerabilities from import statements in dependency files. We, therefore, propose an automatic process of matching CVE summaries with CPEs through the machine learning task called Named Entity Recognition (NER). Our proposed model achieves an F-measure of 0.86 with a precision of 0.857 and a recall of 0.865, outperforming previous research for automated CPE-labeling of CVEs.

Originalspråk	engelska
Titel på värdpublikation	Detection of Intrusions and Malware, and Vulnerability Assessment - 17th International Conference, DIMVA 2020, Proceedings
Redaktörer	Clémentine Maurice, Leyla Bilge, Gianluca Stringhini, Nuno Neves
Förlag	Springer
Sidor	3-22
Antal sidor	20
ISBN (tryckt)	9783030526825
DOI	https://doi.org/10.1007/978-3-030-52683-2_1
Status	Published - 2020
Evenemang	17th International Conference on Detection of Intrusions and Malware, and Vulnerability Assessment, DIMVA 2020 - Lisbon, Portugal Varaktighet: 2020 juni 24 → 2020 juni 26

Publikationsserier

Namn	Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)
Volym	12223 LNCS
ISSN (tryckt)	0302-9743
ISSN (elektroniskt)	1611-3349

Konferens

Konferens	17th International Conference on Detection of Intrusions and Malware, and Vulnerability Assessment, DIMVA 2020
Land/Territorium	Portugal
Ort	Lisbon
Period	2020/06/24 → 2020/06/26

Ämnesklassifikation (UKÄ)

Programvaruteknik

Tillgång till dokument

10.1007/978-3-030-52683-2_1

SMARTY: Säkra mjukvaruuppdateringar för den smarta staden
Hell, M. (PI), Magnusson, B. (PI), Gehrmann, C. (CoI), Paladi, N. (Forskare), Karlsson, L. (Forskare), Sönnerup, J. (Forskare), Johnsson, B. A. (Forskare), Hedin, G. (Forskare), Nordahl, M. (Forskare), Pagnin, E. (Forskare), Kundu, R. (Forskare), Åkesson, A. (Forskare), Stankovski Wagner, P. (Forskare) & Ramezanian, S. (Forskare)
Stiftelsen för Strategisk Forskning, SSF
2018/03/01 → 2024/12/31
Projekt: Forskning

Citera det här

Wåreus, E., & Hell, M. (2020). Automated CPE Labeling of CVE Summaries with Machine Learning. I C. Maurice, L. Bilge, G. Stringhini, & N. Neves (Red.), Detection of Intrusions and Malware, and Vulnerability Assessment - 17th International Conference, DIMVA 2020, Proceedings (s. 3-22). (Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics); Vol. 12223 LNCS). Springer. https://doi.org/10.1007/978-3-030-52683-2_1

Wåreus, Emil ; Hell, Martin. / Automated CPE Labeling of CVE Summaries with Machine Learning. Detection of Intrusions and Malware, and Vulnerability Assessment - 17th International Conference, DIMVA 2020, Proceedings. redaktör / Clémentine Maurice ; Leyla Bilge ; Gianluca Stringhini ; Nuno Neves. Springer, 2020. s. 3-22 (Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)).

@inproceedings{55a6bc3597e04b67b7c8a4c0c9bedf77,

title = "Automated CPE Labeling of CVE Summaries with Machine Learning",

abstract = "Open Source Security and Dependency Vulnerability Management (DVM) has become a more vital part of the software security stack in recent years as modern software tend to be more dependent on open source libraries. The largest open source of vulnerabilities is the National Vulnerability Database (NVD), which supplies developers with machine-readable vulnerabilities. However, sometimes Common Vulnerabilities and Exposures (CVE) have not been labeled with a Common Platform Enumeration (CPE) -version, -product and -vendor. This makes it very hard to automatically discover these vulnerabilities from import statements in dependency files. We, therefore, propose an automatic process of matching CVE summaries with CPEs through the machine learning task called Named Entity Recognition (NER). Our proposed model achieves an F-measure of 0.86 with a precision of 0.857 and a recall of 0.865, outperforming previous research for automated CPE-labeling of CVEs.",

keywords = "CPE, CVE, Machine learning, Open source, Vulnerabilities",

author = "Emil W{\aa}reus and Martin Hell",

year = "2020",

doi = "10.1007/978-3-030-52683-2_1",

language = "English",

isbn = "9783030526825",

series = "Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)",

publisher = "Springer",

pages = "3--22",

editor = "Cl{\'e}mentine Maurice and Leyla Bilge and Gianluca Stringhini and Nuno Neves",

booktitle = "Detection of Intrusions and Malware, and Vulnerability Assessment - 17th International Conference, DIMVA 2020, Proceedings",

address = "Germany",

note = "17th International Conference on Detection of Intrusions and Malware, and Vulnerability Assessment, DIMVA 2020 ; Conference date: 24-06-2020 Through 26-06-2020",

}

Wåreus, E & Hell, M 2020, Automated CPE Labeling of CVE Summaries with Machine Learning. i C Maurice, L Bilge, G Stringhini & N Neves (red), Detection of Intrusions and Malware, and Vulnerability Assessment - 17th International Conference, DIMVA 2020, Proceedings. Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics), vol. 12223 LNCS, Springer, s. 3-22, 17th International Conference on Detection of Intrusions and Malware, and Vulnerability Assessment, DIMVA 2020, Lisbon, Portugal, 2020/06/24. https://doi.org/10.1007/978-3-030-52683-2_1

Automated CPE Labeling of CVE Summaries with Machine Learning. / Wåreus, Emil; Hell, Martin.
Detection of Intrusions and Malware, and Vulnerability Assessment - 17th International Conference, DIMVA 2020, Proceedings. red. / Clémentine Maurice; Leyla Bilge; Gianluca Stringhini; Nuno Neves. Springer, 2020. s. 3-22 (Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics); Vol. 12223 LNCS).

Forskningsoutput: Kapitel i bok/rapport/Conference proceeding › Konferenspaper i proceeding › Peer review

TY - GEN

T1 - Automated CPE Labeling of CVE Summaries with Machine Learning

AU - Wåreus, Emil

AU - Hell, Martin

PY - 2020

Y1 - 2020

N2 - Open Source Security and Dependency Vulnerability Management (DVM) has become a more vital part of the software security stack in recent years as modern software tend to be more dependent on open source libraries. The largest open source of vulnerabilities is the National Vulnerability Database (NVD), which supplies developers with machine-readable vulnerabilities. However, sometimes Common Vulnerabilities and Exposures (CVE) have not been labeled with a Common Platform Enumeration (CPE) -version, -product and -vendor. This makes it very hard to automatically discover these vulnerabilities from import statements in dependency files. We, therefore, propose an automatic process of matching CVE summaries with CPEs through the machine learning task called Named Entity Recognition (NER). Our proposed model achieves an F-measure of 0.86 with a precision of 0.857 and a recall of 0.865, outperforming previous research for automated CPE-labeling of CVEs.

AB - Open Source Security and Dependency Vulnerability Management (DVM) has become a more vital part of the software security stack in recent years as modern software tend to be more dependent on open source libraries. The largest open source of vulnerabilities is the National Vulnerability Database (NVD), which supplies developers with machine-readable vulnerabilities. However, sometimes Common Vulnerabilities and Exposures (CVE) have not been labeled with a Common Platform Enumeration (CPE) -version, -product and -vendor. This makes it very hard to automatically discover these vulnerabilities from import statements in dependency files. We, therefore, propose an automatic process of matching CVE summaries with CPEs through the machine learning task called Named Entity Recognition (NER). Our proposed model achieves an F-measure of 0.86 with a precision of 0.857 and a recall of 0.865, outperforming previous research for automated CPE-labeling of CVEs.

KW - CPE

KW - CVE

KW - Machine learning

KW - Open source

KW - Vulnerabilities

U2 - 10.1007/978-3-030-52683-2_1

DO - 10.1007/978-3-030-52683-2_1

M3 - Paper in conference proceeding

AN - SCOPUS:85088508164

SN - 9783030526825

T3 - Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)

SP - 3

EP - 22

BT - Detection of Intrusions and Malware, and Vulnerability Assessment - 17th International Conference, DIMVA 2020, Proceedings

A2 - Maurice, Clémentine

A2 - Bilge, Leyla

A2 - Stringhini, Gianluca

A2 - Neves, Nuno

PB - Springer

T2 - 17th International Conference on Detection of Intrusions and Malware, and Vulnerability Assessment, DIMVA 2020

Y2 - 24 June 2020 through 26 June 2020

ER -

Wåreus E, Hell M. Automated CPE Labeling of CVE Summaries with Machine Learning. I Maurice C, Bilge L, Stringhini G, Neves N, redaktörer, Detection of Intrusions and Malware, and Vulnerability Assessment - 17th International Conference, DIMVA 2020, Proceedings. Springer. 2020. s. 3-22. (Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)). doi: 10.1007/978-3-030-52683-2_1

Automated CPE Labeling of CVE Summaries with Machine Learning

Sammanfattning

Publikationsserier

Konferens

Ämnesklassifikation (UKÄ)

Tillgång till dokument

Fingeravtryck

Projekt

SMARTY: Säkra mjukvaruuppdateringar för den smarta staden

Citera det här