Categorizing and predicting invalid vulnerabilities on common vulnerabilities and exposures

Qiuyuan Chen, Lingfeng Bao, Li Li, Xin Xia, Liang Cai

Research output: Chapter in Book/Report/Conference proceeding › Conference Paper › Research

9 Citations (Scopus)

Abstract

To share vulnerability information across separate databases, tools, and services, newly identified vulnerabilities are routinely reported to the Common Vulnerabilities and Exposures (CVE) database. Unfortunately, not all vulnerability reports are accepted: some are rejected, and others are accepted but disputed. In this work, we refer to those rejected or disputed CVEs as invalid vulnerability reports. Invalid vulnerability reports not only cause unnecessary effort to confirm the vulnerability but also damage the reputation of the software vendors. In this paper, we aim to understand the root causes of invalid vulnerability reports and to build a prediction model that identifies them automatically. To this end, we first use card sorting to categorize invalid vulnerability reports, from which six main reasons are observed for rejected CVEs and six for disputed CVEs, respectively. Then, we propose a text mining approach to predict invalid vulnerability reports. Our experiments show that the proposed text mining approach achieves an AUC score of 0.87 for predicting invalid vulnerabilities. We also discuss the implications of our study: our categorization can be used to guide new committers to avoid these traps; some root causes of invalid CVEs can be avoided by using automatic techniques or by optimizing the reviewing mechanism; and invalid vulnerability report data should not be neglected.
Original language: English
Title of host publication: Proceedings - 25th Asia-Pacific Software Engineering Conference, APSEC 2018
Subtitle of host publication: 4–7 December 2018, Nara, Japan
Editors: Hironori Washizaki, Hongyu Zhang
Place of publication: Piscataway NJ, USA
Publisher: IEEE, Institute of Electrical and Electronics Engineers
Pages: 345-354
Number of pages: 10
ISBN (Electronic): 9781728119700
ISBN (Print): 9781728119717
DOIs
Publication status: Published - 2018
Event: Asia-Pacific Software Engineering Conference 2018 - Nara, Japan
Duration: 4 Dec 2018 to 7 Dec 2018
Conference number: 25th
https://ieeexplore.ieee.org/xpl/conhome/8716285/proceeding (Proceedings)

Conference

Conference: Asia-Pacific Software Engineering Conference 2018
Abbreviated title: APSEC 2018
Country/Territory: Japan
City: Nara
Period: 4/12/18 to 7/12/18
Internet address

Keywords

  • invalid CVE
  • prediction model
  • reason categorization
