Abstract
To share vulnerability information across separate databases, tools, and services, newly identified vulnerabilities are continually reported to the Common Vulnerabilities and Exposures (CVE) database. Unfortunately, not all vulnerability reports are accepted: some are rejected, and others are accepted but disputed. In this work, we refer to those rejected or disputed CVEs as invalid vulnerability reports. Invalid vulnerability reports not only cause unnecessary effort to confirm the vulnerability but also damage the reputation of the software vendors. In this paper, we aim to understand the root causes of invalid vulnerability reports and build a prediction model to automatically identify them. To this end, we first use card sorting to categorize invalid vulnerability reports, from which six main reasons are observed for rejected CVEs and six for disputed CVEs, respectively. Then, we propose a text mining approach to predict invalid vulnerability reports. Our experiments show that the proposed text mining approach achieves an AUC score of 0.87 for predicting invalid vulnerabilities. We also discuss the implications of our study: our categorization can be used to guide new committers to avoid these traps; some root causes of invalid CVEs can be avoided by using automatic techniques or by optimizing the reviewing mechanism; and invalid vulnerability report data should not be neglected.
Field | Value |
---|---|
Original language | English |
Title of host publication | Proceedings - 25th Asia-Pacific Software Engineering Conference, APSEC 2018 |
Subtitle of host publication | 4–7 December 2018, Nara, Japan |
Editors | Hironori Washizaki, Hongyu Zhang |
Place of Publication | Piscataway NJ USA |
Publisher | IEEE, Institute of Electrical and Electronics Engineers |
Pages | 345-354 |
Number of pages | 10 |
ISBN (Electronic) | 9781728119700 |
ISBN (Print) | 9781728119717 |
DOIs | |
Publication status | Published - 2018 |
Event | Asia-Pacific Software Engineering Conference 2018 - Nara, Japan; Duration: 4 Dec 2018 → 7 Dec 2018; Conference number: 25th; https://ieeexplore.ieee.org/xpl/conhome/8716285/proceeding (Proceedings) |
Conference
Field | Value |
---|---|
Conference | Asia-Pacific Software Engineering Conference 2018 |
Abbreviated title | APSEC 2018 |
Country/Territory | Japan |
City | Nara |
Period | 4/12/18 → 7/12/18 |
Internet address | |
Keywords
- invalid CVE
- prediction model
- reason categorization