A Survey on Data-driven Software Vulnerability Assessment and Prioritization

Le, Triet Huynh Minh; Chen, Huaming; Babar, M. Ali

doi:10.48550/arxiv.2107.08364

Cited by 3 publications

(9 citation statements)

References 124 publications

(265 reference statements)

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Bugzilla reports are usually assigned a severity score by the reporter of the SV. There are four classes of severity that may be assigned 5 : blocker, the bug significantly impacts users or causes data loss; critical/major, the bug severely impairs functionality and a satisfactory workaround does not exist; normal, the bug blocks non-critical functionality and a workaround exists; and minor, the bug has low or no impact to users.…”

Section: A Software Vulnerability Reporting Practicesmentioning

confidence: 99%

“…Other than impacts to SV prioritization, severity data inconsistency can also impact researchers who analyse severity data. One such task that has been regularly investigated is severity prediction [5]. selected stage for prediction, e.g., for bug reports [9] or SV databases [18].…”

Section: A Research Questionsmentioning

confidence: 99%

“…Without existing standardization, we similarly encourage researchers to investigate more varied severity data sources. Whilst much research has been done regarding severity prediction for NVD, very little work has been performed on SV severity prediction for bug reports or vendor advisories [5]. Existing bug report severity research only focuses on regular software defects [32].…”

Section: B For Researchersmentioning

confidence: 99%

“…Hence, SV severity assessment data is vital information provided by SV reporting sources that allows for better prioritization of fixing and patching efforts [4]. The severity of an SV is often influenced by exploitability and impact factors [5]; an SV that is both highly exploitable and has significant impacts should be considered critically severe. Severity rankings provide a natural ordering of SVs that can be used for initial prioritization.…”

Section: Introductionmentioning

confidence: 99%

“…Prior research efforts have used SV data to derive development insights [8], or to develop automatic assessment approaches [9]. Particularly, SV severity prediction has been a commonly explored task [5]. With conflicting information present in the available data sources however, the reliability and validity of such research is uncertain.…”

Section: Introductionmentioning

confidence: 99%

See 4 more Smart Citations

An Investigation into Inconsistency of Software Vulnerability Severity across Data Sources

Croft¹,

Babar²,

Li³

2021

Preprint

Self Cite

View full text Add to dashboard Cite

Software Vulnerability (SV) severity assessment is a vital task for informing SV remediation and triage. Ranking of SV severity scores is often used to advise prioritization of patching efforts. However, severity assessment is a difficult and subjective manual task that relies on expertise, knowledge, and standardized reporting schemes. Consequently, different data sources that perform independent analysis may provide conflicting severity rankings. Inconsistency across these data sources affects the reliability of severity assessment data, and can consequently impact SV prioritization and fixing. In this study, we investigate severity ranking inconsistencies over the SV reporting lifecycle. Our analysis helps characterize the nature of this problem, identify correlated factors, and determine the impacts of inconsistency on downstream tasks. Our findings observe that SV severity often lacks consideration or is underestimated during initial reporting, and such SVs consequently receive lower prioritization. We identify six potential attributes that are correlated to this misjudgment, and show that inconsistency in severity reporting schemes can severely degrade the performance of downstream severity prediction by up to 77%. Our findings help raise awareness of SV severity data inconsistencies and draw attention to this data quality problem. These insights can help developers better consider SV severity data sources, and improve the reliability of consequent SV prioritization. Furthermore, we encourage researchers to provide more attention to SV severity data selection.

show abstract

Section: A Software Vulnerability Reporting Practicesmentioning

confidence: 99%

Section: A Research Questionsmentioning

confidence: 99%

Section: B For Researchersmentioning

confidence: 99%

Section: Introductionmentioning

confidence: 99%

Section: Introductionmentioning

confidence: 99%

See 3 more Smart Citations

An Investigation into Inconsistency of Software Vulnerability Severity across Data Sources

Croft¹,

Babar²,

Li³

2021

Preprint

Self Cite

View full text Add to dashboard Cite

show abstract

Automated Security Assessment for the Internet of Things

Duan¹,

Ge²,

Le³

et al. 2021

Preprint

Self Cite

View full text Add to dashboard Cite

Internet of Things (IoT) based applications face an increasing number of potential security risks, which need to be systematically assessed and addressed. Expert-based manual assessment of IoT security is a predominant approach, which is usually inefficient. To address this problem, we propose an automated security assessment framework for IoT networks. Our framework first leverages machine learning and natural language processing to analyze vulnerability descriptions for predicting vulnerability metrics. The predicted metrics are then input into a two-layered graphical security model, which consists of an attack graph at the upper layer to present the network connectivity and an attack tree for each node in the network at the bottom layer to depict the vulnerability information. This security model automatically assesses the security of the IoT network by capturing potential attack paths. We evaluate the viability of our approach using a proof-of-concept smart building system model which contains a variety of real-world IoT devices and potential vulnerabilities. Our evaluation of the proposed framework demonstrates its effectiveness in terms of automatically predicting the vulnerability metrics of new vulnerabilities with more than 90% accuracy, on average, and identifying the most vulnerable attack paths within an IoT network. The produced assessment results can serve as a guideline for cybersecurity professionals to take further actions and mitigate risks in a timely manner.

show abstract

Data Preparation for Software Vulnerability Prediction: A Systematic Literature Review

Croft¹,

Xie²,

Babar³

2021

Preprint

Self Cite

View full text Add to dashboard Cite

Software Vulnerability Prediction (SVP) is a data-driven technique for software quality assurance that has recently gained considerable attention in the Software Engineering research community. However, the difficulties of preparing Software Vulnerability (SV) related data remains as the main barrier to industrial adoption. Despite this problem, there have been no systematic efforts to analyse the existing SV data preparation techniques and challenges. Without such insights, we are unable to overcome the challenges and advance this research domain. Hence, we are motivated to conduct a Systematic Literature Review (SLR) of SVP research to synthesize and gain an understanding of the data considerations, challenges and solutions that SVP researchers provide. From our set of primary studies, we identify the main practices for each data preparation step. We then present a taxonomy of 16 key data challenges relating to six themes, which we further map to six categories of solutions. However, solutions are far from complete, and there are several ill-considered issues. We also provide recommendations for future areas of SV data research. Our findings help illuminate the key SV data practices and considerations for SVP researchers and practitioners, as well as inform the validity of the current SVP approaches.

show abstract

A Survey on Data-driven Software Vulnerability Assessment and Prioritization

Cited by 3 publications

References 124 publications

An Investigation into Inconsistency of Software Vulnerability Severity across Data Sources

An Investigation into Inconsistency of Software Vulnerability Severity across Data Sources

Automated Security Assessment for the Internet of Things

Data Preparation for Software Vulnerability Prediction: A Systematic Literature Review

Contact Info

Product

Resources

About