
Empirical Validation of Automated Vulnerability Curation and Characterization

Author(s)

Ahmet Okutan, Peter Mell, Mehdi Mirakhorli, Igor Khokhlov, Joanna Santos, Danielle Gonzalez, Steven Simmons

Abstract

Prior research has shown that public vulnerability systems such as the US National Vulnerability Database (NVD) rely on a manual, time-consuming, and error-prone process, which has led to inconsistencies and delays in releasing final vulnerability results. This work provides an approach to curate vulnerability reports in real time and to map textual vulnerability reports to machine-readable, structured vulnerability attribute data. Designed to support the time-consuming human analysis done by vulnerability databases, the system leverages the Common Vulnerabilities and Exposures (CVE) list of vulnerabilities and the vulnerability attributes described by the National Institute of Standards and Technology (NIST) Vulnerability Description Ontology (VDO) framework. Our work uses Natural Language Processing (NLP), Machine Learning (ML) and novel Information Theoretical (IT) methods to provide automated techniques for near-real-time publishing and characterization of vulnerabilities using 28 attributes in 5 domains. Experiment results indicate that vulnerabilities can be evaluated up to 95 hours earlier than with manual methods, that they can be characterized with F-Measure values over 0.9, and that the proposed automated approach could save up to 47% of the time spent on CVE characterization.
Venue

IEEE Transactions on Software Engineering, Volume 49, Issue 5

Keywords

CVE, NIST vulnerability description ontology, software vulnerability, vulnerability characterization

Citation

Okutan, A., Mell, P., Mirakhorli, M., Khokhlov, I., Santos, J., Gonzalez, D. and Simmons, S. (2023), Empirical Validation of Automated Vulnerability Curation and Characterization, IEEE Transactions on Software Engineering, [online], https://doi.org/10.1109/TSE.2023.3250479, https://tsapps.nist.gov/publication/get_pdf.cfm?pub_id=932075 (Accessed April 27, 2024)
Created February 28, 2023, Updated October 30, 2023