Severity prediction of software vulnerabilities using convolutional neural networks

PurposeThe continuous influx of software vulnerabilities poses a significant challenge to organizations, necessitating effective resource allocation for threat mitigation. A key factor in this process is assessing the severity of vulnerabilities to prioritize which issues require immediate attention. This paper aims to automate the prediction of common vulnerability scoring system (CVSS) metrics from textual descriptions of vulnerabilities, reducing the reliance on manual expert analysis.Design/methodology/approachThis study applies machine learning and natural language processing techniques, particularly convolutional neural networks (CNNs), to predict CVSS base metrics such as attack vectors, attack complexity and required privileges. The CNN models are trained on vulnerability descriptions and evaluated for their accuracy in predicting these metrics, which are then used to compute overall severity base scores.FindingsThe CNN models demonstrated high accuracy in predicting CVSS base metrics from textual descriptions. The predicted severity base scores closely align with those provided by human experts, showing the model's potential to streamline the vulnerability assessment process.Practical implicationsAutomating CVSS metric prediction could significantly reduce the time and effort required for vulnerability severity assessment. This would enable security teams to quickly identify and prioritize critical vulnerabilities, improving response times in cybersecurity management.Originality/valueThis research provides an innovative approach to vulnerability management by automating CVSS metric prediction, reducing the need for manual expert analysis and therefore accelerating security assessments.