Predicting the Severity and Exploitability of Vulnerability Reports using Convolutional Neural Nets

Common Vulnerability and Exposure (CVE) reports published by Vulnerability Management Systems (VMSs) are used to evaluate the severity and exploitability of software vulnerabilities. Public vulnerability databases such as NVD uses the Common Vulnerability Scoring System (CVSS) to assign various scores to CVEs to evaluate their base severity, impact, and exploitability. Previous studies have shown that vulnerability databases rely on a manual, labor-intensive and error-prone process which may lead to inconsistencies in the CVE data and delays in the releasing of new CVEs. Furthermore, it was shown that CVSS scoring is based on complex calculations and may not be accurate enough in assessing the potential severity and exploitability of vulnerabilities in real life. This work uses Convolutional Neural Networks (CNN) to train text classification models to automate the prediction of the severity and exploitability of CVEs, and proposes a new exploitability scoring method by creating a Product Hygiene Index based on the Common Product Enumeration (CPE) catalog. Using CVE descriptions published by the NVD and the exploits identified by exploit databases, it trains CNN models to predict the base severity and exploitability of CVEs. Preliminary experiment results and the conducted case study indicate that the severity of CVEs can be predicted automatically with high confidences, and the proposed exploitability scoring method achieves better results compared to the exploitability scoring provided by the NVD.