Abstract

Classification of software vulnerabilities facilitates the understanding of security-related information and accelerates vulnerability analysis. Without a proper classification, that understanding is hindered and so is any strategy for developing mitigation mechanisms for clusters of related vulnerabilities. Software developers and researchers now agree that incorporating security into the software engineering phases, including requirements and design, yields the greatest benefit. In this paper we classify software vulnerabilities of Microsoft Office so that the results can help in building secure software. Vulnerabilities are first classified against well-established security properties such as authentication and authorization. Vulnerability data is collected from authoritative sources, including the Common Weakness Enumeration (CWE) and Common Vulnerabilities and Exposures (CVE). From these databases only those vulnerabilities are included whose mitigation is possible at the design phase. The data is then preprocessed to handle missing values and remove noise, and classified using several supervised machine learning techniques. The classification models are compared on three security metrics: integrity, confidentiality and availability. All classifiers achieved their highest accuracy for integrity.
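The following is an added example, not code from the paper, showing the shape of the pipeline the abstract describes: collect CVE-like records, keep only those flagged as mitigable at the design phase, drop records with missing values, strip noise from the descriptions, train one supervised classifier per security property (confidentiality, integrity, availability) and compare their accuracy. The records, the `design_phase` flag, the record field names and the classifier (a small multinomial naive Bayes) are all assumptions made for the example; the paper does not say which learning algorithms or fields it used.

```python
"""Per-property vulnerability classification on constructed CVE-like records.

Added example; the records below are constructed, not real CVE data, and the
field layout (id, design_phase, description, impact) is an assumption.
"""
import math
import re
from collections import Counter

PROPERTIES = ("confidentiality", "integrity", "availability")

# Constructed training records. "impact" stands in for CVSS C/I/A impact flags
# and "design_phase" for the paper's "mitigable at the design phase" selection.
TRAIN = [
    {"id": "REC-1", "design_phase": True, "description": "Information disclosure lets attacker read arbitrary files.",
     "impact": {"confidentiality": 1, "integrity": 0, "availability": 0}},
    {"id": "REC-2", "design_phase": True, "description": "Attacker can read memory contents and leak sensitive data.",
     "impact": {"confidentiality": 1, "integrity": 0, "availability": 0}},
    {"id": "REC-3", "design_phase": True, "description": "Remote attacker can modify document contents via crafted macro.",
     "impact": {"confidentiality": 0, "integrity": 1, "availability": 0}},
    {"id": "REC-4", "design_phase": True, "description": "Improper validation allows attacker to write arbitrary files.",
     "impact": {"confidentiality": 0, "integrity": 1, "availability": 0}},
    {"id": "REC-5", "design_phase": True, "description": "Crafted file causes application crash (denial of service).",
     "impact": {"confidentiality": 0, "integrity": 0, "availability": 1}},
    {"id": "REC-6", "design_phase": True, "description": "Malformed input triggers infinite loop hang.",
     "impact": {"confidentiality": 0, "integrity": 0, "availability": 1}},
    {"id": "REC-7", "design_phase": True, "description": "Buffer overflow allows arbitrary code execution.",
     "impact": {"confidentiality": 1, "integrity": 1, "availability": 1}},
    # Missing value: no description, so the record is dropped in preprocessing.
    {"id": "REC-8", "design_phase": True, "description": None,
     "impact": {"confidentiality": 1, "integrity": 0, "availability": 0}},
    # Not mitigable at design time under the assumed flag, so it is excluded.
    {"id": "REC-9", "design_phase": False, "description": "Weak default password on admin share.",
     "impact": {"confidentiality": 1, "integrity": 0, "availability": 0}},
]

# Constructed held-out records used to compare accuracy per property.
TEST = [
    {"id": "TST-1", "design_phase": True, "description": "Attacker can leak sensitive memory data.",
     "impact": {"confidentiality": 1, "integrity": 0, "availability": 0}},
    {"id": "TST-2", "design_phase": True, "description": "Crafted file causes crash.",
     "impact": {"confidentiality": 0, "integrity": 0, "availability": 1}},
    {"id": "TST-3", "design_phase": True, "description": "Attacker can modify document via macro.",
     "impact": {"confidentiality": 0, "integrity": 1, "availability": 0}},
]


def tokenize(text):
    """Noise removal: lowercase and keep only alphanumeric word tokens."""
    return re.findall(r"[a-z0-9]+", text.lower())


def preprocess(records):
    """Drop records with missing description/impact or not design-phase mitigable; tokenize the rest."""
    clean = []
    for rec in records:
        if not rec.get("description") or not rec.get("impact"):
            continue
        if not rec.get("design_phase", False):
            continue
        clean.append({"id": rec["id"], "tokens": tokenize(rec["description"]), "impact": rec["impact"]})
    return clean


class BinaryNaiveBayes:
    """Multinomial naive Bayes with Laplace smoothing for one yes/no security property."""

    def __init__(self):
        self.word_counts = {0: Counter(), 1: Counter()}
        self.doc_counts = {0: 0, 1: 0}
        self.vocab = set()

    def fit(self, docs):
        for tokens, label in docs:
            self.doc_counts[label] += 1
            self.word_counts[label].update(tokens)
            self.vocab.update(tokens)

    def log_odds(self, tokens):
        total = self.doc_counts[0] + self.doc_counts[1]
        score = math.log((self.doc_counts[1] + 1) / (total + 2)) - math.log((self.doc_counts[0] + 1) / (total + 2))
        v = len(self.vocab)
        n = {c: sum(self.word_counts[c].values()) for c in (0, 1)}
        for tok in tokens:
            if tok not in self.vocab:
                continue  # words never seen in training carry no evidence
            score += math.log((self.word_counts[1][tok] + 1) / (n[1] + v))
            score -= math.log((self.word_counts[0][tok] + 1) / (n[0] + v))
        return score

    def predict(self, tokens):
        return 1 if self.log_odds(tokens) > 0 else 0


def train_models(records):
    """One classifier per security property, each trained on the same cleaned records."""
    models = {}
    for prop in PROPERTIES:
        model = BinaryNaiveBayes()
        model.fit([(r["tokens"], r["impact"][prop]) for r in records])
        models[prop] = model
    return models


def classify(models, description):
    tokens = tokenize(description)
    return {prop: models[prop].predict(tokens) for prop in PROPERTIES}


def accuracy_by_property(models, test_records):
    """The comparison the abstract reports: accuracy of each property's classifier on held-out data."""
    return {prop: sum(models[prop].predict(r["tokens"]) == r["impact"][prop] for r in test_records) / len(test_records)
            for prop in PROPERTIES}


MODELS = train_models(preprocess(TRAIN))
TEST_CLEAN = preprocess(TEST)

if __name__ == "__main__":
    for prop, acc in accuracy_by_property(MODELS, TEST_CLEAN).items():
        print(f"{prop}: accuracy {acc:.2f}")
    print(classify(MODELS, "Crafted file causes crash"))
```

With this toy data every property reaches accuracy 1.0; on a real CVE export the interesting part is exactly where the three numbers diverge, which is what the paper's comparison measures. Swapping in another supervised learner only requires replacing `BinaryNaiveBayes` while keeping `preprocess` and the per-property split.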
