Joint Prediction of Multiple Vulnerability Characteristics Through Multi-Task Learning

Abstract

Software vulnerabilities seriously affect the security of computing systems and they are continuously disclosed and reported. When documenting software vulnerabilities, characterizing the severity, exploitability and impact of a vulnerability is critical for effective triaging and management of software vulnerabilities. Faced with ever-growing number of new vulnerabilities, we observe a significant lag between the disclosure of a vulnerability and the specification of its characteristics. This lag calls for automated, reliable assessment of vulnerability characteristics to assist security analysts in allocating their limited efforts to potentially most serious vulnerabilities. Existing automated techniques for vulnerability assessment require hand-crafted features and balanced data, and consider each specific characteristic independently at a time. In this paper, we propose a multi-task machine learning approach for the joint prediction of multiple vulnerability characteristics based on the vulnerability descriptions. Our approach gets rid of the requirement of balanced data, and it relies on neural networks that learn to extract features from training data. Using the large-scale vulnerability data in the Common Vulnerabilities and Exposure(CVE) database, we conduct extensive experiments to compare different configurations of neural network feature extractors, study the impact of multi-task learning versus independent-task learning, and investigate the performance of our approach for predicting the characteristics of newly disclosed vulnerabilities and the minimum requirement of historical vulnerability data for training reliable prediction model.