Key Aspects Augmentation of Vulnerability Description based on Multiple Security Databases

Abstract

Common Vulnerabilities and Exposures (CVE) is one of the most influential security databases. With the continuous disclosure of security vulnerabilities, the characteristics of them are documented as vulnerability reports, and it is discovered that their impact on computer systems is increasing. However, as our research continues to deepen, we find that the current lack of key aspects of CVE description is more serious than before. In response to this situation, our research focuses on how to correctly and completely extract key aspect descriptions from various security vulnerability databases to supplement the CVE reports. First, we fetch almost all of semi-structured vulnerability reports from the CVE, Security Focus, and IBM X-Force Exchange databases before November 2020. We then propose a customized NER (Named entity recognition) method based on deep neural networks to extract six key aspects from unstructured descriptions. Finally, we use the corresponding security vulnerability reports in other vulnerability databases to complete the missing key aspects in the correlated CVE description. We conduct sampling surveys on various aspects of this information, and verify the accuracy of extracting key aspects, and find that our method can extract key information from vulnerability descriptions. To demonstrate the usefulness of key aspects augmentation, after completing the missing affected product, root cause, attacker type, attack vector, impact, and vulnerability type in the CVE description, we verify the effectiveness of completing the key aspects of the vulnerability in predicting the severity of the security vulnerability.