Article type: Research Article
Authors: Khazaei, Atefeh* | Ghasemzadeh, Mohammad | Derhami, Vali
Affiliations: Department of Electrical and Computer Engineering, Yazd University, Yazd, Iran
Correspondence: [*] Corresponding author. Atefeh Khazaei, Department of Electrical and Computer Engineering, Yazd University, Yazd, Iran. Tel.: +98 35 31232359; Fax: +98 35 31232357; E-mail: [email protected].
Abstract: In this paper we introduce an objective method for CVSS score calculation. CVSS is a well-known and widely used method for prioritizing software vulnerabilities. Currently it is calculated by slightly subjective methods that require sufficient skill and knowledge. This research shows how natural language descriptions of vulnerabilities can be used for CVSS calculation. The data used for implementation and evaluation of the proposed models consist of the available CVE vulnerability descriptions and their corresponding CVSS scores from the OSVDB database. First, feature vectors were extracted using text mining tools and techniques; then the SVM and Random-Forest algorithms, as well as fuzzy systems, were examined for predicting the corresponding CVSS scores. Although SVM and Random-Forest are widely used and trusted prediction methods, the results of this research bear witness that fuzzy systems can give comparable and even better results. In addition, implementation of the fuzzy-based system is much easier and faster. Although there have so far been few efforts to use the information embedded in textual material about vulnerabilities, this research shows that it will be valuable to utilize it in establishing system security.
Keywords: Description of software vulnerability, Common Vulnerability Scoring System (CVSS), Support Vector Machine (SVM), Random-Forest, fuzzy systems
DOI: 10.3233/IFS-151733
Journal: Journal of Intelligent & Fuzzy Systems, vol. 30, no. 1, pp. 89-96, 2016
IOS Press, Inc.