Research Article
ThreatZoom: Hierarchical Neural Network for CVEs to CWEs Classification
@INPROCEEDINGS{10.1007/978-3-030-63086-7_2, author={Ehsan Aghaei and Waseem Shadid and Ehab Al-Shaer}, title={ThreatZoom: Hierarchical Neural Network for CVEs to CWEs Classification}, proceedings={Security and Privacy in Communication Networks. 16th EAI International Conference, SecureComm 2020, Washington, DC, USA, October 21-23, 2020, Proceedings, Part I}, proceedings_a={SECURECOMM}, year={2020}, month={12}, keywords={Hierarchical neural network CVE to CWE classification Vulnerability analysis Proactive cyber defense}, doi={10.1007/978-3-030-63086-7_2} }- Ehsan Aghaei
Waseem Shadid
Ehab Al-Shaer
Year: 2020
ThreatZoom: Hierarchical Neural Network for CVEs to CWEs Classification
SECURECOMM
Springer
DOI: 10.1007/978-3-030-63086-7_2
Abstract
The Common Vulnerabilities and Exposures (CVE) represent standard means for sharing publicly known information security vulnerabilities. One or more CVEs are grouped into the Common Weakness Enumeration (CWE) classes for the purpose of understanding the software or configuration flaws and potential impacts enabled by these vulnerabilities and identifying means to detect or prevent exploitation.
As the CVE-to-CWE classification is mostly performed manually by domain experts, thousands of critical and new CVEs remain unclassified, yet they are unpatchable. This significantly limits the utility of CVEs and slows down proactive threat mitigation tremendously.
This paper presentsThreatZoom, as the first automatic tool to classify CVEs to CWEs.ThreatZoomuses a novel learning algorithm that employs an adaptive hierarchical neural network that adjusts its weights based on text analytic scores and classification errors. It automatically estimates the CWE classes corresponding to a CVE instance using both statistical and semantic features extracted from the description of a CVE.
This tool is rigorously tested by various datasets provided by MITRE and the National Vulnerability Database (NVD). The accuracy of classifying CVE instances to their correct CWE classes is(92\%)(fine-grain) and(94\%)(coarse-grain) for NVD dataset, and(75\%)(fine-grain) and(90\%)(coarse-grain) for MITRE dataset, despite the small corpus.
