Automation of Vulnerability Classification from its Description using Machine Learning

Vulnerability reports play an important role in cybersecurity. Mitigation of software vulnerabilities that can be exploited by attackers depends on disclosure of vulnerabilities. Information on vulnerability types or identifiers facilitates automation of vulnerability management, statistical analysis of vulnerability trends, and secure software development. Labeling of reports with vulnerability identifiers has thus far been performed manually and has therefore suffered from human-induced errors and scalability issues due to the shortage of security experts. In this paper, we propose a scheme that automatically classifies each vulnerability description by type using machine learning. We experimentally demonstrated the performance of our proposed scheme compared to other algorithms, analyzed cases of misclassification, and revealed the potential for numerous human errors. We experimentally demonstrated the performance of the proposed scheme in comparison with other algorithms, analyzed cases of misclassification, and revealed the potential for numerous human errors. Furthermore, we tried to correct these errors.