A Character-Level Convolutional Neural Network for Predicting Exploitability of Vulnerability

2021 
The continuous discovery of software vulnerabilities has brought great challenges to cyber security, since vulnerabilities lead to severe systemic or individual losses once exploited. But the sharp increase in software vulnerabilities overwhelms time-consuming vulnerability analysis. Security experts must pay more attention to the ones that have the highest priority for repair. In general, both severity and exploitability determine the severity of a software vulnerability. Compared with severity, which is evaluated by the Common Vulnerability Scoring System (CVSS score), exploitability still lacks a well-accepted standard. Furthermore, from the perspective of attack and defense, we found that the exploitability of vulnerabilities is more attractive to hackers, so that a system or individual is more severely affected by exploitability than by severity. In this paper, we propose a deep-learning-based approach to predict the exploitability of a vulnerability using its correlated textual description and characteristics. Specifically, our approach uses a character-level Convolutional Neural Network (charCNN) to extract more fine-grained character-level features from the vulnerability description, instead of the word-level features considered in the previous literature. We also highlight the importance of vulnerability characteristics such as Confidentiality Impact, Integrity Impact, and Attack Vector in determining vulnerability exploitability. Extensive experiments are conducted to demonstrate the effectiveness of the charCNN approach through comparisons across both different levels of features and different neural network models. Our approach achieves the best F1 value of 93.1% (at least 2.2% more than the baselines). We also investigate the efficiency of charCNN trained on historical vulnerabilities when predicting the exploitability of newly published vulnerabilities.
Finally, we further explore the robustness of the proposed model by changing the scale of the training sets. For the prediction of vulnerability exploitability, we recommend using 40.0% to 50.0% of the vulnerabilities to train a robust charCNN model.