1 research outputs found
Generating Informative CVE Description From ExploitDB Posts by Extractive Summarization
ExploitDB is one of the important public websites, which contributes a large
number of vulnerabilities to official CVE database. Over 60\% of these
vulnerabilities have high- or critical-security risks. Unfortunately, over 73\%
of exploits appear publicly earlier than the corresponding CVEs, and about 40\%
of exploits do not even have CVEs. To assist in documenting CVEs for the
ExploitDB posts, we propose an open information method to extract 9 key
vulnerability aspects (vulnerable product/version/component, vulnerability
type, vendor, attacker type, root cause, attack vector and impact) from the
verbose and noisy ExploitDB posts. The extracted aspects from an ExploitDB post
are then composed into a CVE description according to the suggested CVE
description templates, which is must-provided information for requesting new
CVEs. Through the evaluation on 13,017 manually labeled sentences and the
statistically sampling of 3,456 extracted aspects, we confirm the high accuracy
of our extraction method. Compared with 27,230 reference CVE descriptions. Our
composed CVE descriptions achieve high ROUGH-L (0.38), a longest common
subsequence based metric for evaluating text summarization methods