
Research On Software Vulnerability Severity Prediction Method Based On Deep Learning

Posted on: 2022-02-15
Degree: Master
Type: Thesis
Country: China
Candidate: L C Yang
GTID: 2518306572960199
Subject: Software engineering

Abstract/Summary:
The severity of software vulnerabilities can help test developers to reasonably allocate limited resources and prioritize repairing the more serious vulnerabilities. However, there is a time lag between the release of a vulnerability and the manual evaluation of its severity, which may lead to a "zero-day attack" problem. Therefore, it is of practical significance to automatically, timely and accurately predict the severity of software vulnerabilities by using information such as vulnerability descriptions and source code. The existing methods have the following problems: (1) the amount of CVE vulnerability description data for each project is small, and the language style of vulnerability descriptions differs considerably between projects; (2) the shared information between multiple CVSS vulnerability characteristics is ignored; (3) in some application scenarios the vulnerability description is missing or inaccurate, and only the vulnerability source code exists; (4) the dual-modal vulnerability data consisting of the vulnerability description and the corresponding vulnerable source code is not fully utilized.

For application scenarios with only vulnerability descriptions, in order to reduce the difference in data distribution between projects and alleviate the shortage of training data for a single project, this thesis uses domain adaptive neural networks, deep domain confusion models and deep adaptive networks to extract features from CVE vulnerability descriptions and then assesses severity from those features. In addition, this thesis introduces a multi-task learning method to jointly learn 7 vulnerability features, making full use of the shared information between different vulnerability features and reducing the risk of model overfitting. Experiments prove that the method proposed in this thesis improves the performance of the cross-project software vulnerability severity prediction task.

For application scenarios where the vulnerability description is missing or inaccurate, this thesis uses code data enhancement and code pre-training methods to represent the source code, mining the semantic information in the vulnerable code to predict the severity of the software vulnerability. Experiments prove that the proposed method effectively addresses the small amount of vulnerability code data and the difficulty of feature representation.

For application scenarios where both vulnerability descriptions and the corresponding source code are available, in order to make full use of the vulnerability information in the bimodal data, this thesis uses the CodeBERT model, pre-trained on a natural language-programming language corpus, to represent the vulnerability description and the corresponding source code, and learns unified vulnerability features through bimodal feature fusion. Experiments show that, compared with single-modal data, richer vulnerability characteristics can be learned from bimodal data, thereby effectively improving the performance of software vulnerability severity prediction.
Keywords/Search Tags: Software vulnerability severity prediction, Multi-task transfer learning, Domain adaptation, Code pre-trained model, Data enhancement based on code visualization, Bimodal feature extraction