An Automatic Software Vulnerability Classification Framework

2017 International Conference on Software Security and Assurance (ICSSA)(2017)

Citations: 8 | Views: 2

Abstract
Security defects are common in large software systems because of their size and complexity. Even when sound development processes, testing, and maintenance policies are applied, a large number of vulnerabilities can remain. Developers need to know more about the characteristics and types of these residual vulnerabilities in order to adopt suitable countermeasures in the current and next versions. We propose an automatic vulnerability classification framework based on the conditions that activate vulnerabilities, with the goal of helping developers design appropriate corrective actions (the most costly part of the development and maintenance phases). Several machine learning techniques (Random Forest, C4.5 Decision Tree, Logistic Regression, and Naive Bayes) are employed, and the framework keeps the classifier that achieves the highest F-measure when labelling unseen vulnerabilities. We evaluate the effectiveness of the classification by analysing 580 software security defects of the Firefox project. The results show that the C4.5 Decision Tree is able to identify the category of unseen vulnerabilities with a 69% F-measure.
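The abstract's model-selection step (train several classifiers on labelled vulnerability records, keep the one with the highest F-measure on records it has not seen) can be shown end to end with a small example. The code below is an added illustration, not the paper's code or data: the ten bug descriptions are constructed, the labels `memory`, `policy` and `ui` are hypothetical activation-condition categories rather than the paper's taxonomy, and a from-scratch multinomial Naive Bayes plus a majority-class baseline stand in for the four classifiers the paper compares (C4.5 and Random Forest would need a library). Each candidate is scored by leave-one-out macro F-measure and the best one is selected.

```python
"""Model selection by macro F-measure on labelled vulnerability records.

Added example, not code from the paper. Records and labels are constructed.
"""
import math
import re
from collections import Counter, defaultdict

# Constructed sample records (not Firefox data). Labels are hypothetical
# activation-condition categories, not the paper's classification scheme.
RECORDS = [
    ("heap overflow memory corruption while parsing a malformed font table", "memory"),
    ("use after free memory corruption when a dom node is removed", "memory"),
    ("out of bounds read memory corruption in the image decoder", "memory"),
    ("cross origin script can read iframe content, a same origin policy bypass", "policy"),
    ("same origin policy bypass through redirect to a data url", "policy"),
    ("same origin policy bypass using a malicious service worker", "policy"),
    ("address bar spoofing with a long unicode domain name", "ui"),
    ("permission prompt spoofing via a fake dialog drawn over the page", "ui"),
    ("fullscreen notification spoofing by an overlay hiding the address bar", "ui"),
]


def tokenize(text):
    """Lower-case word tokens: the bag-of-words features for each record."""
    return re.findall(r"[a-z]+", text.lower())


class NaiveBayes:
    """Multinomial Naive Bayes with add-one (Laplace) smoothing."""

    def fit(self, docs, labels):
        self.class_counts = Counter(labels)          # documents per class (prior)
        self.word_counts = defaultdict(Counter)      # word frequency per class
        self.total_words = Counter()                 # token count per class
        vocab = set()
        for doc, label in zip(docs, labels):
            tokens = tokenize(doc)
            self.word_counts[label].update(tokens)
            self.total_words[label] += len(tokens)
            vocab.update(tokens)
        self.vocab_size = len(vocab)
        self.n_docs = len(docs)
        return self

    def predict(self, doc):
        tokens = tokenize(doc)
        best_label, best_score = None, -math.inf
        for label, n_docs_c in self.class_counts.items():
            score = math.log(n_docs_c / self.n_docs)          # log prior
            denom = self.total_words[label] + self.vocab_size  # smoothed denominator
            for tok in tokens:                                 # words unseen in training get count 0
                score += math.log((self.word_counts[label][tok] + 1) / denom)
            if score > best_score:
                best_label, best_score = label, score
        return best_label


class MajorityClass:
    """ZeroR baseline: always predicts the most frequent training label."""

    def fit(self, docs, labels):
        self.label = Counter(labels).most_common(1)[0][0]
        return self

    def predict(self, doc):
        return self.label


def macro_f_measure(y_true, y_pred):
    """Unweighted mean of per-class F1; a class with no hits scores 0."""
    classes = sorted(set(y_true) | set(y_pred))
    fs = []
    for c in classes:
        tp = sum(1 for t, p in zip(y_true, y_pred) if t == c and p == c)
        fp = sum(1 for t, p in zip(y_true, y_pred) if t != c and p == c)
        fn = sum(1 for t, p in zip(y_true, y_pred) if t == c and p != c)
        precision = tp / (tp + fp) if tp + fp else 0.0
        recall = tp / (tp + fn) if tp + fn else 0.0
        fs.append(2 * precision * recall / (precision + recall) if precision + recall else 0.0)
    return sum(fs) / len(fs)


def leave_one_out_f(model_factory, records):
    """Hold out each record in turn, train on the rest, and score the held-out predictions."""
    y_true, y_pred = [], []
    for i, (doc, label) in enumerate(records):
        train = records[:i] + records[i + 1:]
        model = model_factory().fit([d for d, _ in train], [l for _, l in train])
        y_true.append(label)
        y_pred.append(model.predict(doc))
    return macro_f_measure(y_true, y_pred)


CANDIDATES = {"naive_bayes": NaiveBayes, "majority_class": MajorityClass}


def select_classifier(records=RECORDS, candidates=CANDIDATES):
    """Score every candidate by macro F-measure and return (best_name, scores)."""
    scores = {name: leave_one_out_f(factory, records) for name, factory in candidates.items()}
    return max(scores, key=scores.get), scores


if __name__ == "__main__":
    best, scores = select_classifier()
    for name, f in scores.items():
        print(f"{name:15s} macro F-measure = {f:.2f}")
    print("selected:", best)
```

Macro F-measure is used rather than accuracy because it weights every category equally, so a classifier that only gets the largest category right does not look good. The baseline scores 0 here: on a class-balanced set, each held-out record's own category is the minority of its training fold, so ZeroR never predicts it. On a real corpus such as the paper's 580 Firefox defects the categories are unbalanced and the baseline would score above zero, which is exactly why a reported F-measure should be read against such a baseline.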
Keywords
vulnerability, vulnerability classification, software security, machine learning techniques, C4.5 Decision Tree, Firefox