An Empirical Study on Using the National Vulnerability Database to Predict Software Vulnerabilities

  • Su Zhang
  • Doina Caragea
  • Xinming Ou
Part of the Lecture Notes in Computer Science book series (LNCS, volume 6860)


Software vulnerabilities represent a major cause of cyber-security problems. The National Vulnerability Database (NVD) is a public data source that maintains standardized information about reported software vulnerabilities. Since its inception in 1997, NVD has published information about more than 43,000 software vulnerabilities affecting more than 17,000 software applications. This information is potentially valuable in understanding trends and patterns in software vulnerabilities, so that one can better manage the security of computer systems that are pestered by the ubiquitous software security flaws. In particular, one would like to be able to predict the likelihood that a piece of software contains a yet-to-be-discovered vulnerability, which must be taken into account in security management due to the increasing trend in zero-day attacks. We conducted an empirical study on applying data-mining techniques on NVD data with the objective of predicting the time to next vulnerability for a given software application. We experimented with various features constructed using the information available in NVD, and applied various machine learning algorithms to examine the predictive power of the data. Our results show that the data in NVD generally have poor prediction capability, with the exception of a few vendors and software applications. By doing a large number of experiments and observing the data, we suggest several reasons for why the NVD data have not produced a reasonable prediction model for time to next vulnerability with our current approach.


data mining cyber-security vulnerability prediction 


Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.


  1. 1.
    Root relative squared error. Website,
  2. 2.
    Support vector machines. Website,
  3. 3.
    Alhazmi, O.H., Malaiya, Y.K.: Prediction capabilities of vulnerability discovery models. In: Annual Reliability and Maintainability Symposium, RAMS (2006)Google Scholar
  4. 4.
    Ammann, P., Wijesekera, D., Kaushik, S.: Scalable, graph-based network vulnerability analysis. In: 9th ACM Conference on Computer and Communications Security, CCS (2002)Google Scholar
  5. 5.
    Bouckaert, R.R., Frank, E., Hall, M., Kirkby, R., Reutemann, P., Seewald, A., Scuse, D.: WEKA Manual for Version 3.7. The University of Waikato (2010)Google Scholar
  6. 6.
    Buttner, A., Ziring, N.: Common platform enumeration (cpe) c specification. Technical report, The MITRE Corporation AND National Security Agency (2009)Google Scholar
  7. 7.
    Dacier, M., Deswarte, Y., Kaâniche, M.: Models and tools for quantitative assessment of operational security. In: IFIP SEC (1996)Google Scholar
  8. 8.
    Dawkins, J., Hale, J.: A systematic approach to multi-stage network attack analysis. In: Proceedings of Second IEEE International Information Assurance Workshop, pp. 48–56 (April 2004)Google Scholar
  9. 9.
    Dewri, R., Poolsappasit, N., Ray, I., Whitley, D.: Optimal security hardening using multi-objective optimization on attack tree models of networks. In: 14th ACM Conference on Computer and Communications Security, CCS (2007)Google Scholar
  10. 10.
    Ingols, K., Chu, M., Lippmann, R., Webster, S., Boyer, S.: Modeling modern network attacks and countermeasures using attack graphs. In: 25th Annual Computer Security Applications Conference, ACSAC (2009)Google Scholar
  11. 11.
    Ingols, K., Lippmann, R., Piwowarski, K.: Practical attack graph generation for network defense. In: 22nd Annual Computer Security Applications Conference (ACSAC), Miami Beach, Florida (December 2006)Google Scholar
  12. 12.
    Jajodia, S., Noel, S., O’Berry, B.: Topological analysis of network attack vulnerability. In: Kumar, V., Srivastava, J., Lazarevic, A. (eds.) Managing Cyber Threats: Issues, Approaches and Challanges, ch. 5. Kluwer Academic Publisher, Dordrecht (2003)Google Scholar
  13. 13.
    Lippmann, R., Ingols, K.W.: An annotated review of past papers on attack graphs. Technical report, MIT Lincoln Laboratory (March 2005)Google Scholar
  14. 14.
    Massacci, F., Nguyen, V.H.: Which is the right source for vulnerability studies? an empirical analysis on mozilla firefox. In: MetriSec (2010)Google Scholar
  15. 15.
    McQueen, M., McQueen, T., Boyer, W., Chaffin, M.: Empirical estimates and observations of 0day vulnerabilities. In: 42nd Hawaii International Conference on System Sciences (2009)Google Scholar
  16. 16.
    Nguyen, V.H., Tran, L.M.S.: Predicting vulnerable software components with dependency graphs. In: MetriSec (2010)Google Scholar
  17. 17.
    Ou, X., Boyer, W.F., McQueen, M.A.: A scalable approach to attack graph generation. In: 13th ACM Conference on Computer and Communications Security (CCS), pp. 336–345 (2006)Google Scholar
  18. 18.
    Ozment, A.: Improving vulnerability discovery models analyzer. In: QoP 2007 (2007)Google Scholar
  19. 19.
    Ozment, A.: Vulnerability Discovery & Software Security. PhD thesis, University of Cambridge (2007)Google Scholar
  20. 20.
    Phillips, C., Swiler, L.P.: A graph-based system for network-vulnerability analysis. In: NSPW 1998: Proceedings of the 1998 Workshop on New Security Paradigms, pp. 71–79. ACM Press, New York (1998)Google Scholar
  21. 21.
    Schiffman, M., Eschelbeck, G., Ahmad, D., Wright, A., Romanosky, S.: CVSS: A Common Vulnerability Scoring System. National Infrastructure Advisory Council (NIAC) (2004)Google Scholar
  22. 22.
    Sheyner, O., Haines, J., Jha, S., Lippmann, R., Wing, J.M.: Automated generation and analysis of attack graphs. In: Proceedings of the 2002 IEEE Symposium on Security and Privacy, pp. 254–265 (2002)Google Scholar

Copyright information

© Springer-Verlag Berlin Heidelberg 2011

Authors and Affiliations

  • Su Zhang
    • 1
  • Doina Caragea
    • 1
  • Xinming Ou
    • 1
  1. 1.Kansas State UniversityUSA

Personalised recommendations