Exploitability prediction of software vulnerabilities
Quality and Reliability Engineering International (IF 2.2), Pub Date: 2020-09-09, DOI: 10.1002/qre.2754
Navneet Bhatt 1 , Adarsh Anand 1 , V. S. S. Yadavalli 2

The number of security failures discovered and publicly disclosed is increasing at an unprecedented pace, yet only a small fraction of the vulnerabilities encountered in the operational phase are ever exploited in the wild. Vulnerabilities are hard to find during the early stages of the software development cycle, because the security implications of a design are often not adequately understood at that point. To contain these risks, vendors typically issue patches so that the disclosed flaws cannot be exploited, and a security manager then faces the daunting task of prioritizing patches for the vulnerabilities that are most likely to be exploitable. This paper addresses that gap by applying several machine learning techniques to classify vulnerabilities on the basis of their previous exploit history. Our results indicate that vulnerability characteristics such as severity, vulnerability type, the affected software configurations, and vulnerability scoring parameters are important features for judging whether an exploit is likely. Using such methods, exploit-prone vulnerabilities can be predicted with an accuracy above 85%. Finally, from this experiment we conclude that supervised machine learning is a useful technique for predicting exploit-prone vulnerabilities.
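As an added illustration, not code from the paper (whose models, feature set and dataset are not reproduced on this page), the Python sketch below shows the shape of the supervised pipeline the abstract describes: vulnerability records carrying scoring parameters, a severity band and a vulnerability type, a label derived from exploit history, a classifier trained on those records, and a ranking that a security manager could use to order patches. The records are constructed for this example, the features are CVSS v3-style base metrics plus a CWE identifier (an assumption about what "scoring parameters" and "type of vulnerability" look like in practice), and the classifier is a categorical Naive Bayes written from scratch so that it runs with no dependencies.

```python
from collections import Counter, defaultdict
from math import log

# Constructed training records (not the paper's data). Field order:
# CVSS base score, attack vector, privileges required, user interaction,
# CWE type, and the label: True if exploit history shows in-the-wild use.
TRAIN = [
    (9.8, "N", "N", "N", "CWE-787", True),
    (9.8, "N", "N", "N", "CWE-502", True),
    (8.8, "N", "N", "R", "CWE-78",  True),
    (7.5, "N", "N", "N", "CWE-22",  True),
    (9.8, "N", "N", "N", "CWE-78",  True),
    (5.5, "L", "L", "N", "CWE-200", False),
    (4.3, "N", "L", "R", "CWE-79",  False),
    (6.5, "A", "L", "N", "CWE-400", False),
    (3.3, "L", "L", "R", "CWE-200", False),
    (7.8, "L", "L", "N", "CWE-787", False),
]

# Constructed held-out records with their true labels, used only for evaluation.
HELDOUT = [
    (9.8, "N", "N", "N", "CWE-502", True),
    (4.3, "L", "L", "R", "CWE-79",  False),
    (7.5, "N", "N", "N", "CWE-78",  True),
    (5.3, "L", "L", "N", "CWE-400", False),
]


def severity(score):
    """CVSS v3 qualitative severity band for a numeric base score."""
    if score >= 9.0:
        return "critical"
    if score >= 7.0:
        return "high"
    if score >= 4.0:
        return "medium"
    return "low"


def featurize(score, av, pr, ui, cwe):
    """Map one vulnerability record to the categorical features the model sees."""
    return {"severity": severity(score), "av": av, "pr": pr, "ui": ui, "cwe": cwe}


def train(records):
    """Fit a categorical Naive Bayes model: class priors plus per-feature value counts."""
    class_counts = Counter()
    feat_counts = defaultdict(Counter)   # (feature, label) -> Counter of values
    values = defaultdict(set)            # feature -> distinct values seen in training
    for *fields, label in records:
        class_counts[label] += 1
        for f, v in featurize(*fields).items():
            feat_counts[(f, label)][v] += 1
            values[f].add(v)
    return {"class_counts": class_counts, "feat_counts": feat_counts, "values": values}


def predict(model, score, av, pr, ui, cwe):
    """Return (exploit_prone, log_odds) for one unlabelled record.

    Laplace smoothing keeps unseen feature values (e.g. a new CWE) from
    zeroing out a class probability.
    """
    total = sum(model["class_counts"].values())
    logp = {}
    for label, n_c in model["class_counts"].items():
        lp = log(n_c / total)
        for f, v in featurize(score, av, pr, ui, cwe).items():
            k = len(model["values"][f])
            count = model["feat_counts"][(f, label)][v]
            lp += log((count + 1) / (n_c + k))
        logp[label] = lp
    log_odds = logp[True] - logp[False]
    return log_odds > 0, log_odds


def accuracy(model, labelled_records):
    """Fraction of labelled records whose predicted label matches the true one."""
    hits = sum(predict(model, *fields)[0] == label for *fields, label in labelled_records)
    return hits / len(labelled_records)


def prioritize(model, unlabelled_records):
    """Order records by predicted exploit likelihood; patch the top of the list first."""
    return sorted(unlabelled_records, key=lambda r: predict(model, *r)[1], reverse=True)


if __name__ == "__main__":
    model = train(TRAIN)
    for *fields, label in HELDOUT:
        exploit_prone, log_odds = predict(model, *fields)
        print(fields, "->", exploit_prone, f"(log-odds {log_odds:+.2f}, actual {label})")
    print("held-out accuracy:", accuracy(model, HELDOUT))
    print("patch order:", prioritize(model, [r[:-1] for r in HELDOUT]))
```

The constructed data is deliberately separable, so the held-out accuracy here is 1.0 and says nothing about real vulnerability feeds. On real data the class imbalance the abstract itself notes (only a small fraction of vulnerabilities are exploited) means a classifier that always answers "not exploited" already scores a high accuracy, so precision and recall on the exploited class, or the ranking quality of `prioritize`, are the figures to watch alongside the accuracy number.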

Updated: 2020-09-09