
Towards prioritizing vulnerability testing
A machine learning approach to accelerate vulnerability scanning by prioritizing security tests based on web page features.
Published: QRS-C 2020
In the field of #vulnerability-assessment, scanners often face a trade-off between coverage and speed. Standard tools crawl a website and run their full repository of test cases against every page they find. Since modern websites can contain thousands of pages and scanners hold thousands of tests, this "brute force" approach creates a significant bottleneck.
In this paper, we propose a method to accelerate this process by prioritizing security tests. Our approach is inspired by a simple observation: "similar" web pages tend to possess "similar" vulnerabilities. Experienced security experts can often predict potential flaws just by glancing at a URL or page layout. We conjecture that by automating this intuition using #machine-learning, we can predict the most likely vulnerabilities for a given page and prioritize the relevant tests, revealing flaws much faster than arbitrary scanning.
The Approach
We model the problem of #test-prioritization as a multi-class classification task. Rather than running every test blindly, we analyze the web page first to predict which vulnerabilities are statistically most probable.
- Feature Extraction: For every web page, we extract 50 binary features related to the URL structure, HTTP request/response contents, server headers, and authentication methods.
- Multi-Class Prediction: Using a #neural-network, we generate a ranked list of all possible #vulnerability classes (#CWE indices), ordered from most probable to least probable.
- Prioritization: We select the top predictions (e.g., Top 5, Top 15) and prioritize the specific security tests designed to reveal those vulnerabilities.
The prioritization flow is visualized below:
[Diagram: prioritization flow, from page feature extraction to ranked vulnerability prediction to prioritized tests]
Feasibility and Performance
To validate this approach, we conducted experiments using 2,927 distinct web pages collected from 80 different websites, using Netsparker scans to establish ground truth. We trained a Keras MultiClass Classifier to predict the vulnerabilities present on each page.
The results strongly supported our hypothesis that page features correlate with specific vulnerabilities:
- Top-8 Accuracy: When prioritizing the top 8 predicted vulnerabilities, the model successfully covered 86.9% of the actual flaws.
- Top-15 Accuracy: When expanding to the top 15 predictions, the coverage reached 98.4%.
This offers massive efficiency gains. By focusing on just the top 15 predictions, which represent a tiny fraction (approx. 1.8%) of all possible weakness types, the scanner can detect nearly all actual vulnerabilities while significantly reducing the number of unnecessary tests executed. This demonstrates that #automated-testing can be optimized to be both fast and comprehensive.
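As an added example (not the paper's or the authors' code), the ranking and top-k selection described under The Approach and the top-k coverage measurement from the experiments, run on a constructed seven-page sample with four hypothetical binary features and a hypothetical CWE-to-test mapping; a Laplace-smoothed per-class feature model stands in for the paper's Keras classifier and its 50 features.

```python
"""Added example, not the paper's code: rank CWE classes per page and measure
top-k coverage with a smoothed per-class feature model standing in for Keras."""
from math import log

# Constructed sample: 4 binary page features (has_query_param, has_form,
# is_admin_path, sets_session_cookie) with the CWE classes a scanner reported.
TRAIN = [
    ((1, 0, 0, 0), {"CWE-79"}),
    ((1, 0, 0, 0), {"CWE-79", "CWE-89"}),
    ((1, 1, 0, 1), {"CWE-79", "CWE-352"}),
    ((0, 1, 0, 1), {"CWE-352"}),
    ((0, 0, 1, 0), {"CWE-200"}),
    ((0, 0, 1, 1), {"CWE-200", "CWE-352"}),
    ((1, 0, 1, 0), {"CWE-89", "CWE-200"}),
]
# Hypothetical mapping from CWE class to the scanner tests that reveal it.
TESTS = {"CWE-79": ["xss-reflected", "xss-stored"],
         "CWE-89": ["sqli-error", "sqli-blind"],
         "CWE-200": ["info-leak-headers"],
         "CWE-352": ["csrf-token-missing"]}

def train(pages, n_features, alpha=1.0):
    """Per-class prior and per-feature likelihoods, Laplace-smoothed."""
    classes = set().union(*(found for _, found in pages))
    model = {}
    for cwe in sorted(classes):
        pos = [f for f, found in pages if cwe in found]
        prior = (len(pos) + alpha) / (len(pages) + 2 * alpha)
        lik = [(sum(f[i] for f in pos) + alpha) / (len(pos) + 2 * alpha)
               for i in range(n_features)]
        model[cwe] = (prior, lik)
    return model

def rank_classes(model, features):
    """CWE classes for one page, most probable first (scored in log space)."""
    score = {cwe: log(prior) + sum(log(p) if x else log(1 - p)
                                   for x, p in zip(features, lik))
             for cwe, (prior, lik) in model.items()}
    return sorted(score, key=score.get, reverse=True)

def prioritized_tests(model, features, k, tests=TESTS):
    """Tests to run first on this page: those for the top-k predicted classes."""
    return [t for cwe in rank_classes(model, features)[:k] for t in tests[cwe]]

def top_k_coverage(model, pages, k):
    """Share of scanner-found vulnerabilities whose class is in the top-k list."""
    hit = total = 0
    for features, found in pages:
        hit += len(found & set(rank_classes(model, features)[:k]))
        total += len(found)
    return hit / total
```

On this sample the top-1 list covers 7 of 11 reported flaws and the top-2 list covers all of them, the same shape of result the paper reports for Top-8 versus Top-15.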