Security Vulnerability Information Service with Natural Language Query Support

  • Carlos Rodriguez (email author)
  • Shayan Zamanirad
  • Reza Nouri
  • Kirtana Darabal
  • Boualem Benatallah
  • Mortada Al-Banna
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 11483)


The major data breaches and attacks reported in recent years (e.g., the Yahoo and Equifax cases) have significantly raised concerns about the security of the software that companies use and develop for their day-to-day operations. In this context, becoming aware of existing security vulnerabilities and taking preventive action is of paramount importance for security professionals who must keep software secure. The increasingly large number of vulnerabilities discovered every year, together with the scattered and heterogeneous nature of vulnerability-related information, makes this a non-trivial task. This paper aims to mitigate this problem by making security vulnerability information available in a timely manner and easily searchable. We propose to enrich and index security vulnerability information collected from publicly available sources on the Web. To make this information easy to query, we propose a natural language interface that allows users to query this index in plain English. The evaluation results for our proposal show that our solution can effectively answer the questions typically asked in the security vulnerability domain.


Keywords: Security vulnerability; Indexing; Natural language interfaces; Information integration



We acknowledge Data to Decisions CRC (D2D-CRC) for funding this research.



Copyright information

© Springer Nature Switzerland AG 2019

Authors and Affiliations

  • Carlos Rodriguez (1; email author)
  • Shayan Zamanirad (1)
  • Reza Nouri (1, 2)
  • Kirtana Darabal (1)
  • Boualem Benatallah (1)
  • Mortada Al-Banna (1)

  1. UNSW Sydney, Sydney, Australia
  2. QANTAS Airways, Sydney, Australia
