Patch or Exploit? NVD Assisted Classification of Vulnerability-Related GitHub Pages.

This paper presents a semi-automated approach to distinguish between patches and exploits published on GitHub, by using the National Vulnerability Database (NVD) as a reference. For this purpose, we leverage two interpretable algorithms, FP-Growth rule mining and decision trees, to extract patterns from the data and provide insights into the relationships between variables. To mitigate the risk of overfitting, we use more than 30,000 GitHub pages labeled by NVD as ground truth and focus on simple models. Among our findings, we discover that it is feasible to semi-automatically identify GitHub webpages containing patches and exploits. In particular, after pre-filtering webpages of interest, we discovered that most commits refer to patches, whereas URLs containing screenshots correspond to exploits showcasing how to exploit a given target system. Our results suggest that NVD is valuable to bootstrap machine learning algorithms for assisting in the analysis of increasingly larger amounts of cybersecurity data shared over the Internet.