Mapping Common Vulnerabilities and Exposures (CVEs) to the related Common Weakness Enumerations (CWE) is crucial in cybersecurity because this link allows categorizing vulnerabilities, prioritizing remediation efforts, and improving mitigation strategies. However, this process often requires manual effort to understand and connect a CVE to its CWE, which is undesirable due to its time-consuming nature. Existing automated approaches typically rely on vectorizing CVE descriptions using embedding techniques followed by machine learning classifiers. However, little attention has been given to evaluating whether CVE descriptions are the most effective starting point for automated classification, as these descriptions often contain irrelevant details that do not contribute to CVE-to-CWE mapping. Our research investigates to what extent we can automatically extract key information from CVE descriptions required to perform such mapping and evaluates how this technique improves existing methods for identifying related weaknesses using this extracted information. To this end, we present an approach that automates extracting key terms of CVEs through Large Language Models and evaluate the effect of focusing on various parts of the CVE description. We show that our key term extraction technique improves the F1-score of transformer-based classification of CVEs into CWEs up to 8.88% while providing a modest increase for more traditional mapping approaches.

错误:搜索内容不能为空,请输入英文关键词
错误:关键词超出字数限制,请精简
高级检索

What Matters Most in Vulnerabilities? Key Term Extraction for CVE-to-CWE Mapping with LLMs

  • Stefano Simonetto,
  • Ronan Oosteven,
  • Thijs Van Ede,
  • Peter Bosch,
  • Willem Jonker

摘要

Mapping Common Vulnerabilities and Exposures (CVEs) to the related Common Weakness Enumerations (CWE) is crucial in cybersecurity because this link allows categorizing vulnerabilities, prioritizing remediation efforts, and improving mitigation strategies. However, this process often requires manual effort to understand and connect a CVE to its CWE, which is undesirable due to its time-consuming nature. Existing automated approaches typically rely on vectorizing CVE descriptions using embedding techniques followed by machine learning classifiers. However, little attention has been given to evaluating whether CVE descriptions are the most effective starting point for automated classification, as these descriptions often contain irrelevant details that do not contribute to CVE-to-CWE mapping. Our research investigates to what extent we can automatically extract key information from CVE descriptions required to perform such mapping and evaluates how this technique improves existing methods for identifying related weaknesses using this extracted information. To this end, we present an approach that automates extracting key terms of CVEs through Large Language Models and evaluate the effect of focusing on various parts of the CVE description. We show that our key term extraction technique improves the F1-score of transformer-based classification of CVEs into CWEs up to 8.88% while providing a modest increase for more traditional mapping approaches.