VulnBERTa-XAI: Towards Explainable AI for Automating CWE Weakness Assignment and Improving the Quality of Cybersecurity CVE
摘要
Vulnerability management is crucial for companies with compliance requirements and regulations. The goal is to allocate the most appropriate resources to address vulnerabilities efficiently. The growing number of vulnerabilities discovered by various contributors leads to reports of varying quality and differing perspectives. To address this challenge, machine learning (ML) has shown potential in automating vulnerability assignments. Nevertheless, there remains room for further development. Additionally, more research is needed to explore how the specific terminology used in vulnerability databases and reports affects ML performance. In this chapter, we aim to address several of these gaps. First, we present a systematic approach leveraging the RoBERTa transformer architecture to automatically assign the information related to Common Weakness Enumeration (CWE) to vulnerability descriptions. Second, we apply our models to retroactively and automatically assign CWEs to unassigned entries in the National Institute of Standards and Technology (NIST) National Vulnerability Database (NVD), enhancing the quality of open data. Finally, we utilize the attention mechanism within the transformer architecture to identify common keywords in the vulnerability descriptions in the NIST NVD. Our results are comparable to the state-of-the-art while achieving greater classification granularity and scalability.