Vulnerability management is crucial for companies with compliance requirements and regulations. The goal is to allocate the most appropriate resources to address vulnerabilities efficiently. The growing number of vulnerabilities discovered by various contributors leads to reports of varying quality and differing perspectives. To address this challenge, machine learning (ML) has shown potential in automating vulnerability assignments. Nevertheless, there remains room for further development. Additionally, more research is needed to explore how the specific terminology used in vulnerability databases and reports affects ML performance. In this chapter, we aim to address several of these gaps. First, we present a systematic approach leveraging the RoBERTa transformer architecture to automatically assign the information related to Common Weakness Enumeration (CWE) to vulnerability descriptions. Second, we apply our models to retroactively and automatically assign CWEs to unassigned entries in the National Institute of Standards and Technology (NIST) National Vulnerability Database (NVD), enhancing the quality of open data. Finally, we utilize the attention mechanism within the transformer architecture to identify common keywords in the vulnerability descriptions in the NIST NVD. Our results are comparable to the state-of-the-art while achieving greater classification granularity and scalability.

错误:搜索内容不能为空,请输入英文关键词
错误:关键词超出字数限制,请精简
高级检索

VulnBERTa-XAI: Towards Explainable AI for Automating CWE Weakness Assignment and Improving the Quality of Cybersecurity CVE

  • Hannu Turtiainen,
  • Andrei Costin,
  • Timo Hämäläinen

摘要

Vulnerability management is crucial for companies with compliance requirements and regulations. The goal is to allocate the most appropriate resources to address vulnerabilities efficiently. The growing number of vulnerabilities discovered by various contributors leads to reports of varying quality and differing perspectives. To address this challenge, machine learning (ML) has shown potential in automating vulnerability assignments. Nevertheless, there remains room for further development. Additionally, more research is needed to explore how the specific terminology used in vulnerability databases and reports affects ML performance. In this chapter, we aim to address several of these gaps. First, we present a systematic approach leveraging the RoBERTa transformer architecture to automatically assign the information related to Common Weakness Enumeration (CWE) to vulnerability descriptions. Second, we apply our models to retroactively and automatically assign CWEs to unassigned entries in the National Institute of Standards and Technology (NIST) National Vulnerability Database (NVD), enhancing the quality of open data. Finally, we utilize the attention mechanism within the transformer architecture to identify common keywords in the vulnerability descriptions in the NIST NVD. Our results are comparable to the state-of-the-art while achieving greater classification granularity and scalability.