
Refining CVE-to-CWE mapping with enhanced attention in BERT-based models
- 1 Bowling Green State University, OH, USA
- 2 Bowling Green State University, OH, USA
* Author to whom correspondence should be addressed.
Abstract
In this study, we introduce CySecBERT-ARD, an approach for classifying software vulnerabilities that maps Common Vulnerabilities and Exposures (CVE) entries to Common Weakness Enumerations (CWE). Our approach uses CySecBERT, a pretrained transformer-based model tailored to cybersecurity text, and enhances it with additive attention and relative position encoding, which allow the model to capture the contextual relationships in CVE vulnerability descriptions more fully. In evaluation and testing, our approach achieves an accuracy of 91.34% and an F1-score of 91.32%, improving on the base models. The results demonstrate the potential of CySecBERT-ARD to improve the efficiency and effectiveness of vulnerability classification.
Keywords
BERT, Transformers, Cybersecurity, Vulnerability Classification
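To make the two enhancements named in the abstract concrete, the following added example (not code from the paper) implements additive attention whose score function also receives a learned relative position embedding, in plain Python so it runs without a deep-learning framework. The exact way the paper combines the two mechanisms is not given on this page; the formulation below (score(i, j) = v · tanh(W_q q_i + W_k k_j + a[clip(j - i)])) and all toy inputs are assumptions.

```python
import math

def matvec(m, x):
    """Multiply a matrix (list of rows) by a vector."""
    return [sum(a * b for a, b in zip(row, x)) for row in m]

def softmax(xs):
    """Numerically stable softmax over a list of scores."""
    mx = max(xs)
    exps = [math.exp(x - mx) for x in xs]
    total = sum(exps)
    return [e / total for e in exps]

def clip_rel(i, j, max_dist):
    """Clip the relative offset j - i into [-max_dist, max_dist]."""
    return max(-max_dist, min(max_dist, j - i))

def additive_rel_attention(queries, keys, w_q, w_k, v, rel_bias, max_dist):
    """Return an n x n matrix of attention weights.

    score(i, j) = v . tanh(W_q q_i + W_k k_j + a[clip(j - i)])
    where rel_bias[k + max_dist] is the embedding for relative offset k.
    """
    n = len(queries)
    proj_q = [matvec(w_q, q) for q in queries]
    proj_k = [matvec(w_k, k) for k in keys]
    weights = []
    for i in range(n):
        scores = []
        for j in range(n):
            a = rel_bias[clip_rel(i, j, max_dist) + max_dist]
            hidden = [math.tanh(x + y + z) for x, y, z in zip(proj_q[i], proj_k[j], a)]
            scores.append(sum(vi * h for vi, h in zip(v, hidden)))
        weights.append(softmax(scores))
    return weights

# Constructed toy input: three identical 2-dim token vectors, identity projections,
# so any preference between positions can only come from the relative bias.
TOKENS = [[0.5, 0.0], [0.5, 0.0], [0.5, 0.0]]
IDENTITY = [[1.0, 0.0], [0.0, 1.0]]
V = [1.0, 1.0]
MAX_DIST = 1
NO_BIAS = [[0.0, 0.0]] * 3                          # offsets -1, 0, +1: no effect
SELF_BIAS = [[0.0, 0.0], [1.0, 1.0], [0.0, 0.0]]    # favour offset 0 (the token itself)

def demo(rel_bias):
    """Attention weights for the toy tokens under a given relative bias table."""
    return additive_rel_attention(TOKENS, TOKENS, IDENTITY, IDENTITY, V, rel_bias, MAX_DIST)
```

With no relative bias the identical tokens receive uniform weights; with a bias favouring offset 0 each token attends most to itself, which is the positional signal content-only attention cannot express.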
Cite this article
Su, J.; Wu, Y. (2024). Refining CVE-to-CWE mapping with enhanced attention in BERT-based models. Applied and Computational Engineering, 71, 107-112.
Data availability
The datasets used and/or analyzed during the current study will be available from the authors upon reasonable request.
Disclaimer/Publisher's Note
The statements, opinions and data contained in all publications are solely those of the individual author(s) and contributor(s) and not of EWA Publishing and/or the editor(s). EWA Publishing and/or the editor(s) disclaim responsibility for any injury to people or property resulting from any ideas, methods, instructions or products referred to in the content.
About volume
Volume title: Proceedings of the 6th International Conference on Computing and Data Science
© 2024 by the author(s). Licensee EWA Publishing, Oxford, UK. This article is an open access article distributed under the terms and conditions of the Creative Commons Attribution (CC BY) license. Authors who publish this series agree to the following terms:
1. Authors retain copyright and grant the series right of first publication with the work simultaneously licensed under a Creative Commons Attribution License that allows others to share the work with an acknowledgment of the work's authorship and initial publication in this series.
2. Authors are able to enter into separate, additional contractual arrangements for the non-exclusive distribution of the series's published version of the work (e.g., post it to an institutional repository or publish it in a book), with an acknowledgment of its initial publication in this series.
3. Authors are permitted and encouraged to post their work online (e.g., in institutional repositories or on their website) prior to and during the submission process, as it can lead to productive exchanges, as well as earlier and greater citation of published work (see Open access policy for details).