Automatic CWE Assignment for Vulnerabilities with Graph Neural Networks

Abstract

Vulnerability reports are essential for improving software security since they record many key information of vulnerabilities. In a report, CWE denotes the weakness of the vulnerability and thus helps understand the cause of the vulnerability quickly. Therefore, CWE assignment useful for categorizing newly discovered vulnerabilities. In this paper, we propose an automatic CWE assignment method with Graph Neural Networks. First, we prepare a dataset that contains 3,394 real world vulnerabilities from Linux, OpenSSL, Wireshark and many other software. Then, we extract statements with vulnerability syntax features from these vulnerabilities and use program slicing to slice them according to the categories of syntax features. On top of slices, we represent these slices with graphs that characterize the data dependency and control dependency between statements. Finally, we employ the Graph Neural Network to learn the hidden information from these graphs, and leverage the Siamese Network to compute the similarity between vulnerability functions, thereby performing assignment of CWE ID for these vulnerabilities. The experimental results show that the proposed method is effective compared to existing methods.