Description Of Vulnerability Research Articles

Automating the Generation of NVD CVE Fixes using Generative AI and RAG

As modern software applications increase, the challenge of addressing security vulnerabilities [1] will increase. Generating fixes for these vulnerabilities rely on manual intervention—a process that can be both timeconsuming and difficult to scale. In this paper, we propose an automated approach to CVE fix generation, leveraging data from the National Vulnerability Database (NVD) [2], a local vector database for efficient storage, and Generative AI to produce relevant fixes based on vulnerability descriptions. Our approach involves first loading all publicly available CVE data into a vector database, indexed by CVE ID and metadata for efficient retrieval. When a query for a CVE fix is made, then using Generative AI using custom prompts to provide fixes based on the vulnerability descriptions stored in the database. The generated solutions are stored back in the database for future use, or for review. In the methodology section, we demonstrate how this system can automate the generation of effective CVE fixes in a matter of seconds, streamlining a traditionally manual and time-consuming process. With the findings suggest that the proposed system can reduce the manual/time consuming effort on the teams while enhancing the speed and accuracy of vulnerability remediation

Refining CVE-to-CWE mapping with enhanced attention in BERT-based models

In this study, we introduce CySecBERT-ARD, an advanced approach for classifying software vulnerabilities that maps Common Vulnerabilities and Exposures (CVE) to Common Weakness Enumerations (CWE). Our approach is to use a pretrained transformer-based model CySecBERT tailored for cybersecurity contexts, the model is enhanced with additive attention and relative position encoding which allow for a deeper understanding of the vulnerability descriptions of CVE by capturing the contextual relationships. Our approach achieves an impressive accuracy of 91.34% and F1-score of 91.32% during the evaluation and testing phase compared to the base models. The results demonstrate the potential of CySecBERT-ARD in enhancing the efficiency and effectiveness of vulnerability classification.

BVTED: A Specialized Bilingual (Chinese–English) Dataset for Vulnerability Triple Extraction Tasks

Extracting knowledge from cyber threat intelligence is essential for understanding cyber threats and implementing proactive defense measures. However, there is a lack of open datasets in the Chinese cybersecurity field that support both entity and relation extraction tasks. This paper addresses this gap by analyzing vulnerability description texts, which are standardized and knowledge-dense, to create a vulnerability knowledge ontology comprising 13 entities and 15 relations. We annotated 27,311 unique vulnerability description sentences from the China National Vulnerability Database, resulting in a dataset named BVTED for cybersecurity knowledge triple extraction tasks. BVTED contains 97,391 entities and 69,614 relations, with entities expressed in a mix of Chinese and English. To evaluate the dataset’s value, we trained five deep learning-based named entity recognition models, two relation extraction models, and two joint entity–relation extraction models on BVTED. Experimental results demonstrate that models trained on this dataset achieve excellent performance in vulnerability knowledge extraction tasks. This work enhances the extraction of cybersecurity knowledge triples from mixed Chinese and English threat intelligence corpora by providing a comprehensive ontology and a new dataset, significantly aiding in the mining, analysis and utilization of the knowledge embedded in cyber threat intelligence.

Prediction of vulnerability severity using vulnerability description with natural language processing and deep learning

One of the most critical aspects of a software piece is its vulnerabilities. Regardless of the years of experience, type of project, or the size of the team, it is impossible to avoid introducing vulnerabilities while developing or maintaining software. This aspect becomes crucial when the software is deployed in production or released to the final users. At that point finding vulnerabilities becomes a race between the developers and malicious intruders, whoever finds it first can either exploit it or fix it. Acknowledging this situation and using the tools and standards that we have available in the field, such as common vulnerability exposures and common vulnerability scoring systems, and based on modern researches, in this study, we propose to have an approach different from the common practices of manual classification, using a 2-layer convolutional neuronal network (CNN) to automatize the classification of vulnerabilities, speeding up this process and enabling developers to have a faster response towards vulnerabilities, producing safer software. The experimental results obtained in this study suggest that pre-trained word embeddings contributed to an increase in accuracy of approximately 2% and the overall accuracy become 0.816%.

Evaluating Zero-Shot Chatgpt Performance on Predicting CVE Data From Vulnerability Descriptions

Vulnerability management is a critical industry activity driven by compliance and regulations aiming to allocate best-fitted resources to address vulnerabilities efficiently. The increasing number of vulnerabilities reported and discovered by a diverse community results in varying quality of the reports and differing perspectives. To tackle this, machine learning (ML) has shown promise in automating vulnerability assessments. While some existing ML approaches have demonstrated feasibility, there is room for improvement. Additionally, gaps remain in the literature to understand how the specific terminology used in vulnerability databases and reports influences ML interpretation. Large Language Model (LLM) systems, such as ChatGPT, are praised for their versatility and high applicability to any domain. However, how well or poorly a state-of-the-art LLM system performs on existing vulnerability datasets at a large scale and across different scoring metrics needs to be clarified or well-researched. This paper aims to close several such gaps and present a more precise and comprehensive picture of how ChatGPT performs on predicting vulnerability metrics based on NVD's CVE vulnerability database. We analyze the responses from ChatGPT on a set of 113,228 (~50% out of all NVD vulnerabilities) CVE vulnerability descriptions and measure its performance against NVD-CVE as ground truth. We measure and analyze the predictions for several vulnerabilities in metadata and calculate performance statistics.

Automated Labeling of Entities in CVE Vulnerability Descriptions with Natural Language Processing

Automated Labeling of Entities in CVE Vulnerability Descriptions with Natural Language Processing

A vulnerability severity prediction method based on bimodal data and multi-task learning

Facing the increasing number of software vulnerabilities, the automatic analysis of vulnerabilities has become an important task in the field of software security. However, the existing severity prediction methods are mainly based on vulnerability descriptions and ignore the relevant features of vulnerability code, which only includes unimodal information and result in low prediction accuracy. This paper proposes a vulnerability severity prediction method based on bimodal data and multi-task learning. First the bimodal data, which consists of the description and source code of each vulnerability, is preprocessed. Next the GraphCodeBert is used for the word embedding module to extract different vulnerability features from the bimodal data. Then the Bi-GRU with attention mechanism is adopted for further feature extraction of vulnerability severity. Considering the strong correlation between the two tasks of vulnerability severity prediction and exploitability prediction, this paper proposes a multi-task learning approach, which allows the model to learn the connection and shared information between different tasks through a hard parameter sharing strategy, so as to achieve more accurate and reliable prediction of vulnerability severity. Experimental results show that the severity prediction method proposed in this paper outperforms state-of-the-art methods, and can achieve an average F1 score of 93.83 % on the public vulnerability dataset.

Battlefield informatization: some possibilities and possible problems

The subject of the study is informatization in military affairs, the object of the study is possible ways to control the enemy through intentional and targeted distortion of information about their troops, goals and conditions of action. The author examines in detail such aspects of modern warfare as multi-domain, with a significant shift in emphasis in the sphere of information warfare. As the experience of local wars and armed conflicts of the last decade shows, the forms of their conduct differ significantly from the "classic" wars waged until the end of the XX century. The informatization of the battlefield made it possible to switch to such form of use of troops (forces) as network-centric actions. But the expansion of capabilities, the improvement of technologies of warfare, in accordance with the laws of dialectics, generates certain vulnerabilities. These vulnerabilities manifest themselves in the same area where the strengths are located – in the field of informatization of military operations. Based on this, special attention is paid to assessing the impact of informatization on the adequacy of decisions, primarily in terms of possible vulnerabilities of the management process. Using general scientific research methods: analysis and synthesis, the author, based on the analysis of the main trends of modern armed confrontation, synthesized a description of possible vulnerabilities when using automated control systems, formulated the task of developing a mathematical apparatus for the formation and evaluation of the reliability of information about the opposing systems. This is not about physically changing information in the automated control systems of the enemy: this task is technically difficult, but relatively simple from the point of view of algorithmization. And not about the trivial misleading of a decision-maker, as it has been done many times before. The article deals with the situation of decision-making management through the management of the directed submission of information using vulnerabilities by its automated processing in the automated control system.

DeKeDVer: A deep learning-based multi-type software vulnerability classification framework using vulnerability description and source code

DeKeDVer: A deep learning-based multi-type software vulnerability classification framework using vulnerability description and source code

A Statistical Relational Learning Approach Towards Products, Software Vulnerabilities and Exploits

Data on software vulnerabilities, products, and exploits are typically collected from multiple non-structured sources. Valuable information, e.g., on which products are affected by which exploits, is conveyed by matching data from those sources, i.e., through their relations. In this paper, we leverage this simple albeit unexplored observation to introduce a statistical relational learning (SRL) approach for the analysis of vulnerabilities, products, and exploits. In particular, we focus on the problem of determining the existence of an exploit for a given product, given information about the relations between products and vulnerabilities, and vulnerabilities and exploits, focusing on Industrial Control Systems (ICS), the National Vulnerability Database, and ExploitDB. Using RDN-Boost, we were able to reach an AUC ROC of 0.80 and an AUC PR of 0.65 for the problem at hand. To reach that performance, we indicate that it is instrumental to include textual features, e.g., extracted from the description of vulnerabilities, as well as structured information, e.g., about product categories. In addition, using interpretable relational, we report simple rules that shed insight on factors impacting the weaponization of ICS products.

Extraction of Phrase-based Concepts in Vulnerability Descriptions through Unsupervised Labeling

Software vulnerabilities, once disclosed, can be documented in vulnerability databases, which have great potential to advance vulnerability analysis and security research. People describe the key characteristics of software vulnerabilities in natural language mixed with domain-specific names and concepts. This textual nature poses a significant challenge for the automatic analysis of vulnerability knowledge embedded in text. Automatic extraction of key vulnerability aspects is highly desirable but demands significant effort to manually label data for model training. In this article, we propose unsupervised methods to label and extract important vulnerability concepts in textual vulnerability descriptions (TVDs). We focus on six types of phrase-based vulnerability concepts (vulnerability type, vulnerable component, root cause, attacker type, impact, and attack vector) as they are much more difficult to label and extract than name- or number-based entities (i.e., vendor, product, and version). Our approach is based on a key observation that the same-type of phrases, no matter how they differ in sentence structures and phrase expressions, usually share syntactically similar paths in the sentence parsing trees. Specifically, we present a source-target neural architecture that learns the Part-of-Speech (POS) tagging to identify a token’s functional role within TVDs, where the source neural model is trained to capture common features found in the TVD corpus, and the target model is trained to identify linguistically malformed words specific to the security domain. Our evaluation confirms that the proposed tagger outperforms (4.45%–5.98%) the taggers designed on natural language notions and identifies a broad set of TVDs and natural language contents. Then, based on the key observations, we propose two path representations (absolute paths and relative paths) and use an auto-encoder to encode such syntactic similarities. To address the discrete nature of our paths, we enhance the traditional Variational Auto-encoder (VAE) with Gumble-Max trick for categorical data distribution and thus create a Categorical VAE (CaVAE). In the latent space of absolute and relative paths, we further apply unsupervised clustering techniques to generate clusters of the same-type of concepts. Our evaluation confirms the effectiveness of our CaVAE, which achieves a small (85.85) log-likelihood for encoding path representations and the accuracy (83%–89%) of vulnerability concepts in the resulting clusters. The resulting clusters accurately label six types of vulnerability concepts from a TVD corpus in an unsupervised way. Furthermore, these labeled vulnerability concepts can be mapped back to the corresponding phrases in the original TVDs, which produce labels of six types of vulnerability concepts. The resulting labeled TVDs can be used to train concept extraction models for other TVD corpora. In this work, we present two concept extraction methods (concept classification and sequence labeling model) to demonstrate the utility of the unsupervisedly labeled concepts. Our study shows that models trained with our unsupervisedly labeled vulnerability concepts outperform (3.9%–5.14%) those trained with the two manually labeled TVD datasets from previous work due to the consistent boundary and typing by our unsupervised labeling method.

Exploitation of Vulnerabilities: A Topic-Based Machine Learning Framework for Explaining and Predicting Exploitation

Security vulnerabilities constitute one of the most important weaknesses of hardware and software security that can cause severe damage to systems, applications, and users. As a result, software vendors should prioritize the most dangerous and impactful security vulnerabilities by developing appropriate countermeasures. As we acknowledge the importance of vulnerability prioritization, in the present study, we propose a framework that maps newly disclosed vulnerabilities with topic distributions, via word clustering, and further predicts whether this new entry will be associated with a potential exploit Proof Of Concept (POC). We also provide insights on the current most exploitable weaknesses and products through a Generalized Linear Model (GLM) that links the topic memberships of vulnerabilities with exploit indicators, thus distinguishing five topics that are associated with relatively frequent recent exploits. Our experiments show that the proposed framework can outperform two baseline topic modeling algorithms in terms of topic coherence by improving LDA models by up to 55%. In terms of classification performance, the conducted experiments—on a quite balanced dataset (57% negative observations, 43% positive observations)—indicate that the vulnerability descriptions can be used as exclusive features in assessing the exploitability of vulnerabilities, as the “best” model achieves accuracy close to 87%. Overall, our study contributes to enabling the prioritization of vulnerabilities by providing guidelines on the relations between the textual details of a weakness and the potential application/system exploits.

Automatic software vulnerability assessment by extracting vulnerability elements

Software vulnerabilities take threats to software security. When faced with multiple software vulnerabilities, the most urgent ones need to be fixed first. Therefore, it is critical to assess the severity of vulnerabilities in advance. However, increasing number of vulnerability descriptions do not use templates, which reduces the performance of the existing software vulnerability assessment approaches. In this paper, we propose an automated vulnerability assessment approach that using vulnerability elements for predicting the severity of six vulnerability metrics (i.e., Access Vector, Access Complexity, Authentication, Confidentiality Impact, Integrity Impact and Availability Impact). First, we use BERT-MRC to extract vulnerability elements from vulnerability descriptions. Second, we assess six metrics using vulnerability elements instead of full descriptions. We conducted experiments on our manually labeled dataset. The experimental results show that our approach has an improvement of 12.03%, 14.37%, and 38.65% on Accuracy over three baselines.

Automated event extraction of CVE descriptions

The dramatically increasing number of vulnerabilities makes manual vulnerability analysis increasingly more difficult. Automatic extraction of vulnerability information can help improve vulnerability analysis. However, the existing vulnerability information extraction methods do not extract from the perspective of events, and the existing event extraction methods do not consider the unique sentence structure characteristics of vulnerability descriptions, which makes it difficult to extract vulnerability information effectively. To extract vulnerability information, we treat each vulnerability as an event, and propose an approach, VE-Extractor, to automatically perform vulnerability event extraction from textual descriptions in vulnerability reports for vulnerability analysis, including extraction of vulnerability event trigger (cause) and event arguments (e.g., consequence, operation). First, we propose a new labeling method BIOFR (Begin, Inside, Outside, Front, Rear) to construct an event-perspective vulnerability data benchmark. Then, we design a question template based on event trigger, to automatically extract vulnerability event arguments through the BERT Q&A model. Experiments show the effectiveness of VE-Extractor for automatically extracting events from vulnerability description, with significant performance improvement over state-of-the-art techniques, e.g., F1-score is increased by 45.12% and 21.02% in vulnerability consequence and operation extraction, respectively. The proposed VE-Extractor achieves a higher precision and accuracy than the state-of-the-art methods. Experiments results show that our approach is effective in extracting vulnerability event information and can be used to assist vulnerability analysis, such as vulnerability classification.

EVALUATING THE PHYSICAL VULNERABILITY OF PUBLIC SCHOOL BUILDINGS AGAINST FLOODING IN METRO MANILA, PHILIPPINES

Vulnerability analysis has always been an integral part of disaster risk assessment. This study aims to assess the physical vulnerability of public school buildings against flooding. It discusses the vulnerable elements or attributes, the extent of damages incurred during flood events, the damage response, and the future steps that must be taken to increase flood resiliency. The study used empirical data collection using semi-structured interviews to characterize the common types of public schools and to collate the damage responses. Quantity surveying was performed to measure the amount of damages related to different flood depths. Structural damages to public school buildings are not expected for flood heights ranging from ground level up to ten (10) m. However, damages are incurred by building finishes and fixtures. Floors, walls, and septic system are cosmetically damaged. Vulnerable components include wooden elements like doors, cabinets, blackboards and ceiling, and electrical fixtures such as wiring, lighting, outlets, switches, and fire alarm system. Comprehensive vulnerability description of public school buildings were represented as curves of flood depth vs. damage index. The damage ratio decreases as the number of floors increase. Maximum damage to one-story building is 23.6% while at 15.02% for four-story school building. This study is an attempt to promote further research of the subject matter in developing countries towards flood resiliency in the built environment.

Empirical Validation of Automated Vulnerability Curation and Characterization

Prior research has shown that public vulnerability systems such as US National Vulnerability Database (NVD) rely on a manual, time-consuming, and error-prone process which has led to inconsistencies and delays in releasing final vulnerability results. This work provides an approach to curate vulnerability reports in real-time and map textual vulnerability reports to machine readable structured vulnerability attribute data. Designed to support the time consuming human analysis done by vulnerability databases, the system leverages the Common Vulnerabilities and Exposures (CVE) list of vulnerabilities and the vulnerability attributes described by the National Institute of Standards and Technology (NIST) Vulnerability Description Ontology (VDO) framework. Our work uses Natural Language Processing (NLP), Machine Learning (ML) and novel Information Theoretical (IT) methods to provide automated techniques for near real-time publishing, and characterization of vulnerabilities using 28 attributes in 5 domains. Experiment results indicate that vulnerabilities can be evaluated up to 95 hours earlier than using manual methods, they can be characterized with F-Measure values over 0.9, and the proposed automated approach could save up to 47% of the time spent for CVE characterization.

VulDistilBERT: A CPS Vulnerability Severity Prediction Method Based on Distillation Model

With the vigorous development of the Internet, the ecosystem of cyber-physical systems is also developing at a high speed, but cyber-physical systems may be accompanied by unknown vulnerabilities in the process of concrete implementation. Thus, the number of vulnerabilities in cyber-physical systems has been increasing year by year. The vulnerability evaluation speed cannot keep up with the vulnerability exposure speed. The traditional manual evaluation method can no longer effectively deal with such large-scale vulnerabilities, resulting in a backlog of vulnerabilities. Therefore, the vulnerability evaluation results have a certain lag. To address this problem, the paper proposes a vulnerability severity assessment method based on the distillation model. The method first uses data augmentation and integration of optimal subsets to improve the amount of information in the vulnerability description text, then uses the DistilBERT model to characterize the text of the vulnerability description text, and then the characterized feature vectors are classified based on the linear layer to achieve the purpose of assessing vulnerability severity. Compared with the current method of manual assessment based on the CVSS metric system, this method can automate the assessment of vulnerabilities based on vulnerability description text, which improves the speed of vulnerability assessment, and the assessment accuracy and other metrics achieved by this method are improved compared with similar studies. This approach provides an automated solution for cyber-physical systems vulnerability assessment and can better address the current situation where cyber-physical systems vulnerabilities are being exposed at an accelerated rate.

An automatic vulnerability classification framework based on BiGRU-TextCNN

Common Vulnerabilities and Exposures (CVE) records known vulnerabilities and provides standardized descriptions. By utilizing Common Weakness Enumeration (CWE) to classify vulnerabilities, it can provide richer background knowledge and more detailed mitigation measures for the vulnerability. However, due to the negligence on manual classification and the evolution of vulnerabilities, the accuracy of vulnerabilities classification needs urgent improvement. Additionally, the large and ever-increasing number of vulnerabilities poses a huge challenge to the efficiency and accuracy of vulnerabilities manual classification. To address that, we propose a vulnerability classification framework based on BiGRU-TextCNN, which processes, trains, predicts to automatically classify vulnerabilities into weaknesses based on the description of vulnerability. To verify the performance and feasibility of the proposed framework, we first conducting comparison experiments on different text classification models, and then predicting the corresponding weakness with the description of vulnerability utilizing the proposed framework.

Formal Matters on the Topic of Risk Mitigation: A Mathematical Perspective

How (in)formal should the classic expression describing risk as the product of hazard, exposure, and vulnerability be considered? What would be the most complete way to describe the process of risk mitigation? These are the questions we try to answer here, using a formal, mathematically sound yet abstract description of hazard, exposure, vulnerability, and risk. We highlight the elements that can be affected for the purpose of mitigation and show how this can improve the quantitative assessment of the procedural aspects of risk mitigation, both long- and short-term, down to the timescale of emergency response.

An automatic classification algorithm for software vulnerability based on weighted word vector and fusion neural network

To address the problem that the traditional vectored representation of software vulnerability data has high-dimensional sparsity and leads to unsatisfactory automatic classification, this paper proposes an automatic classification algorithm for software vulnerabilities based on weighted word vectors and fusion neural network. Firstly, the Term Frequency-Inverse Document Frequency (TF-IDF) algorithm is improved to generate the weighted word vector with low dimension and density according to the category distribution. Secondly, the vulnerability classification model TCNN-BiGRU consists of TextCNN (TCNN) and Bidirectional GRU (BiGRU) is constructed, which has made full use of the advantages of convolutional neural network (CNN) and gate recurrent unit neural network (GRU). TextCNN is used to extract local features of vulnerability description text, BiGRU is used to extract global features of vulnerability description text, and the output feature vectors are fused to achieve dimensionality reduction. Finally, the Dropout method and Early Stopping method are introduced to suppress overfitting, and a Softmax classifier is used to classify the vulnerability category. The classification performance of the proposed algorithm is verified by ablation experiments, sparsity problem expriments and comparative experiments on the vulnerability data from NVD dataset on the indicators of accuracy, macro precision rate, macro recall rate and macro F1-score.