Authors:
Massimiliano Albanese; Olutola Adebiyi and Frank Onovae
Affiliation:
Center for Secure Information Systems, George Mason University, Fairfax, U.S.A.
Keyword(s):
Vulnerabilities, Vulnerability Classification, Security Metrics, Software Weaknesses.
Abstract:
Vulnerabilities in software systems are inevitable, but proper mitigation strategies can greatly reduce the risk to organizations. The Common Vulnerabilities and Exposures (CVE) list makes vulnerability information readily available, and organizations rely on this information to effectively mitigate vulnerabilities in their systems. CVEs are classified into Common Weakness Enumeration (CWE) categories based on their underlying weaknesses and semantics. This classification provides an understanding of software flaws, their potential impacts, and means to detect, fix and prevent them. This understanding can help security administrators efficiently allocate resources to address critical security issues. However, the mapping of CVEs to CWEs is mostly a manual process. To address this limitation, we introduce CVE2CWE, an automated approach for mapping Common Vulnerabilities and Exposures (CVEs) to Common Weakness Enumeration (CWE) entries. Leveraging natural language processing techniques, CVE2CWE extracts relevant information from CVE descriptions and maps it to the corresponding CWEs. The proposed method utilizes TF-IDF vector representations to model CWEs and CVEs and assess the semantic similarity between CWEs and previously unseen CVEs, facilitating accurate and efficient mapping. Experimental results demonstrate the effectiveness of CVE2CWE in automating the vulnerability-to-weakness mapping process, thereby aiding cybersecurity professionals in prioritizing and addressing software vulnerabilities more effectively. Additionally, we study the similarities and overlaps between CWEs and quantitatively assess their impact on the classification process.
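The TF-IDF similarity step the abstract describes, as an added stand-alone illustration (not the authors' CVE2CWE code): CWE entries are modelled as TF-IDF vectors, a previously unseen CVE description is projected into the same space, and the CWEs are ranked by cosine similarity. The CWE descriptions are constructed, abbreviated paraphrases rather than the official MITRE text, the tokenizer, stop-word list and smoothed IDF are simplifying assumptions of this example (the abstract does not specify the paper's preprocessing), and a CVE that shares no vocabulary with any CWE is reported as unmapped rather than forced onto an arbitrary class.

```python
"""Map CVE descriptions to CWE entries by TF-IDF cosine similarity (added example)."""
import math
import re
from collections import Counter

# Constructed, abbreviated CWE descriptions (paraphrases, not the official MITRE text).
CWE_CORPUS = {
    "CWE-79": "improper neutralization of input during web page generation cross-site scripting script injected browser",
    "CWE-89": "improper neutralization of special elements used in an sql command sql injection database query",
    "CWE-787": "out-of-bounds write buffer overflow memory corruption writes past end of buffer",
    "CWE-22": "improper limitation of a pathname to a restricted directory path traversal dot dot slash",
}

# Assumed stop-word list; generic CVE boilerplate words carry no weakness signal.
STOPWORDS = {"of", "a", "an", "the", "to", "in", "during", "used", "by", "via", "and", "allows", "remote", "attackers"}


def tokenize(text):
    """Lower-case, split on non-alphanumerics, drop stop words (no stemming in this example)."""
    return [t for t in re.findall(r"[a-z0-9]+", text.lower()) if t not in STOPWORDS]


class TfidfModel:
    """TF-IDF vectors for the CWE corpus; queries are projected onto the same vocabulary."""

    def __init__(self, docs):
        self.doc_tokens = {k: tokenize(v) for k, v in docs.items()}
        n = len(docs)
        df = Counter(tok for toks in self.doc_tokens.values() for tok in set(toks))
        # Smoothed IDF (sklearn-style): avoids division by zero and keeps every term positive.
        self.idf = {t: math.log((1 + n) / (1 + c)) + 1 for t, c in df.items()}
        self.vectors = {k: self.vectorize(toks) for k, toks in self.doc_tokens.items()}

    def vectorize(self, tokens):
        """Return an L2-normalised sparse TF-IDF vector; out-of-vocabulary terms are dropped."""
        tf = Counter(tokens)
        total = len(tokens) or 1
        vec = {t: (c / total) * self.idf[t] for t, c in tf.items() if t in self.idf}
        norm = math.sqrt(sum(v * v for v in vec.values())) or 1.0
        return {t: v / norm for t, v in vec.items()}

    def rank(self, cve_description):
        """Cosine similarity of a CVE description against every CWE, best match first."""
        q = self.vectorize(tokenize(cve_description))
        scores = {cwe: sum(q.get(t, 0.0) * w for t, w in vec.items()) for cwe, vec in self.vectors.items()}
        return sorted(scores.items(), key=lambda kv: kv[1], reverse=True)


def map_cve(cve_description, model=None):
    """Top-ranked CWE for a CVE description, or None when nothing in the corpus matches."""
    model = model or TfidfModel(CWE_CORPUS)
    best_cwe, best_score = model.rank(cve_description)[0]
    return best_cwe if best_score > 0 else None
```

In the real setting the corpus is the full CWE list and the descriptions are the official texts; the abstract's later point about overlapping CWEs shows up here as several CWEs receiving close scores for one CVE.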