CVE2CWE: Automated Mapping of Software Vulnerabilities to Weaknesses Based on CVE Descriptions

Massimiliano Albanese, Olutola Adebiyi, Frank Onovae

2024

Abstract

Vulnerabilities in software systems are inevitable, but proper mitigation strategies can greatly reduce the risk to organizations. The Common Vulnerabilities and Exposures (CVE) list makes vulnerability information readily available, and organizations rely on this information to effectively mitigate vulnerabilities in their systems. CVEs are classified into Common Weakness Enumeration (CWE) categories based on their underlying weaknesses and semantics. This classification provides an understanding of software flaws, their potential impacts, and the means to detect, fix and prevent them. This understanding can help security administrators efficiently allocate resources to address critical security issues. However, the mapping of CVEs to CWEs is mostly a manual process. To address this limitation, we introduce CVE2CWE, an automated approach for mapping Common Vulnerabilities and Exposures (CVEs) to Common Weakness Enumeration (CWE) entries. Leveraging natural language processing techniques, CVE2CWE extracts relevant information from CVE descriptions and maps each CVE to its corresponding CWE. The proposed method uses TF-IDF vector representations to model CWEs and CVEs and to assess the semantic similarity between CWEs and previously unseen CVEs, facilitating accurate and efficient mapping. Experimental results demonstrate the effectiveness of CVE2CWE in automating the vulnerability-to-weakness mapping process, thereby aiding cybersecurity professionals in prioritizing and addressing software vulnerabilities more effectively. Additionally, we study the similarities and overlaps between CWEs and quantitatively assess their impact on the classification process.
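The two ideas the abstract describes, modelling each CWE as a TF-IDF vector and ranking CWEs by cosine similarity to an unseen CVE description, and measuring pairwise overlap between the CWE models, are illustrated by the following added example. It is not the authors' CVE2CWE implementation: the four CWE descriptions are constructed paraphrases standing in for the official MITRE text, and the smoothed IDF weighting and cosine scoring are this example's own assumptions about the approach.

```python
import math
import re
from collections import Counter
from itertools import combinations

# Constructed toy corpus (assumption): short paraphrases standing in for the
# official CWE descriptions that a real system would load from MITRE's catalog.
CWE_DESCRIPTIONS = {
    "CWE-79": "improper neutralization of input during web page generation cross-site scripting script injected into web page",
    "CWE-89": "improper neutralization of special elements used in an sql command sql injection database query",
    "CWE-787": "out-of-bounds write writes data past the end or before the beginning of the intended buffer memory corruption",
    "CWE-22": "improper limitation of a pathname to a restricted directory path traversal file system access outside directory",
}

def tokenize(text):
    # lowercase, split on anything that is not a letter or digit
    return re.findall(r"[a-z0-9]+", text.lower())

def build_idf(docs):
    # smoothed idf: log((1+N)/(1+df)) + 1, fitted on the CWE corpus only
    n, df = len(docs), Counter()
    for tokens in docs.values():
        df.update(set(tokens))
    return {t: math.log((1 + n) / (1 + d)) + 1 for t, d in df.items()}

def tfidf(tokens, idf):
    # sparse tf-idf vector; terms never seen in any CWE get no weight
    tf, n = Counter(tokens), len(tokens) or 1
    return {t: (c / n) * idf[t] for t, c in tf.items() if t in idf}

def cosine(a, b):
    dot = sum(w * b.get(t, 0.0) for t, w in a.items())
    na, nb = (math.sqrt(sum(w * w for w in v.values())) for v in (a, b))
    return dot / (na * nb) if na and nb else 0.0

CWE_TOKENS = {cid: tokenize(d) for cid, d in CWE_DESCRIPTIONS.items()}
IDF = build_idf(CWE_TOKENS)
CWE_VECTORS = {cid: tfidf(t, IDF) for cid, t in CWE_TOKENS.items()}

def map_cve(cve_description, top_k=2):
    # rank CWEs by cosine similarity to a previously unseen CVE description
    q = tfidf(tokenize(cve_description), IDF)
    ranked = sorted(((cid, cosine(q, v)) for cid, v in CWE_VECTORS.items()),
                    key=lambda x: x[1], reverse=True)
    return ranked[:top_k]

def cwe_overlap():
    # pairwise similarity between CWE models; high values flag categories a
    # TF-IDF classifier is likely to confuse with each other
    pairs = [((a, b), cosine(CWE_VECTORS[a], CWE_VECTORS[b]))
             for a, b in combinations(sorted(CWE_VECTORS), 2)]
    return sorted(pairs, key=lambda x: x[1], reverse=True)
```

On this toy corpus the two "improper neutralization" entries (CWE-79 and CWE-89) come out as the most overlapping pair, which is exactly the kind of shared vocabulary that makes a CVE description score against several CWEs at once; a description with no vocabulary in common with any CWE scores 0.0 everywhere and should be treated as unmapped rather than assigned the arbitrary first entry.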

Paper Citation


in Harvard Style

Albanese M., Adebiyi O. and Onovae F. (2024). CVE2CWE: Automated Mapping of Software Vulnerabilities to Weaknesses Based on CVE Descriptions. In Proceedings of the 21st International Conference on Security and Cryptography - Volume 1: SECRYPT; ISBN 978-989-758-709-2, SciTePress, pages 500-507. DOI: 10.5220/0012770400003767


in Bibtex Style

@conference{secrypt24,
author={Massimiliano Albanese and Olutola Adebiyi and Frank Onovae},
title={CVE2CWE: Automated Mapping of Software Vulnerabilities to Weaknesses Based on CVE Descriptions},
booktitle={Proceedings of the 21st International Conference on Security and Cryptography - Volume 1: SECRYPT},
year={2024},
pages={500-507},
publisher={SciTePress},
organization={INSTICC},
doi={10.5220/0012770400003767},
isbn={978-989-758-709-2},
}


in EndNote Style

TY - CONF

JO - Proceedings of the 21st International Conference on Security and Cryptography - Volume 1: SECRYPT
TI - CVE2CWE: Automated Mapping of Software Vulnerabilities to Weaknesses Based on CVE Descriptions
SN - 978-989-758-709-2
AU - Albanese M.
AU - Adebiyi O.
AU - Onovae F.
PY - 2024
SP - 500
EP - 507
DO - 10.5220/0012770400003767
PB - SciTePress