What is it about?

Detecting vulnerabilities is important for software security. In our work we aim to correct vulnerability data by detecting weaknesses (CWEs) that have been wrongly mapped to a vulnerability (CVE) and predicting the weakness that actually belongs to it. Because doing this by hand is time consuming, we automate it with a machine-learning approach built on a knowledge graph: vulnerabilities, the products they affect, and the weaknesses they are mapped to become nodes, and the known relationships between them become edges. We train the model on this vulnerability metadata (affected products and weakness mappings) so that it learns the associations between these three types of data and can propose the weakness that should be linked to a given vulnerability.
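To make the idea concrete, here is an added example (not code from the poster or its authors) that builds the same three-way graph from a handful of constructed NVD-style records and flags CVE-CWE mappings that disagree with the weaknesses of neighbouring vulnerabilities. The paper trains a model on the graph; this example substitutes a deliberately simple neighbour-voting rule (CVEs that affect the same vendor:product vote for their CWE) so the mechanics are visible. The record layout, the `min_support` threshold and all CVE identifiers are assumptions for illustration; `NVD-CWE-noinfo` and `NVD-CWE-Other` are the real NVD placeholder values that mean "no weakness assigned".

```python
"""Toy CVE -> CWE consistency check over a small knowledge graph.

Added example: the records below are constructed, not real NVD entries, and the
neighbour-voting rule stands in for a learned link-prediction model.
"""
import json
from collections import Counter, defaultdict

# Constructed NVD-style records, trimmed to the three fields the check uses.
SAMPLE_NVD_JSON = json.dumps([
    {"id": "CVE-2024-0001", "cwe": ["CWE-79"], "cpe": ["cpe:2.3:a:vendor_a:webapp:1.0:*:*:*:*:*:*:*"]},
    {"id": "CVE-2024-0002", "cwe": ["CWE-79"], "cpe": ["cpe:2.3:a:vendor_a:webapp:1.1:*:*:*:*:*:*:*"]},
    {"id": "CVE-2024-0003", "cwe": ["CWE-79"], "cpe": ["cpe:2.3:a:vendor_a:webapp:1.2:*:*:*:*:*:*:*",
                                                       "cpe:2.3:a:vendor_a:portal:2.0:*:*:*:*:*:*:*"]},
    # Mapped to a memory-safety CWE although every neighbour is XSS: the planted error.
    {"id": "CVE-2024-0004", "cwe": ["CWE-787"], "cpe": ["cpe:2.3:a:vendor_a:webapp:1.3:*:*:*:*:*:*:*"]},
    {"id": "CVE-2024-0005", "cwe": ["CWE-787"], "cpe": ["cpe:2.3:o:vendor_b:firmware:3.0:*:*:*:*:*:*:*"]},
    {"id": "CVE-2024-0006", "cwe": ["CWE-787"], "cpe": ["cpe:2.3:o:vendor_b:firmware:3.1:*:*:*:*:*:*:*"]},
    # No weakness assigned at all: the placeholder NVD uses for "no info".
    {"id": "CVE-2024-0007", "cwe": ["NVD-CWE-noinfo"], "cpe": ["cpe:2.3:o:vendor_b:firmware:3.2:*:*:*:*:*:*:*"]},
    {"id": "CVE-2024-0008", "cwe": ["CWE-787"], "cpe": ["cpe:2.3:o:vendor_b:firmware:3.3:*:*:*:*:*:*:*"]},
    # A product nothing else affects: the graph has no evidence either way.
    {"id": "CVE-2024-0009", "cwe": ["CWE-89"], "cpe": ["cpe:2.3:a:vendor_c:tool:0.9:*:*:*:*:*:*:*"]},
])

# Real NVD placeholder values; they carry no root-cause information.
PLACEHOLDERS = {"NVD-CWE-noinfo", "NVD-CWE-Other"}


def load_records(raw_json):
    return json.loads(raw_json)


def product_key(cpe):
    """Collapse a CPE 2.3 string to vendor:product so versions share a node."""
    parts = cpe.split(":")
    return f"{parts[3]}:{parts[4]}"


def build_graph(records):
    """Adjacency maps for the two edge types: CVE-affects-product, CVE-has-weakness."""
    cve_products = defaultdict(set)
    product_cves = defaultdict(set)
    cve_cwes = {}
    for rec in records:
        cve = rec["id"]
        cve_cwes[cve] = set(rec["cwe"])
        for cpe in rec["cpe"]:
            product = product_key(cpe)
            cve_products[cve].add(product)
            product_cves[product].add(cve)
    return cve_products, product_cves, cve_cwes


def predict_cwes(cve, graph):
    """Rank candidate CWEs for `cve` by how many two-hop neighbours carry them.

    Two-hop neighbour = another CVE that affects one of the same products.
    The CVE's own recorded CWE is never counted, so the check is not circular.
    """
    cve_products, product_cves, cve_cwes = graph
    votes = Counter()
    for product in cve_products[cve]:
        for neighbour in product_cves[product]:
            if neighbour == cve:
                continue
            for cwe in cve_cwes[neighbour]:
                if cwe not in PLACEHOLDERS:
                    votes[cwe] += 1
    return votes.most_common()


def audit(records, min_support=2):
    """Classify every record: consistent, suspicious, missing, or unknown.

    `min_support` (assumed threshold) is the minimum vote count before the
    graph is trusted to contradict or fill in a recorded mapping.
    """
    graph = build_graph(records)
    findings = {}
    for rec in records:
        cve = rec["id"]
        recorded = set(rec["cwe"])
        ranked = predict_cwes(cve, graph)
        if not ranked or ranked[0][1] < min_support:
            findings[cve] = ("unknown", None)   # too little evidence to judge
            continue
        top_cwe = ranked[0][0]
        if recorded <= PLACEHOLDERS:
            findings[cve] = ("missing", top_cwe)      # propose a weakness
        elif top_cwe in recorded:
            findings[cve] = ("consistent", top_cwe)
        else:
            findings[cve] = ("suspicious", top_cwe)   # likely mis-mapped
    return findings


if __name__ == "__main__":
    for cve, (verdict, suggestion) in audit(load_records(SAMPLE_NVD_JSON)).items():
        print(f"{cve}: {verdict}" + (f" (suggest {suggestion})" if suggestion else ""))
```

Running it marks CVE-2024-0004 as suspicious with CWE-79 suggested, fills in CWE-787 for the placeholder on CVE-2024-0007, and reports CVE-2024-0009 as unknown because nothing else in the graph touches its product. That last case is the practical caveat: any graph-based corrector is only as good as the coverage of the metadata around each vulnerability, which is exactly the data the poster argues is often incomplete.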

Why is it important?

Our results show that this method is suitable for use in real-world vulnerability reporting and updating processes, whether carried out by private security advisory teams or by public databases such as CVE.org and the NVD. They indicate that automating the assignment of the root-cause weakness to existing and newly reported vulnerabilities is a promising direction.

Perspectives

I hope that, by reading this short paper, the reader gets curious about the projects they are working on and/or the software they are using, and about how there are probably many vulnerabilities that cannot be detected, since the information about them is mostly incomplete or incorrect. I believe we need a collective effort from software development and security teams to fix the incorrect data and to report vulnerabilities more consciously, realizing how much it affects the whole cyber-security ecosystem.

Sevval Simsek

Read the Original

This page is a summary of: Poster: Analyzing and Correcting Inaccurate CVE-CWE Mappings in the National Vulnerability Database, December 2024, ACM (Association for Computing Machinery), DOI: 10.1145/3658644.3691375.
