DOI: 10.1145/3658644.3691375
ACM CCS Conference Proceedings, poster

Poster: Analyzing and Correcting Inaccurate CVE-CWE Mappings in the National Vulnerability Database

Published: 09 December 2024

Abstract

We conduct a longitudinal study of the National Vulnerability Database (NVD), focusing on the mappings between vulnerabilities (CVEs) and weaknesses (CWEs). Surprisingly, the study reveals that a significant portion of CVEs, fluctuating between 15% and 30% over the years, lack proper CWE mapping, and that almost 40% of the updates are non-informative. We introduce a methodology, based on knowledge graphs, for automating root cause weakness mapping for CVEs and for fixing existing inaccurate mappings. We showcase promising preliminary results toward this end.
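As an added illustration of the kind of measurement the abstract describes, and not code from the poster's authors, the following Python computes, over constructed records in the NVD 2.0 API JSON shape (cve.id, cve.published, cve.lastModified, cve.weaknesses[].description[].value), the per-year share of CVEs that carry no real CWE id and the share of record updates that leave the weakness mapping unchanged. Treating the NVD placeholder values NVD-CWE-noinfo and NVD-CWE-Other as "no proper mapping", and the definition of a non-informative update, are this example's assumptions rather than the poster's definitions; the sample records and update history are constructed.

```python
"""Measure CWE-mapping coverage and update quality over NVD-style CVE records.

Added example; not code from the poster. Records follow the NVD 2.0 API JSON
shape. Treating NVD-CWE-noinfo / NVD-CWE-Other as "no proper mapping" and the
definition of a non-informative update are assumptions of this example.
"""
from collections import defaultdict
import re

PLACEHOLDERS = {"NVD-CWE-noinfo", "NVD-CWE-Other"}   # NVD's own placeholder values
CWE_RE = re.compile(r"^CWE-\d+$")                    # a real weakness id


def cwe_values(record):
    """Return the set of weakness values attached to one NVD 2.0-style record."""
    out = set()
    for w in record["cve"].get("weaknesses", []):
        for d in w.get("description", []):
            if d.get("lang", "en") == "en":
                out.add(d["value"])
    return out


def has_proper_mapping(record):
    """Properly mapped means at least one real CWE-NNN id (assumption)."""
    return any(CWE_RE.match(v) for v in cwe_values(record))


def coverage_by_year(records):
    """Map publication year -> (total CVEs, unmapped CVEs, unmapped fraction)."""
    totals, unmapped = defaultdict(int), defaultdict(int)
    for r in records:
        year = int(r["cve"]["published"][:4])
        totals[year] += 1
        if not has_proper_mapping(r):
            unmapped[year] += 1
    return {y: (totals[y], unmapped[y], unmapped[y] / totals[y]) for y in totals}


def non_informative_updates(history):
    """Given snapshots of one CVE ordered by lastModified, count updates whose
    weakness set is unchanged or only moves between placeholders (assumption).
    Returns (updates, non_informative)."""
    updates = non_info = 0
    for prev, cur in zip(history, history[1:]):
        updates += 1
        before, after = cwe_values(prev), cwe_values(cur)
        if before == after or (before | after) <= PLACEHOLDERS:
            non_info += 1
    return updates, non_info


def _rec(cve_id, published, modified, values):
    """Build a minimal NVD 2.0-style record (constructed sample data)."""
    weaknesses = []
    if values is not None:
        weaknesses = [{"source": "nvd@nist.gov", "type": "Primary",
                       "description": [{"lang": "en", "value": v} for v in values]}]
    return {"cve": {"id": cve_id, "published": published,
                    "lastModified": modified, "weaknesses": weaknesses}}


# Constructed sample: nine CVEs across two years; ids are placeholders.
SAMPLE_RECORDS = [
    _rec("CVE-2021-0001", "2021-03-01T00:00:00", "2021-03-05T00:00:00", ["CWE-79"]),
    _rec("CVE-2021-0002", "2021-06-01T00:00:00", "2021-06-02T00:00:00", ["NVD-CWE-noinfo"]),
    _rec("CVE-2021-0003", "2021-09-01T00:00:00", "2021-09-02T00:00:00", ["CWE-787", "CWE-20"]),
    _rec("CVE-2021-0004", "2021-11-01T00:00:00", "2021-11-02T00:00:00", None),
    _rec("CVE-2022-0001", "2022-01-10T00:00:00", "2022-01-11T00:00:00", ["NVD-CWE-Other"]),
    _rec("CVE-2022-0002", "2022-02-10T00:00:00", "2022-02-11T00:00:00", ["CWE-89"]),
    _rec("CVE-2022-0003", "2022-03-10T00:00:00", "2022-03-11T00:00:00", ["CWE-22"]),
    _rec("CVE-2022-0004", "2022-04-10T00:00:00", "2022-04-11T00:00:00", ["CWE-78"]),
    _rec("CVE-2022-0005", "2022-05-10T00:00:00", "2022-05-11T00:00:00", ["CWE-119"]),
]

# Constructed update history for one CVE: three modifications, of which only
# the last replaces a placeholder with a real weakness.
SAMPLE_HISTORY = [
    _rec("CVE-2022-0001", "2022-01-10T00:00:00", "2022-01-11T00:00:00", None),
    _rec("CVE-2022-0001", "2022-01-10T00:00:00", "2022-02-01T00:00:00", ["NVD-CWE-noinfo"]),
    _rec("CVE-2022-0001", "2022-01-10T00:00:00", "2022-03-01T00:00:00", ["NVD-CWE-Other"]),
    _rec("CVE-2022-0001", "2022-01-10T00:00:00", "2022-04-01T00:00:00", ["CWE-416"]),
]

if __name__ == "__main__":
    for year, (total, missing, frac) in sorted(coverage_by_year(SAMPLE_RECORDS).items()):
        print(f"{year}: {missing}/{total} CVEs without a real CWE ({frac:.0%})")
    n, bad = non_informative_updates(SAMPLE_HISTORY)
    print(f"{bad}/{n} updates to {SAMPLE_HISTORY[0]['cve']['id']} were non-informative")
```

Run against a real NVD 2.0 API dump the same functions apply unchanged to each element of the "vulnerabilities" array; the placeholder handling is the part to revisit if a different notion of "proper mapping" is wanted, for example restricting real ids to the CWE-1003 view.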



      Published In

      CCS '24: Proceedings of the 2024 on ACM SIGSAC Conference on Computer and Communications Security
      December 2024
      5188 pages
      ISBN:9798400706363
      DOI:10.1145/3658644
      Permission to make digital or hard copies of part or all of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for third-party components of this work must be honored. For all other uses, contact the Owner/Author.

      Publisher

      Association for Computing Machinery

      New York, NY, United States


      Author Tags

      1. knowledge graph
      2. vulnerability
      3. weakness

      Qualifiers

      • Poster

      Funding Sources

      • Red Hat

      Acceptance Rates

      Overall Acceptance Rate 1,261 of 6,999 submissions, 18%

      Article Metrics

      • Total Citations: 0
      • Total Downloads: 130
      • Downloads (last 12 months): 130
      • Downloads (last 6 weeks): 40
      Reflects downloads up to 04 Feb 2025
