DOI: 10.1145/3694811.3697819
research-article
Open access

VulnScopper: Unveiling Hidden Links Between Unseen Security Entities

Published: 09 December 2024

Abstract

The Common Vulnerabilities and Exposures (CVE) system is crucial for cybersecurity, providing standardized identification of vulnerabilities. In February 2024, the National Vulnerability Database (NVD) announced it could no longer enrich new CVEs due to increasing volumes, significantly impacting global security efforts. This paper introduces VulnScopper, an innovative approach to automate and enhance vulnerability enrichment using Graph Neural Networks (GNNs). VulnScopper combines Knowledge Graphs (KG) with Natural Language Processing (NLP) by leveraging ULTRA, a GNN-based knowledge graph foundation model, alongside a Large Language Model (LLM). VulnScopper's inductive approach enables it to handle unseen entities, overcoming a crucial limitation of previous CVE enrichment methods. We evaluate VulnScopper on the NVD dataset in inductive and transductive setups for CVE to Common Platform Enumerations (CPE) linking. Our results show that VulnScopper outperforms state-of-the-art techniques, achieving up to 60% Hits@10 accuracy in linking CVEs to CPE on unseen CVE records. We demonstrate VulnScopper's effectiveness on unseen 2023 CVEs, showcasing its ability to uncover new vulnerable products and potentially reduce vulnerability remediation time.

Published In

GNNet '24: Proceedings of the 3rd GNNet Workshop on Graph Neural Networking Workshop
December 2024
58 pages
ISBN:9798400712548
DOI:10.1145/3694811
Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than the author(s) must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected].

Publisher

Association for Computing Machinery

New York, NY, United States

Author Tags

  1. cpe
  2. cve
  3. cwe
  4. cybersecurity
  5. graph neural networks (gnn)
  6. knowledge graphs
  7. large language models (llm)
  8. link prediction
  9. vulnerabilities

Qualifiers

  • Research-article

Conference

CoNEXT '24

Article Metrics

  • 0
    Total Citations
  • 32
    Total Downloads
  • Downloads (Last 12 months)32
  • Downloads (Last 6 weeks)32
Reflects downloads up to 05 Jan 2025
