FixV2W: Correcting Invalid CVE-CWE Mappings with Knowledge Graph Embeddings
Sevval Simsek, Varsha Athreya, David Starobinski

TL;DR
FixV2W is a knowledge graph embedding-based method that enhances the accuracy of CVE to CWE mappings in the NVD, aiding vulnerability management.
Contribution
It introduces a novel approach leveraging hierarchical relationships and historical trends to improve CVE-CWE mapping accuracy.
Findings
FixV2W predicts the correct CWE mapping for 69% of exploited vulnerabilities whose previous CWE mapping was invalid.
It substantially improves downstream ML model performance, raising mean reciprocal rank (MRR) from 0.174 to 0.608.
Corrected mappings also help identify emerging classes of security weaknesses.
Abstract
Accurate mapping between Common Vulnerabilities and Exposures (CVE) and Common Weakness Enumeration (CWE) entries is critical for effective vulnerability management and risk assessment. However, public databases such as the National Vulnerability Database (NVD) suffer from inconsistent and incomplete CVE-to-CWE mappings, which complicates automated analysis and remediation. We introduce FixV2W, a lightweight approach that leverages knowledge graph embeddings and longitudinal trends to improve the accuracy of NVD mappings. FixV2W systematically analyzes historical remapping patterns and exploits hierarchical relationships within NVD and CWE data to predict more precise CWE mappings for vulnerabilities linked to CWE entries labeled Prohibited or Discouraged for vulnerability mapping. We run an extensive experimental evaluation of FixV2W on a test data set collected between August 2021 and December 2024. Considering the Top…
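The abstract names two signals, the CWE parent/child hierarchy and historical NVD remapping patterns, and the findings report the result as MRR. The Python below is an added illustration, not FixV2W's code: the paper's knowledge-graph-embedding model is not reproduced here. Instead it shows a frequency-based ranker that uses both signals, a hierarchy-blind baseline that uses neither, and the MRR metric, so a practitioner can see what a gain such as 0.174 to 0.608 is measuring. The hierarchy slice, mapping labels, remap log and test cases are all constructed, and CHILD_OF, BAD_MAPPINGS, HISTORICAL_REMAPS and every function name are hypothetical.

```python
from collections import Counter

# Constructed slice of the CWE hierarchy: child -> parent ("ChildOf" relation).
# Hypothetical structure; the full hierarchy lives in the CWE XML/CSV export.
CHILD_OF = {
    "CWE-79": "CWE-74",    # XSS under Injection
    "CWE-89": "CWE-943",   # SQLi under Query Injection
    "CWE-943": "CWE-74",
    "CWE-78": "CWE-77",    # OS command injection under Command Injection
    "CWE-77": "CWE-74",
    "CWE-74": "CWE-707",   # Injection under the Improper Neutralization pillar
    "CWE-787": "CWE-119",  # out-of-bounds write under the memory-bounds class
    "CWE-125": "CWE-119",
    "CWE-119": "CWE-118",
    "CWE-416": "CWE-825",
}
KNOWN = set(CHILD_OF) | set(CHILD_OF.values())

# Constructed subset of CWE "Vulnerability Mapping" labels: pillars and abstract
# classes that should not be assigned to CVEs, plus the two NVD placeholders.
BAD_MAPPINGS = {
    "CWE-707": "Prohibited", "CWE-118": "Prohibited", "CWE-825": "Discouraged",
    "CWE-74": "Discouraged", "CWE-119": "Discouraged", "CWE-943": "Discouraged",
    "NVD-CWE-Other": "Prohibited", "NVD-CWE-noinfo": "Prohibited",
}

# Constructed remapping log: (CWE before NVD re-analysis, CWE after).
HISTORICAL_REMAPS = [
    ("CWE-74", "CWE-79"), ("CWE-74", "CWE-79"), ("CWE-74", "CWE-89"), ("CWE-74", "CWE-78"),
    ("CWE-119", "CWE-787"), ("CWE-119", "CWE-787"), ("CWE-119", "CWE-125"),
    ("NVD-CWE-Other", "CWE-79"), ("NVD-CWE-Other", "CWE-416"),
]

# Constructed held-out cases: (CWE as originally mapped, CWE the analyst later chose).
TEST_CASES = [
    ("CWE-74", "CWE-79"), ("CWE-74", "CWE-78"),
    ("CWE-119", "CWE-125"), ("NVD-CWE-Other", "CWE-416"),
]


def needs_fix(cwe):
    """True when the CWE carries a Prohibited/Discouraged label or is an NVD placeholder."""
    return cwe in BAD_MAPPINGS


def ancestors(cwe):
    """Walk ChildOf links up to the pillar; returns [] for ids outside the hierarchy."""
    chain = []
    while cwe in CHILD_OF:
        cwe = CHILD_OF[cwe]
        chain.append(cwe)
    return chain


def descendants(cwe):
    return {c for c in CHILD_OF if cwe in ancestors(c)}


def rank_candidates(old_cwe, history=HISTORICAL_REMAPS):
    """Rank replacement CWEs for an entry currently mapped to old_cwe.

    Candidate pool: allowed descendants of old_cwe, so the replacement is a more
    specific weakness on the same branch; for an NVD placeholder with no place in
    the hierarchy, every allowed CWE seen in the remap log.
    Order: remaps seen from old_cwe (desc), then remaps overall (desc), then id.
    """
    from_old = Counter(new for old, new in history if old == old_cwe)
    overall = Counter(new for _, new in history)
    if old_cwe in KNOWN:
        pool = {c for c in descendants(old_cwe) if not needs_fix(c)}
    else:
        pool = {new for _, new in history if not needs_fix(new)}
    return sorted(pool, key=lambda c: (-from_old[c], -overall[c], c))


def baseline_rank(old_cwe, history=HISTORICAL_REMAPS):
    """Hierarchy-blind baseline: every allowed CWE, ordered only by global remap popularity."""
    overall = Counter(new for _, new in history)
    pool = {c for c in KNOWN | set(overall) if not needs_fix(c)}
    return sorted(pool, key=lambda c: (-overall[c], c))


def reciprocal_rank(ranked, truth):
    return 1.0 / (ranked.index(truth) + 1) if truth in ranked else 0.0


def mean_reciprocal_rank(cases, ranker):
    """MRR over (old_cwe, correct_new_cwe) pairs: mean of 1/rank of the correct answer."""
    return sum(reciprocal_rank(ranker(old), new) for old, new in cases) / len(cases)


if __name__ == "__main__":
    for old, _ in TEST_CASES:
        print(old, BAD_MAPPINGS.get(old), "->", rank_candidates(old)[:3])
    print("MRR hierarchy+history:", round(mean_reciprocal_rank(TEST_CASES, rank_candidates), 3))
    print("MRR baseline:         ", round(mean_reciprocal_rank(TEST_CASES, baseline_rank), 3))
```

On the constructed data the hierarchy-aware ranker scores MRR 0.625 against about 0.446 for the baseline; the gap comes entirely from pruning the candidate pool to allowed descendants of the invalid CWE and from conditioning on where entries with that CWE were historically remapped. The same pruning check (needs_fix) is what a triage pipeline would run over an NVD feed to flag CVEs whose CWE is Prohibited or Discouraged before they reach downstream models.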
