Knowing your weaknesses is your greatest strength: Mapping CVE to CWE by leveraging CWE Hierarchy and LLMs
One-line summary
An AI research paper on "Knowing your weaknesses is your greatest strength: Mapping CVE to CWE by leveraging CWE Hierarchy and LLMs".
Original abstract
Effective defense against threat actors requires that security professionals accurately identify the underlying weaknesses associated with common vulnerabilities and exposures (CVEs). This understanding is crucial for deploying appropriate defensive mechanisms and prioritizing remediation efforts. However, manually mapping CVEs to common weakness enumerations (CWEs) has become increasingly impractical due to the rapid increase of new CVEs and the extensive, complex CWE taxonomy. In 2025, the number of CVEs awaiting analysis exceeded 25,000.

To automate the mapping between CVEs and CWEs, we propose to leverage two insights. To harness the power of large language models, we first fine-tune different language models to perform this mapping based on the vulnerability-to-weakness relation. Second, we propose a supervised framework leveraging the hierarchical structure of CWEs, where we first categorize vulnerabilities into broad CWE classes (e.g., Injection, Buffer Overflow), which helps capture high-level patterns, and then utilize specialized subnetworks to distinguish fine-grained differences within each class.

Evaluated on a benchmark that covers 95% of all CVEs associated with a CWE, our approach improves F1-score by 5% over the best prior supervised method, demonstrating the value of combining model fine-tuning with hierarchy-aware classification.