Leveraging Generative AI to Enhance Automated Vulnerability Scoring
Seyedeh Leili Mirtaheri, Andrea Pugliese
Abstract
Vulnerability assessment is an important and well-studied subject in software security. Traditional methods rely on expert knowledge, which is time-consuming. Considering the constantly increasing number of vulnerabilities, automated machine learning (ML)-based solutions have been proposed to assess the severity of vulnerabilities. Existing methods concentrate on predicting the Common Vulnerability Scoring System (CVSS) score or its vector metrics from the available vulnerability information. The quality and diversity of the vulnerability description data can greatly affect the accuracy of these predictions. Studies report that less than 60% of such descriptions follow the formal template. On the other hand, the performance of ML-based vulnerability scoring approaches is highly dependent on the quality of the data and on the model's architecture. In this paper, we aim to improve the performance of existing ML-based solutions in vulnerability assessment. We use generative artificial intelligence (AI) and feed the CVSS descriptions to a large language model. We use GPT3.5Turbo to generate descriptions and propose a fine-tuned BERT-CNN model to predict the CVSS vector metrics. We conduct several experiments to assess the performance of the proposed method against the state-of-the-art. We use both the original dataset (6,370 descriptions) and the descriptions generated by GPT3.5Turbo. Our experiments show that our proposed architecture considerably improves accuracy.