Detecting duplicate vulnerability records across databases
Authors: Kangliang Zhu, Wenhua Yang, Minxue Pan, Yu Zhou
Journal: Science of Computer Programming, volume 247, Article 103357 (Journal Article)
DOI: 10.1016/j.scico.2025.103357
Publication date: 2025-07-07
Publisher page: https://www.sciencedirect.com/science/article/pii/S0167642325000966
Vulnerability databases are critical repositories that aggregate information about known security vulnerabilities across various software products. However, the existence of multiple, heterogeneous databases often leads to duplicate vulnerability records, necessitating significant manual effort by maintainers to identify and consolidate these duplicates. This study addresses the challenge of detecting duplicate vulnerabilities across different databases by proposing a combined method that integrates cosine similarity measures with a fine-tuned BERT-based language model. We constructed a comprehensive duplicate vulnerability dataset by analyzing records from prominent databases such as CVE, OSV, and the GitHub Advisory Database. Our method was evaluated against several baseline techniques, including similarity-based and deep learning-based approaches, demonstrating superior performance across multiple metrics, including Hit Rate@N, Mean Reciprocal Rank (MRR), Mean Rank, and Median Rank. Additionally, our method proved effective in practical scenarios involving ongoing database maintenance, showcasing its ability to generalize to unseen data. The findings highlight the potential of integrating traditional similarity measures with advanced language models to enhance the accuracy and efficiency of duplicate vulnerability detection, thereby facilitating more reliable vulnerability management.
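As an added illustration (not the paper's code or dataset): a minimal cosine-similarity retrieval baseline that ranks the records of one database against each record of another and scores the result with the four ranking metrics the abstract names (Hit Rate@N, MRR, Mean Rank, Median Rank). The third query shows the failure mode that motivates adding a fine-tuned language model on top of lexical similarity: a lookalike advisory for the same component outranks the true duplicate. All record IDs, texts and the ground-truth mapping are constructed for this example.

```python
import math
import re
import statistics
from collections import Counter

# Constructed sample records (assumed for this example, not the paper's data):
# DB_A holds terse CVE-style text, DB_B holds advisory-style text.
DB_A = {
    "A-1": "examplelib archive extractor path traversal writes files outside the target directory",
    "A-2": "otherlib YAML parser uncontrolled recursion leads to denial of service",
    "A-3": "otherlib stored cross-site scripting affects all versions",
}
DB_B = {
    "B-1": "Path traversal in the archive extractor of examplelib allows writing files outside the target directory",
    "B-2": "SQL injection in the login handler of examplelib allows authentication bypass",
    "B-3": "Denial of service via uncontrolled recursion in the YAML parser of otherlib",
    "B-4": "Cross-site scripting in the comment widget of otherlib",
    "B-5": "Stored cross-site scripting in the search page of otherlib affects all versions",
}
# Constructed ground truth: the B record that duplicates each A record.
# A-3 is deliberately terse, so the lexically closer B-5 outranks its true duplicate B-4.
TRUTH = {"A-1": "B-1", "A-2": "B-3", "A-3": "B-4"}

def bag_of_words(text):
    # Lowercase token counts; hyphenated terms such as "cross-site" split into two tokens.
    return Counter(re.findall(r"[a-z0-9]+", text.lower()))

def cosine(a, b):
    dot = sum(a[t] * b[t] for t in a.keys() & b.keys())
    norm = math.sqrt(sum(v * v for v in a.values())) * math.sqrt(sum(v * v for v in b.values()))
    return dot / norm if norm else 0.0

def rank_candidates(query_text, candidates):
    # Candidate IDs ordered by descending cosine similarity to the query record.
    q = bag_of_words(query_text)
    scores = {cid: cosine(q, bag_of_words(text)) for cid, text in candidates.items()}
    return sorted(scores, key=lambda cid: -scores[cid])

def evaluate(queries, candidates, truth, n=3):
    # 1-based rank of the true duplicate for each query, then the four ranking metrics.
    ranks = [rank_candidates(text, candidates).index(truth[qid]) + 1 for qid, text in queries.items()]
    return {
        "hit_rate@%d" % n: sum(r <= n for r in ranks) / len(ranks),
        "mrr": sum(1.0 / r for r in ranks) / len(ranks),
        "mean_rank": sum(ranks) / len(ranks),
        "median_rank": statistics.median(ranks),
        "ranks": ranks,
    }

if __name__ == "__main__":
    print(evaluate(DB_A, DB_B, TRUTH, n=1))
```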
Journal description:
Science of Computer Programming is dedicated to the distribution of research results in the areas of software systems development, use and maintenance, including the software aspects of hardware design.
The journal has a wide scope ranging from the many facets of methodological foundations to the details of technical issues and the aspects of industrial practice.
The subjects of interest to SCP cover the entire spectrum of methods for the entire life cycle of software systems, including
• Requirements, specification, design, validation, verification, coding, testing, maintenance, metrics and renovation of software;
• Design, implementation and evaluation of programming languages;
• Programming environments, development tools, visualisation and animation;
• Management of the development process;
• Human factors in software, software for social interaction, software for social computing;
• Cyber physical systems, and software for the interaction between the physical and the machine;
• Software aspects of infrastructure services, system administration, and network management.