FVulPri: Fine-grained vulnerability prioritization based on BERT-BGRU and multiple indicators
Authors: Sixuan Wang, Dongjin Yu, Xiongjie Liang, Chen Huang
Journal: Information and Software Technology, volume 187, article 107853 (journal article, published 2025-08-07; not open access)
DOI: 10.1016/j.infsof.2025.107853
URL: https://www.sciencedirect.com/science/article/pii/S0950584925001922
Indexing: Semanticscholar; JCR Q2 (Computer Science, Information Systems); region category: Computer Science (rank 2)
Introduction:
Extensive efforts have been made to mitigate the impact of software vulnerabilities on information security. Research in this area aims to prioritize vulnerabilities once they are disclosed so that remediation can follow in the right order. However, existing methods suffer from a low degree of automation, coarse granularity (no ranking below the level of the whole vulnerability) and too few scoring indicators.
Objectives:
This paper aims to provide a new approach to vulnerability prioritization that addresses these shortcomings with a more comprehensive evaluation system, improves the automation of the process and provides fine-grained scoring.
Methods:
In this paper, we propose FVulPri, a fine-grained vulnerability prioritization method that, for the first time, ranks software vulnerabilities at the function level. FVulPri employs a BERT-BGRU model (BERT combined with a bidirectional GRU) to evaluate vulnerability severity, introduces a novel code learning approach to analyze the functions involved in a vulnerability, and integrates multiple indicators into one comprehensive assessment.
Results:
The experimental results show that FVulPri produces a more reasonable score distribution than CVSS (Common Vulnerability Scoring System) scores, reaches an average effectiveness of 69.06% on the newly added function-level metrics, and yields rankings that align more closely with expert assessments than CVSS rankings do, improving the quality of vulnerability prioritization.
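The Results paragraph reports two properties of a prioritizer: how its scores are distributed (CVSS scores cluster on a few values, so many vulnerabilities tie) and how well its ranking agrees with expert assessments. The block below is an added illustration of how such a comparison can be measured; it is not code from the FVulPri paper and does not implement the paper's scoring. It computes a Spearman rank correlation that handles tied scores (CVSS ties are the common case) and a tie-fraction statistic for the score distribution. The vulnerability IDs, expert urgencies, CVSS scores and the "fine-grained" scores are all constructed sample data, and the fine-grained scorer is an assumed stand-in, not FVulPri's output.

```python
"""Rank-alignment and tie checks for vulnerability prioritizers.

Added example, not code from the FVulPri paper. Shows how "alignment with
expert assessments" can be quantified with a tie-aware Spearman correlation,
and how score-distribution concentration can be captured by a tie fraction.
All scores below are constructed sample data.
"""
from math import sqrt
from typing import Dict, List, Sequence

# Constructed sample: six vulnerabilities, expert urgency (higher = fix first),
# CVSS base scores (note the ties) and an assumed fine-grained score.
EXPERT_URGENCY: Dict[str, float] = {"V1": 6, "V2": 5, "V3": 4, "V4": 3, "V5": 2, "V6": 1}
CVSS_SCORE: Dict[str, float] = {"V1": 9.8, "V2": 7.5, "V3": 9.8, "V4": 7.5, "V5": 7.5, "V6": 5.3}
FINE_SCORE: Dict[str, float] = {"V1": 92, "V2": 81, "V3": 77, "V4": 85, "V5": 60, "V6": 41}


def average_ranks(values: Sequence[float]) -> List[float]:
    """Rank values descending (1 = highest); tied values share their mean rank."""
    order = sorted(range(len(values)), key=lambda i: -values[i])
    ranks = [0.0] * len(values)
    i = 0
    while i < len(order):
        j = i
        # Extend the tie group while the next value equals the group's value.
        while j + 1 < len(order) and values[order[j + 1]] == values[order[i]]:
            j += 1
        mean_rank = (i + 1 + j + 1) / 2  # positions are 1-based
        for k in range(i, j + 1):
            ranks[order[k]] = mean_rank
        i = j + 1
    return ranks


def spearman(x: Sequence[float], y: Sequence[float]) -> float:
    """Spearman rho as the Pearson correlation of tie-averaged ranks."""
    rx, ry = average_ranks(x), average_ranks(y)
    n = len(rx)
    mx, my = sum(rx) / n, sum(ry) / n
    cov = sum((a - mx) * (b - my) for a, b in zip(rx, ry))
    vx = sum((a - mx) ** 2 for a in rx)
    vy = sum((b - my) ** 2 for b in ry)
    return cov / sqrt(vx * vy)


def tie_fraction(values: Sequence[float]) -> float:
    """Fraction of items whose score is shared with at least one other item."""
    counts: Dict[float, int] = {}
    for v in values:
        counts[v] = counts.get(v, 0) + 1
    return sum(1 for v in values if counts[v] > 1) / len(values)


def compare_prioritizers(
    expert: Dict[str, float], candidates: Dict[str, Dict[str, float]]
) -> Dict[str, Dict[str, float]]:
    """Per candidate scorer: Spearman rho against the expert ranking and tie fraction."""
    ids = list(expert)
    e = [expert[v] for v in ids]
    report: Dict[str, Dict[str, float]] = {}
    for name, scores in candidates.items():
        s = [scores[v] for v in ids]
        report[name] = {
            "spearman_vs_expert": spearman(e, s),
            "tie_fraction": tie_fraction(s),
        }
    return report


if __name__ == "__main__":
    result = compare_prioritizers(
        EXPERT_URGENCY, {"cvss": CVSS_SCORE, "fine_grained": FINE_SCORE}
    )
    for name, stats in result.items():
        print(f"{name:13s} rho={stats['spearman_vs_expert']:.3f} "
              f"ties={stats['tie_fraction']:.2f}")
```

On the constructed data the CVSS ranking ties five of six items and reaches rho about 0.77 against the expert order, while the assumed fine-grained scores tie nothing and reach about 0.83. The tie-averaged ranking matters: assigning CVSS ties an arbitrary order would let the result depend on input order rather than on the scorer.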
Conclusion:
This paper presents FVulPri, a fine-grained vulnerability prioritization method that leverages BERT-BGRU and multiple indicators to assess 14 metrics across three dimensions (necessity, function level and scope of impact), improving both the efficiency and the quality of vulnerability prioritization.
About the journal:
Information and Software Technology is the international archival journal focusing on research and experience that contributes to the improvement of software development practices. The journal's scope includes methods and techniques to better engineer software and manage its development. Articles submitted for review should have a clear component of software engineering or address ways to improve the engineering and management of software development. Areas covered by the journal include:
• Software management, quality and metrics
• Software processes
• Software architecture, modelling, specification, design and programming
• Functional and non-functional software requirements
• Software testing and verification & validation
• Empirical studies of all aspects of engineering and managing software development
Short Communications is a new section dedicated to short papers addressing new ideas, controversial opinions, "Negative" results and much more. Read the Guide for authors for more information.
The journal encourages and welcomes submissions of systematic literature studies (reviews and maps) within the scope of the journal. Information and Software Technology is the premier outlet for systematic literature studies in software engineering.