Table of Contents
Fetching ...

Enhancing Vulnerability Reports with Automated and Augmented Description Summarization

Hattan Althebeiti, Mohammed Alkinoon, Manar Mohaisen, Saeed Salem, DaeHun Nyang, David Mohaisen

TL;DR

Public vulnerability descriptions in the NVD are often brief and lacking context. Zad addresses this by a two-stage NLP pipeline: first collecting semantically relevant external content to augment descriptions, then fine-tuning pretrained seq2seq models to generate enriched narratives. It employs two fine-tuning strategies—label-guided (manual summaries) and summary-guided (using the original description as an anchor)—along with a dataset-quality enhancement step based on word-frequency diversity. Evaluations using automated metrics and human judgments show meaningful improvements in contextual richness and coherence, suggesting Zad can meaningfully enhance threat intelligence workflows while highlighting ongoing challenges in ensuring precise vulnerability details.

Abstract

Public vulnerability databases, such as the National Vulnerability Database (NVD), document vulnerabilities and facilitate threat information sharing. However, they often suffer from short descriptions and outdated or insufficient information. In this paper, we introduce Zad, a system designed to enrich NVD vulnerability descriptions by leveraging external resources. Zad consists of two pipelines: one collects and filters supplementary data using two encoders to build a detailed dataset, while the other fine-tunes a pre-trained model on this dataset to generate enriched descriptions. By addressing brevity and improving content quality, Zad produces more comprehensive and cohesive vulnerability descriptions. We evaluate Zad using standard summarization metrics and human assessments, demonstrating its effectiveness in enhancing vulnerability information.

Enhancing Vulnerability Reports with Automated and Augmented Description Summarization

TL;DR

Public vulnerability descriptions in the NVD are often brief and lacking context. Zad addresses this by a two-stage NLP pipeline: first collecting semantically relevant external content to augment descriptions, then fine-tuning pretrained seq2seq models to generate enriched narratives. It employs two fine-tuning strategies—label-guided (manual summaries) and summary-guided (using the original description as an anchor)—along with a dataset-quality enhancement step based on word-frequency diversity. Evaluations using automated metrics and human judgments show meaningful improvements in contextual richness and coherence, suggesting Zad can meaningfully enhance threat intelligence workflows while highlighting ongoing challenges in ensuring precise vulnerability details.

Abstract

Public vulnerability databases, such as the National Vulnerability Database (NVD), document vulnerabilities and facilitate threat information sharing. However, they often suffer from short descriptions and outdated or insufficient information. In this paper, we introduce Zad, a system designed to enrich NVD vulnerability descriptions by leveraging external resources. Zad consists of two pipelines: one collects and filters supplementary data using two encoders to build a detailed dataset, while the other fine-tunes a pre-trained model on this dataset to generate enriched descriptions. By addressing brevity and improving content quality, Zad produces more comprehensive and cohesive vulnerability descriptions. We evaluate Zad using standard summarization metrics and human assessments, demonstrating its effectiveness in enhancing vulnerability information.
Paper Structure (25 sections, 3 equations, 12 figures, 3 tables)

This paper contains 25 sections, 3 equations, 12 figures, 3 tables.

Figures (12)

  • Figure 1: Zad pipeline. The pipeline consists of multiple steps to transform the text $X_{1:n}$ from a series of tokens into numerical representations. The encoder component then encodes them to incorporate their context, improving their embeddings through self-attention. The decoder's role is to deploy the encoded sequences to predict the target sequence $Y_{1:m}$.
  • Figure 2: A schematic structure for training Byte-Pair Encoding (BPE) tokenizer
  • Figure 3: Our data collection pipeline.
  • Figure 4: Dataset quality enhancement pipeline, added as an extension to Zad. The pipeline starts with the augmented text of each instance and breaks it into a group of sentences, followed by a duplicate removal pipeline. Text cleaning considers removing ineffective phrases followed by tokenization to construct the lexicons set. Finally, word-frequency vectors are created for each sentence, and the diversity between sentences is measured using a predefined threshold.
  • Figure 5: Results after fine-tuning the models using a different single encoder. The number of beams used across all settings is 2, and the batch size for BART is 8, while for T5 is 4. The keys highlight pairs of model-encoder for BART and T5 using both USE and MPNet.
  • ...and 7 more figures