Enhancing Vulnerability Reports with Automated and Augmented Description Summarization
Hattan Althebeiti, Mohammed Alkinoon, Manar Mohaisen, Saeed Salem, DaeHun Nyang, David Mohaisen
TL;DR
Public vulnerability descriptions in the NVD are often brief and lacking context. Zad addresses this by a two-stage NLP pipeline: first collecting semantically relevant external content to augment descriptions, then fine-tuning pretrained seq2seq models to generate enriched narratives. It employs two fine-tuning strategies—label-guided (manual summaries) and summary-guided (using the original description as an anchor)—along with a dataset-quality enhancement step based on word-frequency diversity. Evaluations using automated metrics and human judgments show meaningful improvements in contextual richness and coherence, suggesting Zad can meaningfully enhance threat intelligence workflows while highlighting ongoing challenges in ensuring precise vulnerability details.
Abstract
Public vulnerability databases, such as the National Vulnerability Database (NVD), document vulnerabilities and facilitate threat information sharing. However, they often suffer from short descriptions and outdated or insufficient information. In this paper, we introduce Zad, a system designed to enrich NVD vulnerability descriptions by leveraging external resources. Zad consists of two pipelines: one collects and filters supplementary data using two encoders to build a detailed dataset, while the other fine-tunes a pre-trained model on this dataset to generate enriched descriptions. By addressing brevity and improving content quality, Zad produces more comprehensive and cohesive vulnerability descriptions. We evaluate Zad using standard summarization metrics and human assessments, demonstrating its effectiveness in enhancing vulnerability information.
