VulCPE: Context-Aware Cybersecurity Vulnerability Retrieval and Management

Yuning Jiang, Feiyang Shang, Freedy Tan Wei You, Huilin Wang, Chia Ren Cong, Qiaoran Meng, Nay Oo, Hoon Wei Lim, Biplab Sikdar

TL;DR

VulCPE tackles data-quality-driven false positives in vulnerability retrieval by standardizing heterogeneous CPE data into a unified uCPE schema and modeling configuration dependencies with graph structures. It combines RoBERTa-based NER and RE, a canonical dictionary, and graph-based FP filtering to enable context-aware vulnerability mapping across complex system configurations. Empirical results show high NER/RE performance and improved retrieval precision and coverage (e.g., precision ≈ 0.766 and coverage ≈ 0.926), outperforming baselines like cve-search and OpenCVE. The framework supports incremental updates and scalable deployment, offering a practical path toward more accurate and resilient vulnerability management in heterogeneous environments.

Abstract

The dynamic landscape of cybersecurity demands precise and scalable solutions for vulnerability management in heterogeneous systems, where configuration-specific vulnerabilities are often misidentified due to inconsistent data in databases like the National Vulnerability Database (NVD). Inaccurate Common Platform Enumeration (CPE) data in NVD further leads to false positives and incomplete vulnerability retrieval. Informed by our systematic analysis of CPE and CVEdetails data, revealing more than 50% vendor name inconsistencies, we propose VulCPE, a framework that standardizes data and models configuration dependencies using a unified CPE schema (uCPE), entity recognition, relation extraction, and graph-based modeling. VulCPE achieves superior retrieval precision (0.766) and coverage (0.926) over existing tools. VulCPE ensures precise, context-aware vulnerability management, enhancing cyber resilience.

Paper Structure

This paper contains 40 sections, 23 equations, 4 figures, 7 tables, 1 algorithm.

Figures (4)

  • Figure 1: VulCPE Architecture.
  • Figure 2: Example of Running On/With configuration.
  • Figure 3: Structure of Named Entity Recognition Module.
  • Figure 4: Structure of Relation Extraction Module.