{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,3,26]],"date-time":"2026-03-26T17:21:05Z","timestamp":1774545665608,"version":"3.50.1"},"reference-count":32,"publisher":"Springer Science and Business Media LLC","issue":"1","license":[{"start":{"date-parts":[[2023,11,2]],"date-time":"2023-11-02T00:00:00Z","timestamp":1698883200000},"content-version":"tdm","delay-in-days":0,"URL":"https:\/\/creativecommons.org\/licenses\/by\/4.0"},{"start":{"date-parts":[[2023,11,2]],"date-time":"2023-11-02T00:00:00Z","timestamp":1698883200000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/creativecommons.org\/licenses\/by\/4.0"}],"content-domain":{"domain":["link.springer.com"],"crossmark-restriction":false},"short-container-title":["Cybersecurity"],"abstract":"<jats:title>Abstract<\/jats:title><jats:p>Vulnerability reports are essential for improving software security since they record key information on vulnerabilities. In a report, CWE denotes the weakness of the vulnerability and thus helps quickly understand the cause of the vulnerability. Therefore, CWE assignment is useful for categorizing newly discovered vulnerabilities. In this paper, we propose an automatic CWE assignment method with graph neural networks. First, we prepare a dataset that contains 3394 real world vulnerabilities from Linux, OpenSSL, Wireshark and many other software programs. Then, we extract statements with vulnerability syntax features from these vulnerabilities and use program slicing to slice them according to the categories of syntax features. On top of slices, we represent these slices with graphs that characterize the data dependency and control dependency between statements. Finally, we employ the graph neural networks to learn the hidden information from these graphs and leverage the Siamese network to compute the similarity between vulnerability functions, thereby assigning CWE IDs for these vulnerabilities. The experimental results show that the proposed method is effective compared to existing methods.<\/jats:p>","DOI":"10.1186\/s42400-023-00160-1","type":"journal-article","created":{"date-parts":[[2023,11,2]],"date-time":"2023-11-02T01:12:29Z","timestamp":1698887549000},"update-policy":"https:\/\/doi.org\/10.1007\/springer_crossmark_policy","source":"Crossref","is-referenced-by-count":4,"title":["Graph neural network based approach to automatically assigning common weakness enumeration identifiers for vulnerabilities"],"prefix":"10.1186","volume":"6","author":[{"given":"Peng","family":"Liu","sequence":"first","affiliation":[]},{"ORCID":"https:\/\/orcid.org\/0009-0007-2587-6876","authenticated-orcid":false,"given":"Wenzhe","family":"Ye","sequence":"additional","affiliation":[]},{"given":"Haiying","family":"Duan","sequence":"additional","affiliation":[]},{"given":"Xianxian","family":"Li","sequence":"additional","affiliation":[]},{"given":"Shuyi","family":"Zhang","sequence":"additional","affiliation":[]},{"given":"Chuanjian","family":"Yao","sequence":"additional","affiliation":[]},{"given":"Yongnan","family":"Li","sequence":"additional","affiliation":[]}],"member":"297","published-online":{"date-parts":[[2023,11,2]]},"reference":[{"key":"160_CR1","doi-asserted-by":"crossref","unstructured":"Aivatoglou G, Anastasiadis M, Spanos G, Voulgaridis A, Votis K, Tzovaras D (2021) A tree-based machine learning methodology to automatically classify software vulnerabilities. In: 2021 IEEE International Conference on Cyber Security and Resilience (CSR), pp 312\u2013317","DOI":"10.1109\/CSR51186.2021.9527965"},{"key":"160_CR3","unstructured":"Common Vulnerabilities and Exposures (2023) https:\/\/cve.mitre.org\/. Accessed on 15 Jan 2023"},{"key":"160_CR4","unstructured":"Common Weakness Enumeration (2023) https:\/\/cwe.mitre.org\/. Accessed on 15 Jan 2023"},{"key":"160_CR6","doi-asserted-by":"publisher","first-page":"2004","DOI":"10.1109\/TIFS.2020.3047756","volume":"16","author":"L Cui","year":"2020","unstructured":"Cui L, Hao Z, Jiao Y, Fei H, Yun X (2020) Vuldetector: detecting vulnerabilities using weighted feature graph comparison. IEEE Trans Inf Forensics Secur 16:2004\u20132017","journal-title":"IEEE Trans Inf Forensics Secur"},{"key":"160_CR7","unstructured":"CVE-2016-2842 (2023) https:\/\/www.cvedetails.com\/cve\/CVE-2016-2842\/. Accessed on 15 Jan 2023"},{"key":"160_CR8","unstructured":"CVE-2022-32552 (2023) https:\/\/www.cvedetails.com\/cve\/CVE-2022-32552\/. Accessed on 15 Jan 2023"},{"key":"160_CR9","unstructured":"CVE-2022-33936 (2023) https:\/\/www.cvedetails.com\/cve\/CVE-2022-33936\/. Accessed on 15 Jan 2023"},{"key":"160_CR10","unstructured":"CVEDetails (2023) https:\/\/www.cvedetails.com\/. Accessed on 15 Jan 2023"},{"key":"160_CR11","doi-asserted-by":"crossref","unstructured":"Dam HK, Pham T, Ng SW, Tran T, Grundy J, Ghose A, Kim CJ (2018) A deep tree-based model for software defect prediction. arXiv preprint arXiv:1802.00921","DOI":"10.1109\/MSR.2019.00017"},{"key":"160_CR12","doi-asserted-by":"crossref","unstructured":"Das SS, Serra E, Halappanavar M, Pothen A, Al-Shaer E (2021) V2w-bert: a framework for effective hierarchical multiclass classification of software vulnerabilities. In: 2021 IEEE 8th International Conference on Data Science and Advanced Analytics (DSAA), pp 1\u201312","DOI":"10.1109\/DSAA53316.2021.9564227"},{"key":"160_CR13","doi-asserted-by":"crossref","unstructured":"DeLooze LL (2004) Classification of computer attacks using a self-organizing map. In: Proceedings from the Fifth Annual IEEE SMC Information Assurance Workshop, pp 365\u2013369","DOI":"10.1109\/IAW.2004.1437840"},{"key":"160_CR14","doi-asserted-by":"publisher","first-page":"193","DOI":"10.1007\/BF00344251","volume":"36","author":"K Fukushima","year":"1980","unstructured":"Fukushima K (1980) A self-organizing neural network model for a mechanism of pattern recognition unaffected by shift in position. Biol Cybern 36:193\u2013202","journal-title":"Biol Cybern"},{"key":"160_CR15","unstructured":"Joern tool (2023) https:\/\/joern.io\/. Accessed on 15 Jan 2023"},{"key":"160_CR16","unstructured":"Kipf TN, Welling M (2016) Semi-supervised classification with graph convolutional networks. arXiv preprint arXiv:1609.02907"},{"key":"160_CR17","doi-asserted-by":"crossref","unstructured":"Lattner C, Adve V (2004) LLVM: a compilation framework for lifelong program analysis & transformation. In: International symposium on code generation and optimization, 2004. CGO, pp 75\u201386","DOI":"10.1109\/CGO.2004.1281665"},{"key":"160_CR18","unstructured":"Le Q, Mikolov T (2014) Distributed representations of sentences and documents. In: International conference on machine learning, pp 1188\u20131196"},{"issue":"4","key":"160_CR19","doi-asserted-by":"publisher","first-page":"2244","DOI":"10.1109\/TDSC.2021.3051525","volume":"19","author":"Z Li","year":"2021","unstructured":"Li Z, Zou D, Xu S, Jin H, Zhu Y, Chen Z (2021a) Sysevr: a framework for using deep learning to detect software vulnerabilities. IEEE Trans Dependable Secure Comput 19(4):2244\u20132258","journal-title":"IEEE Trans Dependable Secure Comput"},{"key":"160_CR20","doi-asserted-by":"crossref","unstructured":"Li Y, Wang S, Nguyen TN (2021b) Vulnerability detection with fine-grained interpretations. In: Proceedings of the 29th ACM Joint Meeting on European Software Engineering Conference and Symposium on the Foundations of Software Engineering, pp 292\u2013303","DOI":"10.1145\/3468264.3468597"},{"key":"160_CR21","unstructured":"Mikolov T, Chen K, Corrado G, Dean J (2013) Efficient estimation of word representations in vector space. arXiv preprint arXiv:1301.3781"},{"key":"160_CR22","doi-asserted-by":"crossref","unstructured":"Na S, Kim T, Kim H (2017) A study on the classification of common vulnerabilities and exposures using na\u00efve bayes. In: Advances on Broad-Band Wireless Computing, Communication and Applications: Proceedings of the 11th International Conference On Broad-Band Wireless Computing, Communication and Applications (BWCCA\u20132016) November 5\u20137, 2016, Korea, Springer International Publishing, pp 657\u2013662","DOI":"10.1007\/978-3-319-49106-6_65"},{"key":"160_CR23","doi-asserted-by":"crossref","unstructured":"Neculoiu P, Versteegh M, Rotaru M (2016) Learning text similarity with siamese recurrent networks. In: Proceedings of the 1st Workshop on Representation Learning for NLP, pp 148\u2013157","DOI":"10.18653\/v1\/W16-1617"},{"key":"160_CR24","doi-asserted-by":"crossref","unstructured":"Neuhaus S, Zimmermann T (2010) Security trend analysis with cve topic models. In: 2010 IEEE 21st International Symposium on Software Reliability Engineering, pp 111\u2013120","DOI":"10.1109\/ISSRE.2010.53"},{"key":"160_CR25","volume-title":"Adaptive bug classification for cve list using bayesian probabilistic approach","author":"MM Rahman","year":"2013","unstructured":"Rahman MM, Yeasmin S (2013) Adaptive bug classification for cve list using bayesian probabilistic approach. USask, Saskatoon"},{"key":"160_CR26","unstructured":"Russell SJ (2010) Artificial intelligence a modern approach. Pearson Education, Inc"},{"key":"160_CR27","unstructured":"Shi X, Chen Z, Wang H, Yeung DY, Wong WK, Woo WC (2015) Convolutional LSTM network: A machine learning approach for precipitation nowcasting. Adv Neural Inf Process Syst 28"},{"key":"160_CR28","doi-asserted-by":"publisher","DOI":"10.1016\/j.cose.2021.102417","volume":"110","author":"H Sun","year":"2021","unstructured":"Sun H, Cui L, Li L, Ding Z, Hao Z, Cui J, Liu P (2021) VDSimilar: vulnerability detection based on code similarity of vulnerabilities and patches. Comput Secur 110:102417","journal-title":"Comput Secur"},{"key":"160_CR29","unstructured":"The code static analysis tool Checkmarx (2023) https:\/\/checkmarx.com\/. Accessed on 15 Jan 2023"},{"key":"160_CR30","unstructured":"Vulncode-db (2023) https:\/\/www.vulncode-db.com\/. Accessed on 15 Jan 2023"},{"issue":"5","key":"160_CR31","doi-asserted-by":"publisher","first-page":"7103","DOI":"10.1007\/s11042-022-12049-1","volume":"81","author":"Q Wang","year":"2022","unstructured":"Wang Q, Li Y, Wang Y, Ren J (2022) An automatic algorithm for software vulnerability classification based on CNN and GRU. Multim Tools Appl 81(5):7103\u20137124","journal-title":"Multim Tools Appl"},{"key":"160_CR32","doi-asserted-by":"crossref","unstructured":"Wita R, Teng-Amnuay Y (2005) Vulnerability profile for linux. In: 19th International Conference on Advanced Information Networking and Applications (AINA'05) Volume 1 (AINA papers) Vol 1, pp 953\u2013958","DOI":"10.1109\/AINA.2005.343"},{"key":"160_CR33","unstructured":"Xiao Y, Chen B, Yu C, Xu Z, Yuan Z, Li F, Shi W (2020) MVP: detecting vulnerabilities using patch-enhanced vulnerability signatures. In: USENIX Security Symposium, pp 1165\u20131182"},{"key":"160_CR34","unstructured":"Zhou Y, Liu S, Siow J, Du X, Liu Y (2019) Devign: effective vulnerability identification by learning comprehensive program semantics via graph neural networks. Adv Neural Inf Process Syst 32"}],"container-title":["Cybersecurity"],"original-title":[],"language":"en","link":[{"URL":"https:\/\/link.springer.com\/content\/pdf\/10.1186\/s42400-023-00160-1.pdf","content-type":"application\/pdf","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/link.springer.com\/article\/10.1186\/s42400-023-00160-1\/fulltext.html","content-type":"text\/html","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/link.springer.com\/content\/pdf\/10.1186\/s42400-023-00160-1.pdf","content-type":"application\/pdf","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2023,11,2]],"date-time":"2023-11-02T01:12:52Z","timestamp":1698887572000},"score":1,"resource":{"primary":{"URL":"https:\/\/cybersecurity.springeropen.com\/articles\/10.1186\/s42400-023-00160-1"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2023,11,2]]},"references-count":32,"journal-issue":{"issue":"1","published-online":{"date-parts":[[2023,12]]}},"alternative-id":["160"],"URL":"https:\/\/doi.org\/10.1186\/s42400-023-00160-1","relation":{},"ISSN":["2523-3246"],"issn-type":[{"value":"2523-3246","type":"electronic"}],"subject":[],"published":{"date-parts":[[2023,11,2]]},"assertion":[{"value":"31 January 2023","order":1,"name":"received","label":"Received","group":{"name":"ArticleHistory","label":"Article History"}},{"value":"20 April 2023","order":2,"name":"accepted","label":"Accepted","group":{"name":"ArticleHistory","label":"Article History"}},{"value":"2 November 2023","order":3,"name":"first_online","label":"First Online","group":{"name":"ArticleHistory","label":"Article History"}},{"order":1,"name":"Ethics","group":{"name":"EthicsHeading","label":"Declarations"}},{"value":"The authors declare no competing interests.","order":2,"name":"Ethics","group":{"name":"EthicsHeading","label":"Competing interests"}}],"article-number":"29"}}