The proliferation of software vulnerabilities poses a significant challenge for security databases and the analysts tasked with their timely identification, classification, and remediation. With the National Vulnerability Database (NVD) reporting an ever-increasing number of vulnerabilities, traditional manual analysis becomes untenably time-consuming and error-prone. This paper introduces VulnScopper, an approach that uses multi-modal representation learning, combining Knowledge Graphs (KG) and Natural Language Processing (NLP), to automate and enhance the analysis of software vulnerabilities. By leveraging ULTRA, a knowledge graph foundation model, together with a Large Language Model (LLM), VulnScopper handles unseen entities effectively, overcoming a limitation of previous KG approaches. We evaluate VulnScopper on two major security datasets, the NVD and the Red Hat CVE database. Our method significantly improves link prediction accuracy between Common Vulnerabilities and Exposures (CVEs), Common Weakness Enumeration (CWE) entries, and Common Platform Enumeration (CPE) entries. Our results show that VulnScopper outperforms existing methods, achieving up to 78% Hits@10 accuracy in linking CVEs to CPEs and CWEs, and an 11.7% improvement over large language models in predicting CWE labels on the Red Hat database. In the NVD, only 6.37% of the CPEs linked to a CVE are published within the first 30 days; many of these concern critical and high-risk vulnerabilities which, according to multiple compliance frameworks (such as CISA and PCI), should be remediated within 15-30 days. Our model can uncover new products linked to vulnerabilities, reducing remediation time and improving vulnerability management. We analyze several CVEs from 2023 to showcase this ability.
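To make the Hits@10 figure concrete, the following is an added illustration, not code from the paper, of the filtered link-prediction evaluation on a constructed toy CVE/CWE/CPE graph: the scorer is a naive two-hop path-count baseline standing in for the ULTRA/LLM model, and every identifier is a placeholder.

```python
from collections import defaultdict

# Constructed toy graph of (head, relation, tail) triples; all identifiers are
# placeholders, not real NVD records.
TRAIN = [
    ("CVE-A", "has_weakness", "CWE-79"), ("CVE-A", "affects", "cpe:/a:v1:app1"),
    ("CVE-A", "affects", "cpe:/a:v1:app2"), ("CVE-B", "has_weakness", "CWE-79"),
    ("CVE-B", "affects", "cpe:/a:v1:app2"), ("CVE-C", "has_weakness", "CWE-89"),
    ("CVE-C", "affects", "cpe:/a:v2:db1"), ("CVE-D", "has_weakness", "CWE-79"),
]
# Held-out links the model should recover; CVE-D has no CPE link in TRAIN.
TEST = [("CVE-D", "affects", "cpe:/a:v1:app2"), ("CVE-D", "affects", "cpe:/a:v2:db1")]

def index(triples):
    """Forward and inverse adjacency keyed by (entity, relation)."""
    fwd, inv = defaultdict(set), defaultdict(set)
    for h, r, t in triples:
        fwd[(h, r)].add(t)
        inv[(t, r)].add(h)
    return fwd, inv

def score_cpes(cve, fwd, inv, candidates):
    """Baseline score: number of CVE -has_weakness-> CWE <-has_weakness- CVE' -affects-> CPE paths."""
    scores = dict.fromkeys(candidates, 0)
    for cwe in fwd[(cve, "has_weakness")]:
        for other in inv[(cwe, "has_weakness")] - {cve}:
            for cpe in fwd[(other, "affects")]:
                scores[cpe] += 1
    return scores

def filtered_rank(scores, true_tail, known_tails):
    """Rank of true_tail, ignoring other tails already known to be correct; ties resolved optimistically."""
    better = [t for t, s in scores.items() if s > scores[true_tail] and t not in known_tails]
    return 1 + len(better)

def evaluate(train, test):
    """Filtered Hits@1, Hits@10 and MRR for CVE -> CPE link prediction over the test triples."""
    fwd, inv = index(train)
    known = index(train + test)[0]  # filter set covers train and test truths
    candidates = {t for _, r, t in train + test if r == "affects"}
    ranks = []
    for cve, rel, cpe in test:
        scores = score_cpes(cve, fwd, inv, candidates)
        ranks.append(filtered_rank(scores, cpe, known[(cve, rel)] - {cpe}))
    n = len(ranks)
    return {"hits@1": sum(r <= 1 for r in ranks) / n,
            "hits@10": sum(r <= 10 for r in ranks) / n,
            "mrr": sum(1 / r for r in ranks) / n}
```

On this toy graph the shared-CWE baseline ranks app2 first and db1 second for CVE-D, giving Hits@10 of 1.0 but Hits@1 of only 0.5, which is why the paper reports Hits@10 rather than exact-match accuracy.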