Announcing the Final Examination of Hattan Althebeiti for the degree of Doctor of Philosophy
Software plays an integral role in powering numerous everyday computing gadgets. As our reliance on software continues to grow, so does the prevalence of software vulnerabilities, with significant implications for organizations and users. As such, documenting vulnerabilities and tracking their development becomes crucial. Vulnerability databases have addressed
this issue by storing a record with various attributes for each discovered vulnerability. However, their contents suffer several drawbacks, which we address in our work. In this dissertation, we investigate the weaknesses associated with vulnerability descriptions presented in public repositories and alleviate such weaknesses through Natural Language Processing (NLP)
approaches. The first contribution examines vulnerability descriptions in those databases and approaches to improve them. We propose a new automated method leveraging external sources to enrich the scope and context of a vulnerability description. Moreover, we exploit fine-tuned pretrained large language models (LLMs) for normalizing the resulting description. The second contribution investigates the need for uniform and normalized structure in vulnerability descriptions. We address this need by breaking the description of a vulnerability into multiple constituents and developing a multi-task model to create a new uniform and normalized summary that maintains the necessary attributes of the vulnerability using the extracted features while ensuring a consistent vulnerability description. Our method proved effective in generating new
summaries with the same structure across a collection of various vulnerability descriptions and types. Our final contribution investigates the feasibility of assigning the Common Weakness Enumeration (CWE) attribute to a vulnerability based on its description. CWE offers a comprehensive framework that categorizes similar exposures into classes, representing the types
of exploitation associated with such vulnerabilities. Our approach utilizing pre-trained language models is shown to outperform the standard LLMs for this task. Overall, this dissertation provides various technical approaches exploiting advances in NLP to improve publicly available vulnerability databases.
Committee in Charge:
David Mohaisen, Chair, Computer Science
Murat Yuksel, University of Central Florida, Electrical and Computer Engineering
Cliff Zou, University of Central Florida, Computer Science
Fan Yao, University of Central Florida, Electrical and Computer Engineering
Yao Li, University of Central Florida, Institute for Simulation and Training