Multi-Class vs. Multi-Label BERT for CVE-to-CWE Mapping: How Taxonomy Structure Shapes the Errors

· Source: Machine Learning · Field: Technology & Digital — Artificial Intelligence & Machine Learning, Cybersecurity & Data Privacy · Depth: Expert, quick

Summary

A study investigates the automated assignment of Common Weakness Enumeration (CWE) categories to Common Vulnerabilities and Exposures (CVE) records, comparing multi-class and multi-label text classification approaches. Researchers evaluated BERT Base, SecureBERT, and CySecBERT transformer encoders across three nested CWE label spaces (83, 47, and 25 classes). Multi-class training consistently achieved higher macro-F1 scores, though the performance gap with multi-label models decreased from 21 to 2 percentage points as the label space was reduced. Post-hoc threshold optimization further closed this gap for multi-label models in the 25-class setting. Analysis revealed that misclassification patterns strongly align with the CWE hierarchy, suggesting taxonomy design is a primary driver of error structure, rather than the specific encoder used (Pearson r > 0.92). A hierarchy-relaxed evaluation, which tolerates within-family confusions, boosted macro-F1 from approximately 81% to 90%, indicating better branch-level quality than strict metrics suggest. CySecBERT demonstrated the strongest overall performance, particularly in the multi-label configuration.

Key takeaway

For vulnerability analysts or ML engineers developing automated CVE-to-CWE mapping systems, you should prioritize understanding the CWE taxonomy's impact on model errors. While multi-class BERT models show initial macro-F1 advantages, consider multi-label approaches with post-hoc threshold optimization, especially for smaller label spaces, as CySecBERT demonstrated strong gains here. Evaluate your models using hierarchy-relaxed metrics to accurately assess branch-level classification quality, preventing strict metrics from understating performance.

Key insights

CWE taxonomy structure significantly influences CVE-to-CWE mapping errors more than the choice of BERT encoder.

Principles

Method

Compares multi-class vs. multi-label BERT (Base, SecureBERT, CySecBERT) on CVE-to-CWE mapping across 3 nested CWE label spaces, using macro-F1 and confusion analysis.

In practice

Topics

Best for: NLP Engineer, Research Scientist, AI Scientist, Machine Learning Engineer, AI Security Engineer

Related on AIssential

Open in AIssential →

Editorial summary, takeaway, and curation by AIssential. Original article published by Machine Learning.