Towards AI-Based Identification of Publicly Known Vulnerabilities

Andrés Vargas-Rivera; Herson Esquivel-Vargas

doi:10.1007/978-3-031-82362-6_11

Towards AI-Based Identification of Publicly Known Vulnerabilities

Andrés Vargas-Rivera
, Herson Esquivel-Vargas

Costa Rica Institute of Technology

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution › peer-review

Abstract

The increasing volume of publicly disclosed vulnerabilities presents a significant challenge for organizations striving to secure their information systems and data. Traditional vulnerability scanners, reliant on manually coded vulnerability tests, struggle to keep pace with the growing number of vulnerabilities, resulting in delays and inefficiencies. In this work, we propose a novel architecture that leverages Artificial Intelligence (AI) to create modular and scalable vulnerability scanners. Our architecture decouples vulnerability tests from the vulnerability database (VDB), enabling the use of well-known fingerprinting tools and an AI-driven VDB that is regularly updated from Common Vulnerabilities and Exposures records. We evaluate the feasibility and effectiveness of our approach through a series of experiments. Using both heuristic and GPT-based methods, we assess the performance of our approach to automatically create the VDB and to identify known vulnerabilities in arbitrary software using it. The GPT-based methods demonstrate superior accuracy, achieving a perfect precision, recall, and F1 score creating the VDB, albeit with increased execution time compared to heuristic methods. On the vulnerability identification task, the GPT-based approach also shows significant improvement in accuracy over heuristic methods. Our findings indicate that AI models, particularly large language models, can significantly enhance vulnerability scanners to keep up with the latest vulnerabilities. Despite the higher computational costs, the improved accuracy and reduced false positives and false negatives make AI-driven approaches a promising direction for future research and development in cybersecurity.

Original language	English
Title of host publication	Computer Security. ESORICS 2024 International Workshops - SECAI, DisA, CPS4CIP, and SecAssure, Bydgoszcz, 2024, Revised Selected Papers
Editors	Joaquin Garcia-Alfaro, Harsha Kalutarage, Naoto Yanai, Rafał Kozik, Marek Pawlicki, Michał Choraś, Paweł Ksieniewicz, Michał Woźniak, Habtamu Abie, Sandeep Pirbhulal, Silvio Ranise, Luca Verderame, Enrico Cambiaso, Rita Ugarelli, Isabel Praça, Basel Katt, Ankur Shukla
Publisher	Springer Science and Business Media Deutschland GmbH
Pages	171-192
Number of pages	22
ISBN (Print)	9783031823619
DOIs	https://doi.org/10.1007/978-3-031-82362-6_11
State	Published - 2025
Event	International Workshops which were held in conjunction with 29th European Symposium on Research in Computer Security, ESORICS 2024 - Bydgoszcz, Poland Duration: 16 Sep 2024 → 20 Sep 2024

Publication series

Name	Lecture Notes in Computer Science
Volume	15264 LNCS
ISSN (Print)	0302-9743
ISSN (Electronic)	1611-3349

Conference

Conference	International Workshops which were held in conjunction with 29th European Symposium on Research in Computer Security, ESORICS 2024
Country/Territory	Poland
City	Bydgoszcz
Period	16/09/24 → 20/09/24

Keywords

CVE records
LLM
Vulnerability identification

Access to Document

10.1007/978-3-031-82362-6_11

Cite this

Vargas-Rivera, A., & Esquivel-Vargas, H. (2025). Towards AI-Based Identification of Publicly Known Vulnerabilities. In J. Garcia-Alfaro, H. Kalutarage, N. Yanai, R. Kozik, M. Pawlicki, M. Choraś, P. Ksieniewicz, M. Woźniak, H. Abie, S. Pirbhulal, S. Ranise, L. Verderame, E. Cambiaso, R. Ugarelli, I. Praça, B. Katt, & A. Shukla (Eds.), Computer Security. ESORICS 2024 International Workshops - SECAI, DisA, CPS4CIP, and SecAssure, Bydgoszcz, 2024, Revised Selected Papers (pp. 171-192). (Lecture Notes in Computer Science; Vol. 15264 LNCS). Springer Science and Business Media Deutschland GmbH. https://doi.org/10.1007/978-3-031-82362-6_11

Vargas-Rivera, Andrés ; Esquivel-Vargas, Herson. / Towards AI-Based Identification of Publicly Known Vulnerabilities. Computer Security. ESORICS 2024 International Workshops - SECAI, DisA, CPS4CIP, and SecAssure, Bydgoszcz, 2024, Revised Selected Papers. editor / Joaquin Garcia-Alfaro ; Harsha Kalutarage ; Naoto Yanai ; Rafał Kozik ; Marek Pawlicki ; Michał Choraś ; Paweł Ksieniewicz ; Michał Woźniak ; Habtamu Abie ; Sandeep Pirbhulal ; Silvio Ranise ; Luca Verderame ; Enrico Cambiaso ; Rita Ugarelli ; Isabel Praça ; Basel Katt ; Ankur Shukla. Springer Science and Business Media Deutschland GmbH, 2025. pp. 171-192 (Lecture Notes in Computer Science).

@inproceedings{c140beeb50b744e08c04c9411ed511b1,

title = "Towards AI-Based Identification of Publicly Known Vulnerabilities",

abstract = "The increasing volume of publicly disclosed vulnerabilities presents a significant challenge for organizations striving to secure their information systems and data. Traditional vulnerability scanners, reliant on manually coded vulnerability tests, struggle to keep pace with the growing number of vulnerabilities, resulting in delays and inefficiencies. In this work, we propose a novel architecture that leverages Artificial Intelligence (AI) to create modular and scalable vulnerability scanners. Our architecture decouples vulnerability tests from the vulnerability database (VDB), enabling the use of well-known fingerprinting tools and an AI-driven VDB that is regularly updated from Common Vulnerabilities and Exposures records. We evaluate the feasibility and effectiveness of our approach through a series of experiments. Using both heuristic and GPT-based methods, we assess the performance of our approach to automatically create the VDB and to identify known vulnerabilities in arbitrary software using it. The GPT-based methods demonstrate superior accuracy, achieving a perfect precision, recall, and F1 score creating the VDB, albeit with increased execution time compared to heuristic methods. On the vulnerability identification task, the GPT-based approach also shows significant improvement in accuracy over heuristic methods. Our findings indicate that AI models, particularly large language models, can significantly enhance vulnerability scanners to keep up with the latest vulnerabilities. Despite the higher computational costs, the improved accuracy and reduced false positives and false negatives make AI-driven approaches a promising direction for future research and development in cybersecurity.",

keywords = "CVE records, LLM, Vulnerability identification",

author = "Andr{\'e}s Vargas-Rivera and Herson Esquivel-Vargas",

note = "Publisher Copyright: {\textcopyright} The Author(s), under exclusive license to Springer Nature Switzerland AG 2025.; International Workshops which were held in conjunction with 29th European Symposium on Research in Computer Security, ESORICS 2024 ; Conference date: 16-09-2024 Through 20-09-2024",

year = "2025",

doi = "10.1007/978-3-031-82362-6\_11",

language = "Ingl{\'e}s",

isbn = "9783031823619",

series = "Lecture Notes in Computer Science",

publisher = "Springer Science and Business Media Deutschland GmbH",

pages = "171--192",

editor = "Joaquin Garcia-Alfaro and Harsha Kalutarage and Naoto Yanai and Rafa{\l} Kozik and Marek Pawlicki and Micha{\l} Chora{\'s} and Pawe{\l} Ksieniewicz and Micha{\l} Wo{\'z}niak and Habtamu Abie and Sandeep Pirbhulal and Silvio Ranise and Luca Verderame and Enrico Cambiaso and Rita Ugarelli and Isabel Pra{\c c}a and Basel Katt and Ankur Shukla",

booktitle = "Computer Security. ESORICS 2024 International Workshops - SECAI, DisA, CPS4CIP, and SecAssure, Bydgoszcz, 2024, Revised Selected Papers",

}

Vargas-Rivera, A & Esquivel-Vargas, H 2025, Towards AI-Based Identification of Publicly Known Vulnerabilities. in J Garcia-Alfaro, H Kalutarage, N Yanai, R Kozik, M Pawlicki, M Choraś, P Ksieniewicz, M Woźniak, H Abie, S Pirbhulal, S Ranise, L Verderame, E Cambiaso, R Ugarelli, I Praça, B Katt & A Shukla (eds), Computer Security. ESORICS 2024 International Workshops - SECAI, DisA, CPS4CIP, and SecAssure, Bydgoszcz, 2024, Revised Selected Papers. Lecture Notes in Computer Science, vol. 15264 LNCS, Springer Science and Business Media Deutschland GmbH, pp. 171-192, International Workshops which were held in conjunction with 29th European Symposium on Research in Computer Security, ESORICS 2024, Bydgoszcz, Poland, 16/09/24. https://doi.org/10.1007/978-3-031-82362-6_11

Towards AI-Based Identification of Publicly Known Vulnerabilities. / Vargas-Rivera, Andrés; Esquivel-Vargas, Herson.
Computer Security. ESORICS 2024 International Workshops - SECAI, DisA, CPS4CIP, and SecAssure, Bydgoszcz, 2024, Revised Selected Papers. ed. / Joaquin Garcia-Alfaro; Harsha Kalutarage; Naoto Yanai; Rafał Kozik; Marek Pawlicki; Michał Choraś; Paweł Ksieniewicz; Michał Woźniak; Habtamu Abie; Sandeep Pirbhulal; Silvio Ranise; Luca Verderame; Enrico Cambiaso; Rita Ugarelli; Isabel Praça; Basel Katt; Ankur Shukla. Springer Science and Business Media Deutschland GmbH, 2025. p. 171-192 (Lecture Notes in Computer Science; Vol. 15264 LNCS).

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution › peer-review

TY - GEN

T1 - Towards AI-Based Identification of Publicly Known Vulnerabilities

AU - Vargas-Rivera, Andrés

AU - Esquivel-Vargas, Herson

N1 - Publisher Copyright: © The Author(s), under exclusive license to Springer Nature Switzerland AG 2025.

PY - 2025

Y1 - 2025

N2 - The increasing volume of publicly disclosed vulnerabilities presents a significant challenge for organizations striving to secure their information systems and data. Traditional vulnerability scanners, reliant on manually coded vulnerability tests, struggle to keep pace with the growing number of vulnerabilities, resulting in delays and inefficiencies. In this work, we propose a novel architecture that leverages Artificial Intelligence (AI) to create modular and scalable vulnerability scanners. Our architecture decouples vulnerability tests from the vulnerability database (VDB), enabling the use of well-known fingerprinting tools and an AI-driven VDB that is regularly updated from Common Vulnerabilities and Exposures records. We evaluate the feasibility and effectiveness of our approach through a series of experiments. Using both heuristic and GPT-based methods, we assess the performance of our approach to automatically create the VDB and to identify known vulnerabilities in arbitrary software using it. The GPT-based methods demonstrate superior accuracy, achieving a perfect precision, recall, and F1 score creating the VDB, albeit with increased execution time compared to heuristic methods. On the vulnerability identification task, the GPT-based approach also shows significant improvement in accuracy over heuristic methods. Our findings indicate that AI models, particularly large language models, can significantly enhance vulnerability scanners to keep up with the latest vulnerabilities. Despite the higher computational costs, the improved accuracy and reduced false positives and false negatives make AI-driven approaches a promising direction for future research and development in cybersecurity.

AB - The increasing volume of publicly disclosed vulnerabilities presents a significant challenge for organizations striving to secure their information systems and data. Traditional vulnerability scanners, reliant on manually coded vulnerability tests, struggle to keep pace with the growing number of vulnerabilities, resulting in delays and inefficiencies. In this work, we propose a novel architecture that leverages Artificial Intelligence (AI) to create modular and scalable vulnerability scanners. Our architecture decouples vulnerability tests from the vulnerability database (VDB), enabling the use of well-known fingerprinting tools and an AI-driven VDB that is regularly updated from Common Vulnerabilities and Exposures records. We evaluate the feasibility and effectiveness of our approach through a series of experiments. Using both heuristic and GPT-based methods, we assess the performance of our approach to automatically create the VDB and to identify known vulnerabilities in arbitrary software using it. The GPT-based methods demonstrate superior accuracy, achieving a perfect precision, recall, and F1 score creating the VDB, albeit with increased execution time compared to heuristic methods. On the vulnerability identification task, the GPT-based approach also shows significant improvement in accuracy over heuristic methods. Our findings indicate that AI models, particularly large language models, can significantly enhance vulnerability scanners to keep up with the latest vulnerabilities. Despite the higher computational costs, the improved accuracy and reduced false positives and false negatives make AI-driven approaches a promising direction for future research and development in cybersecurity.

KW - CVE records

KW - LLM

KW - Vulnerability identification

UR - https://www.scopus.com/pages/publications/105002717449

U2 - 10.1007/978-3-031-82362-6_11

DO - 10.1007/978-3-031-82362-6_11

M3 - Contribución a la conferencia

AN - SCOPUS:105002717449

SN - 9783031823619

T3 - Lecture Notes in Computer Science

SP - 171

EP - 192

BT - Computer Security. ESORICS 2024 International Workshops - SECAI, DisA, CPS4CIP, and SecAssure, Bydgoszcz, 2024, Revised Selected Papers

A2 - Garcia-Alfaro, Joaquin

A2 - Kalutarage, Harsha

A2 - Yanai, Naoto

A2 - Kozik, Rafał

A2 - Pawlicki, Marek

A2 - Choraś, Michał

A2 - Ksieniewicz, Paweł

A2 - Woźniak, Michał

A2 - Abie, Habtamu

A2 - Pirbhulal, Sandeep

A2 - Ranise, Silvio

A2 - Verderame, Luca

A2 - Cambiaso, Enrico

A2 - Ugarelli, Rita

A2 - Praça, Isabel

A2 - Katt, Basel

A2 - Shukla, Ankur

PB - Springer Science and Business Media Deutschland GmbH

T2 - International Workshops which were held in conjunction with 29th European Symposium on Research in Computer Security, ESORICS 2024

Y2 - 16 September 2024 through 20 September 2024

ER -

Vargas-Rivera A, Esquivel-Vargas H. Towards AI-Based Identification of Publicly Known Vulnerabilities. In Garcia-Alfaro J, Kalutarage H, Yanai N, Kozik R, Pawlicki M, Choraś M, Ksieniewicz P, Woźniak M, Abie H, Pirbhulal S, Ranise S, Verderame L, Cambiaso E, Ugarelli R, Praça I, Katt B, Shukla A, editors, Computer Security. ESORICS 2024 International Workshops - SECAI, DisA, CPS4CIP, and SecAssure, Bydgoszcz, 2024, Revised Selected Papers. Springer Science and Business Media Deutschland GmbH. 2025. p. 171-192. (Lecture Notes in Computer Science). doi: 10.1007/978-3-031-82362-6_11