Beyond CWEs: Mapping Weaknesses in Unstructured Threat Intelligence Text

Stefano Simonetto; Ronan Oostveen; Thijs Van Ede; Peter Bosch; Willem Jonker

doi:10.1007/978-981-95-4434-9_23

Beyond CWEs: Mapping Weaknesses in Unstructured Threat Intelligence Text

Stefano Simonetto^*
, Ronan Oostveen
, Thijs Van Ede
, Peter Bosch
, Willem Jonker

^*Corresponding author for this work

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution › Academic › peer-review

9 Downloads (Pure)

Abstract

In real-world cyberattacks, adversaries frequently exploit a combination of vulnerabilities, bugs, and misconfigurations to compromise systems. To systematically analyze the root causes behind these issues, the Common Weakness Enumeration (CWE) framework provides a standardized taxonomy of software weaknesses.

While vulnerability databases are central to cataloging known issues, many security-relevant descriptions first appear in informal sources such as blog posts, CTI reports, and social media. Although these sources predominantly offer broader cybersecurity insights, they occasionally yield details that may indicate underlying weaknesses not captured in formal databases.

We propose a two-step approach to extract these security-related descriptions from unstructured threat intelligence and automatically map them to their corresponding CWE categories. First, a binary classifier detects sentences resembling CVE descriptions, identifying information relevant to security teams. Then, we apply a self-supervised learning model to predict the most appropriate CWE, enabling structured analysis even in the absence of formal vulnerability tracking.

As no ground truth exists for this task, we conduct expert-driven validation. Our results show strong performance, with an F1-score of 98.17% for correctly assigning CWE labels, improving by at least 64% points over state-of-the-art reasoning LLMs. This demonstrates the feasibility of automating weakness classification in unstructured cybersecurity text.

Original language	English
Title of host publication	Cryptology and Network Security
Subtitle of host publication	24th International Conference, CANS 2025, Osaka, Japan, November 17–20, 2025, Proceedings
Editors	Yongdae Kim, Atsuko Miyaji, Mehdi Tibouchi
Place of Publication	Singapore
Publisher	Springer
Pages	493-517
Number of pages	25
Edition	1
ISBN (Electronic)	978-981-95-4434-9
ISBN (Print)	978-981-95-4433-2
DOIs	https://doi.org/10.1007/978-981-95-4434-9_23
Publication status	Published - 14 Nov 2025
Event	24th International Conference on Cryptology and Network Security, CANS 2025 - Osaka International Convention Center, Osaka, Japan Duration: 17 Nov 2025 → 20 Nov 2025 Conference number: 24 https://cy2sec.comm.eng.osaka-u.ac.jp/miyaji-lab/event/cans2025/

Publication series

Name	Lecture Notes in Computer Science
Publisher	Springer
Volume	16351
ISSN (Print)	0302-9743
ISSN (Electronic)	1611-3349

Conference

Conference	24th International Conference on Cryptology and Network Security, CANS 2025
Abbreviated title	CANS 2025
Country/Territory	Japan
City	Osaka
Period	17/11/25 → 20/11/25
Internet address	https://cy2sec.comm.eng.osaka-u.ac.jp/miyaji-lab/event/cans2025/

Keywords

CTI
CVE-like extraction
CWE mapping
Security blog posts
Vulnerability analysis

Access to Document

10.1007/978-981-95-4434-9_23

Accepted conference paperAccepted author version, 1.16 MBLicence: CC BY-ND

Cite this

Simonetto, S., Oostveen, R., Van Ede, T., Bosch, P., & Jonker, W. (2025). Beyond CWEs: Mapping Weaknesses in Unstructured Threat Intelligence Text. In Y. Kim, A. Miyaji, & M. Tibouchi (Eds.), Cryptology and Network Security: 24th International Conference, CANS 2025, Osaka, Japan, November 17–20, 2025, Proceedings (1 ed., pp. 493-517). (Lecture Notes in Computer Science; Vol. 16351). Springer. https://doi.org/10.1007/978-981-95-4434-9_23

Simonetto, Stefano ; Oostveen, Ronan ; Van Ede, Thijs et al. / Beyond CWEs: Mapping Weaknesses in Unstructured Threat Intelligence Text. Cryptology and Network Security: 24th International Conference, CANS 2025, Osaka, Japan, November 17–20, 2025, Proceedings. editor / Yongdae Kim ; Atsuko Miyaji ; Mehdi Tibouchi. 1. ed. Singapore : Springer, 2025. pp. 493-517 (Lecture Notes in Computer Science).

@inproceedings{00d5001d7ad54b809180f548cde5487d,

title = "Beyond CWEs: Mapping Weaknesses in Unstructured Threat Intelligence Text",

abstract = "In real-world cyberattacks, adversaries frequently exploit a combination of vulnerabilities, bugs, and misconfigurations to compromise systems. To systematically analyze the root causes behind these issues, the Common Weakness Enumeration (CWE) framework provides a standardized taxonomy of software weaknesses.While vulnerability databases are central to cataloging known issues, many security-relevant descriptions first appear in informal sources such as blog posts, CTI reports, and social media. Although these sources predominantly offer broader cybersecurity insights, they occasionally yield details that may indicate underlying weaknesses not captured in formal databases.We propose a two-step approach to extract these security-related descriptions from unstructured threat intelligence and automatically map them to their corresponding CWE categories. First, a binary classifier detects sentences resembling CVE descriptions, identifying information relevant to security teams. Then, we apply a self-supervised learning model to predict the most appropriate CWE, enabling structured analysis even in the absence of formal vulnerability tracking.As no ground truth exists for this task, we conduct expert-driven validation. Our results show strong performance, with an F1-score of 98.17\% for correctly assigning CWE labels, improving by at least 64\% points over state-of-the-art reasoning LLMs. This demonstrates the feasibility of automating weakness classification in unstructured cybersecurity text.",

keywords = "CTI, CVE-like extraction, CWE mapping, Security blog posts, Vulnerability analysis",

author = "Stefano Simonetto and Ronan Oostveen and \{Van Ede\}, Thijs and Peter Bosch and Willem Jonker",

note = "Publisher Copyright: {\textcopyright} The Author(s), under exclusive license to Springer Nature Singapore Pte Ltd. 2026.; 24th International Conference on Cryptology and Network Security, CANS 2025, CANS 2025 ; Conference date: 17-11-2025 Through 20-11-2025",

year = "2025",

month = nov,

day = "14",

doi = "10.1007/978-981-95-4434-9\_23",

language = "English",

isbn = "978-981-95-4433-2",

series = "Lecture Notes in Computer Science",

publisher = "Springer",

pages = "493--517",

editor = "Yongdae Kim and Atsuko Miyaji and Mehdi Tibouchi",

booktitle = "Cryptology and Network Security",

address = "Germany",

edition = "1",

url = "https://cy2sec.comm.eng.osaka-u.ac.jp/miyaji-lab/event/cans2025/",

}

Simonetto, S, Oostveen, R, Van Ede, T, Bosch, P & Jonker, W 2025, Beyond CWEs: Mapping Weaknesses in Unstructured Threat Intelligence Text. in Y Kim, A Miyaji & M Tibouchi (eds), Cryptology and Network Security: 24th International Conference, CANS 2025, Osaka, Japan, November 17–20, 2025, Proceedings. 1 edn, Lecture Notes in Computer Science, vol. 16351, Springer, Singapore, pp. 493-517, 24th International Conference on Cryptology and Network Security, CANS 2025, Osaka, Japan, 17/11/25. https://doi.org/10.1007/978-981-95-4434-9_23

Beyond CWEs: Mapping Weaknesses in Unstructured Threat Intelligence Text. / Simonetto, Stefano; Oostveen, Ronan; Van Ede, Thijs et al.
Cryptology and Network Security: 24th International Conference, CANS 2025, Osaka, Japan, November 17–20, 2025, Proceedings. ed. / Yongdae Kim; Atsuko Miyaji; Mehdi Tibouchi. 1. ed. Singapore: Springer, 2025. p. 493-517 (Lecture Notes in Computer Science; Vol. 16351).

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution › Academic › peer-review

TY - GEN

T1 - Beyond CWEs: Mapping Weaknesses in Unstructured Threat Intelligence Text

AU - Simonetto, Stefano

AU - Oostveen, Ronan

AU - Van Ede, Thijs

AU - Bosch, Peter

AU - Jonker, Willem

N1 - Conference code: 24

PY - 2025/11/14

Y1 - 2025/11/14

N2 - In real-world cyberattacks, adversaries frequently exploit a combination of vulnerabilities, bugs, and misconfigurations to compromise systems. To systematically analyze the root causes behind these issues, the Common Weakness Enumeration (CWE) framework provides a standardized taxonomy of software weaknesses.While vulnerability databases are central to cataloging known issues, many security-relevant descriptions first appear in informal sources such as blog posts, CTI reports, and social media. Although these sources predominantly offer broader cybersecurity insights, they occasionally yield details that may indicate underlying weaknesses not captured in formal databases.We propose a two-step approach to extract these security-related descriptions from unstructured threat intelligence and automatically map them to their corresponding CWE categories. First, a binary classifier detects sentences resembling CVE descriptions, identifying information relevant to security teams. Then, we apply a self-supervised learning model to predict the most appropriate CWE, enabling structured analysis even in the absence of formal vulnerability tracking.As no ground truth exists for this task, we conduct expert-driven validation. Our results show strong performance, with an F1-score of 98.17% for correctly assigning CWE labels, improving by at least 64% points over state-of-the-art reasoning LLMs. This demonstrates the feasibility of automating weakness classification in unstructured cybersecurity text.

AB - In real-world cyberattacks, adversaries frequently exploit a combination of vulnerabilities, bugs, and misconfigurations to compromise systems. To systematically analyze the root causes behind these issues, the Common Weakness Enumeration (CWE) framework provides a standardized taxonomy of software weaknesses.While vulnerability databases are central to cataloging known issues, many security-relevant descriptions first appear in informal sources such as blog posts, CTI reports, and social media. Although these sources predominantly offer broader cybersecurity insights, they occasionally yield details that may indicate underlying weaknesses not captured in formal databases.We propose a two-step approach to extract these security-related descriptions from unstructured threat intelligence and automatically map them to their corresponding CWE categories. First, a binary classifier detects sentences resembling CVE descriptions, identifying information relevant to security teams. Then, we apply a self-supervised learning model to predict the most appropriate CWE, enabling structured analysis even in the absence of formal vulnerability tracking.As no ground truth exists for this task, we conduct expert-driven validation. Our results show strong performance, with an F1-score of 98.17% for correctly assigning CWE labels, improving by at least 64% points over state-of-the-art reasoning LLMs. This demonstrates the feasibility of automating weakness classification in unstructured cybersecurity text.

KW - CTI

KW - CVE-like extraction

KW - CWE mapping

KW - Security blog posts

KW - Vulnerability analysis

UR - https://www.scopus.com/pages/publications/105023329449

U2 - 10.1007/978-981-95-4434-9_23

DO - 10.1007/978-981-95-4434-9_23

M3 - Conference contribution

AN - SCOPUS:105023329449

SN - 978-981-95-4433-2

T3 - Lecture Notes in Computer Science

SP - 493

EP - 517

BT - Cryptology and Network Security

A2 - Kim, Yongdae

A2 - Miyaji, Atsuko

A2 - Tibouchi, Mehdi

PB - Springer

CY - Singapore

T2 - 24th International Conference on Cryptology and Network Security, CANS 2025

Y2 - 17 November 2025 through 20 November 2025

ER -

Simonetto S, Oostveen R, Van Ede T, Bosch P, Jonker W. Beyond CWEs: Mapping Weaknesses in Unstructured Threat Intelligence Text. In Kim Y, Miyaji A, Tibouchi M, editors, Cryptology and Network Security: 24th International Conference, CANS 2025, Osaka, Japan, November 17–20, 2025, Proceedings. 1 ed. Singapore: Springer. 2025. p. 493-517. (Lecture Notes in Computer Science). Epub 2025 Nov 13. doi: 10.1007/978-981-95-4434-9_23

Beyond CWEs: Mapping Weaknesses in Unstructured Threat Intelligence Text

Abstract

Publication series

Conference

Keywords

Access to Document

Other files and links

Fingerprint

Cite this