CVE-ReRanker / README.md
ManglamX's picture
Fix Hugging Face configuration metadata
aaf821d
|
Raw
History Blame Contribute Delete
11.4 kB
---
title: CVE Severity Re-Ranker API
emoji: πŸ›‘οΈ
colorFrom: blue
colorTo: indigo
sdk: docker
app_port: 7860
pinned: false
---
# CVE Vulnerability Severity Re-Ranking
> Context-aware vulnerability prioritisation using NLP, Deep Learning, and Machine Learning
[![Python](https://img.shields.io/badge/Python-3.10-blue?style=flat-square)](https://python.org)
[![Next.js](https://img.shields.io/badge/Next.js-Frontend-black?style=flat-square)](https://nextjs.org)
[![FastAPI](https://img.shields.io/badge/FastAPI-Backend-teal?style=flat-square)](https://fastapi.tiangolo.com)
[![XGBoost](https://img.shields.io/badge/XGBoost-3.2-orange?style=flat-square)](https://xgboost.readthedocs.io)
[![SecBERT](https://img.shields.io/badge/SecBERT-BERT--base-purple?style=flat-square)](https://huggingface.co/jackaduma/SecBERT)
[![NVD](https://img.shields.io/badge/Dataset-NVD%20200k%2B%20CVEs-green?style=flat-square)](https://nvd.nist.gov)
[![SDG](https://img.shields.io/badge/SDG-9%20%26%2016-teal?style=flat-square)](https://sdgs.un.org/goals)
---
## The Problem
The [National Vulnerability Database (NVD)](https://nvd.nist.gov) publishes thousands of CVEs every month, each with a static CVSS score. Security teams sort by CVSS and start patching from the top β€” but CVSS is environment-blind. A CVSS 9.8 Critical in software you don't use is less urgent than a CVSS 7.5 High in software running on your public-facing server.
This project fixes that.
---
## What This System Does
1. Analyses CVE descriptions from the NVD using NLP + SecBERT embeddings
2. Predicts severity (Low / Medium / High / Critical) using XGBoost
3. Re-ranks CVEs based on your specific software inventory
4. Surfaces the most dangerous vulnerabilities for **your environment** β€” not a generic list
5. Serves results through a FastAPI backend consumed by a Next.js dashboard
---
## Team
| Name | Roll No | Contribution |
|---|---|---|
| Manglam Jaiswal | 10127 | Data collection, NLP preprocessing, EDA |
| Tanaya Bane | 10107 | Re-ranking module, Next.js UI, evaluation |
| Tanmay Sarode | 10154 | SecBERT embeddings, XGBoost training, SHAP |
Third Year | Semester 6 | ML + DL + NLP Mini Project | 2025–26
---
## Results
| Metric | Value |
|---|---|
| Dataset | 200,431 CVEs (NVD 2019–2026) |
| Model | XGBoost on 781-dim fused feature vector |
| Weighted F1 | **0.77** |
| Accuracy | **77%** |
| Medium F1 | 0.82 |
| Critical F1 | 0.73 |
---
## System Architecture
```
NVD API
β”‚
β–Ό
[Layer 1 β€” NLP]
Text cleaning β†’ spaCy NER β†’ keyword feature flags
β”‚
β–Ό
[Layer 2 β€” Deep Learning]
SecBERT β†’ 768-dim CLS embedding per CVE
β”‚
β–Ό
[Layer 3 β€” Feature Fusion]
BERT (768) + NLP features (8) + CVSS metadata (5) = 781-dim vector
β”‚
β–Ό
[Layer 4 β€” Machine Learning]
XGBoost classifier β†’ Low / Medium / High / Critical
β”‚
β–Ό
[Layer 5 β€” Contextual Re-Ranking]
User inventory CSV β†’ fuzzy match β†’ boost score β†’ re-sorted list
β”‚
β–Ό
[FastAPI Backend]
REST API serving predictions and re-ranked results
β”‚
β–Ό
[Next.js Frontend]
Single CVE lookup | Bulk CSV upload | Inventory matcher | Dashboard
```
---
## SDG Mapping
**SDG 9 β€” Industry, Innovation and Infrastructure**
Makes intelligent vulnerability prioritisation accessible to organisations of all sizes.
**SDG 16 β€” Peace, Justice and Strong Institutions**
Strengthens institutional resilience against cyberattacks by enabling faster, targeted vulnerability response.
---
## Repository Structure
```
cve-severity-reranker/
β”‚
β”œβ”€β”€ .github/
β”‚ └── workflows/
β”‚ β”œβ”€β”€ daily_fetch.yml # Fetches new CVEs every day at 6 AM UTC
β”‚ └── weekly_pipeline.yml # Full pipeline every Sunday at 2 AM UTC
β”‚
β”œβ”€β”€ scripts/
β”‚ β”œβ”€β”€ 01_fetch.py # NVD API data collection
β”‚ β”œβ”€β”€ 02_preprocess.py # NLP cleaning + feature engineering
β”‚ β”œβ”€β”€ 03_embeddings.py # SecBERT embedding generation
β”‚ └── 04_train.py # XGBoost training (smart update mode)
β”‚
β”œβ”€β”€ backend/
β”‚ β”œβ”€β”€ main.py # FastAPI app β€” all API routes
β”‚ β”œβ”€β”€ pipeline.py # Prediction + re-ranking logic
β”‚ β”œβ”€β”€ reranker.py # Inventory matching + boost formula
β”‚ └── requirements.txt # Python dependencies for backend
β”‚
β”œβ”€β”€ frontend/
β”‚ β”œβ”€β”€ app/ # Next.js app directory
β”‚ β”‚ β”œβ”€β”€ page.tsx # Home β€” dashboard overview
β”‚ β”‚ β”œβ”€β”€ lookup/page.tsx # Single CVE lookup screen
β”‚ β”‚ β”œβ”€β”€ bulk/page.tsx # Bulk CSV upload screen
β”‚ β”‚ └── inventory/page.tsx # Inventory matcher screen
β”‚ β”œβ”€β”€ components/ # Reusable React components
β”‚ β”œβ”€β”€ public/ # Static assets
β”‚ β”œβ”€β”€ package.json
β”‚ └── next.config.js
β”‚
β”œβ”€β”€ data/
β”‚ β”œβ”€β”€ cves_raw.csv # Raw NVD data (Git LFS)
β”‚ β”œβ”€β”€ cves_processed.csv # Cleaned + feature engineered (Git LFS)
β”‚ β”œβ”€β”€ bert_embeddings.npy # 200k Γ— 768 embedding matrix (Git LFS)
β”‚ └── last_updated.json # Tracks last data collection date
β”‚
β”œβ”€β”€ models/
β”‚ β”œβ”€β”€ model_xgb.pkl # Trained XGBoost model (Git LFS)
β”‚ β”œβ”€β”€ label_encoder.pkl # Label encoder
β”‚ └── training_tracker.json # Tracks rows model was trained on
β”‚
β”œβ”€β”€ notebooks/
β”‚ β”œβ”€β”€ 01_data_collection.ipynb
β”‚ β”œβ”€β”€ 02_preprocessing.ipynb
β”‚ β”œβ”€β”€ 04_embeddings.ipynb
β”‚ β”œβ”€β”€ 05_training.ipynb
β”‚ └── 06_live_updater.ipynb
β”‚
β”œβ”€β”€ requirements.txt
└── README.md
```
---
## Quick Start
### Prerequisites
- Python 3.10+
- Node.js 18+
- npm or yarn
### 1. Clone the repo
```bash
git clone https://github.com/ManglamX/cve-severity-reranker.git
cd cve-severity-reranker
```
### 2. Start the FastAPI backend
```bash
cd backend
pip install -r requirements.txt
python -m spacy download en_core_web_sm
uvicorn main:app --reload --port 8000
```
Backend runs at `http://localhost:8000`
Interactive API docs at `http://localhost:8000/docs`
### 3. Start the Next.js frontend
```bash
cd frontend
npm install
npm run dev
```
Frontend runs at `http://localhost:3000`
---
## API Endpoints
| Method | Endpoint | Description |
|---|---|---|
| `GET` | `/health` | Health check |
| `GET` | `/cve/{cve_id}` | Analyse a single CVE |
| `POST` | `/bulk` | Analyse a list of CVE IDs |
| `POST` | `/inventory` | Find CVEs matching uploaded inventory |
| `GET` | `/stats` | Dataset and model statistics |
### Example β€” single CVE
```bash
curl http://localhost:8000/cve/CVE-2021-44228
```
```json
{
"cve_id": "CVE-2021-44228",
"cvss_score": 10.0,
"cvss_label": "Critical",
"predicted_label": "Critical",
"context_score": 0.512,
"boost_factor": 1.0,
"matched_inventory": [],
"attack_vector": "NETWORK",
"has_remote": 1,
"has_exec": 1
}
```
### Example β€” bulk with inventory
```bash
curl -X POST http://localhost:8000/bulk \
-H "Content-Type: application/json" \
-d '{
"cve_ids": ["CVE-2021-44228", "CVE-2022-30190"],
"inventory": ["Apache Log4j", "OpenSSL", "Windows Server"]
}'
```
---
## Frontend Screens
### Dashboard
Overview of your CVE dataset β€” class distribution chart, top 10 highest context score CVEs, model performance summary.
### Single CVE Lookup
Enter any CVE ID and get instant analysis β€” predicted severity, context score, risk signals (remote exploitable, code execution, attack vector), and inventory match warning if applicable.
### Bulk CSV Upload
Upload a CSV with a `cve_id` column. Get back a ranked table sorted by context score. Download results as CSV.
### Inventory Matcher
Upload your software inventory CSV. The system returns only CVEs that affect your software, ranked by context score.
**Sample inventory CSV format:**
```csv
software
Apache HTTP Server
OpenSSL
Windows Server
MySQL
Log4j
nginx
```
---
## How the Re-Ranking Works
```
boost = 1.0
+ 0.30 Γ— (number of inventory matches)
Γ— 1.25 (if public exploit exists)
Γ— 1.15 (if remote + unauthenticated)
Γ— 1.10 (if attack vector = NETWORK)
context_score = min(prob_critical Γ— boost, 1.0)
```
CVEs are sorted by `context_score` β€” not by CVSS score.
**Example β€” CVE-2021-44228 (Log4Shell)**
| Condition | Context Score |
|---|---|
| No inventory | 0.51 |
| Inventory contains `Log4j` | 0.67 (boost 1.43Γ—) |
---
## Automation (GitHub Actions)
| Workflow | Schedule | What it does |
|---|---|---|
| `daily_fetch.yml` | Every day 6 AM UTC | Fetches new CVEs, updates `cves_raw.csv` |
| `weekly_pipeline.yml` | Every Sunday 2 AM UTC | Fetch β†’ preprocess β†’ embed β†’ retrain |
Smart training β€” only does what is needed:
| Situation | Mode | Time |
|---|---|---|
| Dataset unchanged | Skip β€” loads existing model | 10 sec |
| < 10% new rows | Update β€” trains on new rows only | ~2 min |
| β‰₯ 10% new rows | Full retrain | ~15 min |
Add your NVD API key as a GitHub Secret named `NVD_API_KEY` to enable automation.
---
## Retraining (Google Colab)
1. `notebooks/01_data_collection.ipynb` β€” fetch CVE data
2. `notebooks/02_preprocessing.ipynb` β€” NLP pipeline
3. `notebooks/04_embeddings.ipynb` β€” SecBERT embeddings (GPU, ~65 min)
4. `notebooks/05_training.ipynb` β€” XGBoost training + evaluation
Each notebook is smart β€” skips completed steps and only processes new rows.
---
## Tech Stack
| Component | Technology |
|---|---|
| Frontend | Next.js (React) |
| Backend | FastAPI (Python) |
| NLP | spaCy, regex |
| Deep Learning | SecBERT, PyTorch, Hugging Face transformers |
| Machine Learning | XGBoost, scikit-learn |
| Explainability | SHAP TreeExplainer |
| Inventory matching | FuzzyWuzzy |
| Data source | NVD REST API v2.0 |
| Training platform | Google Colab (T4 GPU) |
| Automation | GitHub Actions |
| Storage | Google Drive + Git LFS |
---
## Evaluation
**Classification Report β€” test set (40,087 CVEs)**
| Class | Precision | Recall | F1 | Support |
|---|---|---|---|---|
| Critical | 0.72 | 0.74 | 0.73 | 4,705 |
| High | 0.76 | 0.72 | 0.74 | 14,792 |
| Low | 0.88 | 0.38 | 0.53 | 1,589 |
| Medium | 0.79 | 0.86 | 0.82 | 19,001 |
| **Weighted avg** | **0.77** | **0.77** | **0.77** | **40,087** |
Low class recall is lower due to class imbalance. Planned fix: SMOTE oversampling.
---
## Dataset
| Property | Value |
|---|---|
| Source | NVD REST API v2.0 |
| Date range | January 2019 β€” March 2026 |
| Total CVEs | 200,431 |
| Features per CVE | 781 (768 BERT + 8 NLP + 5 metadata) |
| Auto-updated | Daily via GitHub Actions |
**CVSS label mapping:**
| Score | Label |
|---|---|
| 0.0 – 3.9 | Low |
| 4.0 – 6.9 | Medium |
| 7.0 – 8.9 | High |
| 9.0 – 10.0 | Critical |
---
## References
1. Shahid & Debar. *CVSS-BERT.* arXiv 2021.
2. *NLP-Based Analysis of Cyber Threats.* PMC 2023.
3. *CVE Severity Prediction β€” A Deep Learning Approach.* ScienceDirect 2024.
4. jackaduma. *SecBERT.* Hugging Face Hub.
5. Lundberg & Lee. *SHAP.* NeurIPS 2017.
6. Chen & Guestrin. *XGBoost.* KDD 2016.
---
## License
This project was built for academic purposes as part of a Third Year Mini Project (2025–26).