A study compares multi-class and multi-label text classification approaches for assigning Common Weakness Enumeration (CWE) categories to Common Vulnerabilities and Exposures (CVE) records. The research evaluates three transformer encoders—BERT Base, SecureBERT, and CySecBERT—across nested label spaces of 83, 47, and 25 classes.
- Multi-class training achieves higher macro-F1 across all settings, though the gap to multi-label narrows as the label space shrinks.
- Confusion analysis reveals that misclassification patterns follow the CWE hierarchy, suggesting taxonomy design drives errors more than encoder choice.
- A hierarchy-relaxed evaluation raises macro-F1 from approximately 81% to 90%, indicating strict metrics understate classifier quality.
- CySecBERT achieves the strongest results overall, with statistically significant gains concentrated in the multi-label setting.
The findings suggest that while multi-class formulations generally perform better, CySecBERT offers superior performance for complex mapping tasks.