BF–Based ML/AI Systems
Irena Bojanova, Inventor/Creator, PI & Lead, NIST Bugs Framework (BF), 2014 – ~~~

From AI@NIST Day 2025:

  • AI can reinvent Cybersecurity R&D — but only if we do it right.
  • Today, we focus on mitigating vulnerabilities, not fixing their root causes.
  • Why? → Because human-written bug reports and vulnerability descriptions — narratives AI cannot fully understand — remain our primary source.
  • The result → Assurance tools often disagree, and AI security tools may hallucinate.
  • I’m Irena Bojanova from the Information Technology Laboratory (ITL) at NIST. I have created the NIST Bugs Framework — BF — a formal system that defines vulnerabilities as chains of weaknesses leading to failures. BF is not simply a database, but it may comprehensively augment the Common Vulnerabilities and Exposures (CVE) and the National Vulnerability Database (NVD).
  • BF makes vulnerabilities machine-understandable. With it, AI can generate precise vulnerability descriptions, bug reports, and security rules — forming the basis for informed counterintelligence measures.*

A BF-Based AI Vulnerability System uses ML/AI-enabled capabilities to identify bugs and to detect, analyze, prioritize, and resolve or mitigate vulnerabilities (i.e., fix the bug, or a fault, underlying each vulnerability). Automated analysis via AI models requires comprehensively labeled vulnerability datasets.

A BF Vulnerability AI Model is trained (see Figure 1) on BF context data, vulnerable source code, and previously developed BF vulnerability specifications. The steps inside the dashed rectangle are BF-specific.

Figure 1. Construct/Adapt a BF-Based Vulnerability AI Model.

  • BF Context Data is formed by the BF Security Concepts Definitions, BF Taxonomy, BF Taxon Definitions, and BF Semantic Graphs and Matrices.
  • BF Training Dataset is formed by vulnerable source code and preliminarily developed BF Vulnerability Specifications.

BF-based AI systems (see Figure 2) use BF AI Models to generate BF Specifications. Each generated specification is first validated and verified by the BF Parser, and then validated against the generated BF Partial CVE Specifications and the Backward State Tree. The remaining steps in Figure 2 are the same as for BF-based traditional systems (see Figure 1 in BF–Based Traditional Systems). The steps inside the dashed rectangle are BF-specific.

Figure 2. BF-Based ML/AI Vulnerability System.
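The validation step above is where a hallucinated specification from the AI model gets caught: a BF vulnerability is a chain of weaknesses in which the consequence of one weakness is the cause of the next, ending in a failure, so a generated specification that breaks that chain is rejected before it is compared against the partial CVE specification. The following is an added illustration of that chaining check and of a backward walk from the failure to the root cause. It is not the NIST BF Parser or any BF code; the data model, the class/operation/cause/consequence vocabulary, and the constructed sample chains are assumptions for illustration only (the real taxonomy is defined in NIST SP 800-231).

```python
"""Toy consistency check for a BF-style vulnerability specification.

Added example, not the NIST BF Parser. The data model, vocabulary and
sample chains below are assumptions made for illustration.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Weakness:
    """One link of the chain: a bug or fault in an operation of a BF class."""
    bf_class: str      # illustrative class name, e.g. "Data Verification"
    operation: str     # the operation in which the fault manifests
    cause: str         # state that triggers the weakness
    consequence: str   # resulting erroneous state (cause of the next link)


@dataclass(frozen=True)
class Specification:
    spec_id: str
    chain: tuple          # ordered Weakness links, root bug first
    failure: str          # the security failure the chain ends in


# Assumed (illustrative) set of failure names the checker accepts.
KNOWN_FAILURES = {"Information Exposure", "Denial of Service",
                  "Arbitrary Code Execution"}


def check_specification(spec, known_failures=KNOWN_FAILURES):
    """Return a list of problems; an empty list means the chain is consistent."""
    errors = []
    if not spec.chain:
        errors.append("empty weakness chain")
    for i, w in enumerate(spec.chain):
        for field in ("bf_class", "operation", "cause", "consequence"):
            if not getattr(w, field):
                errors.append(f"weakness {i}: missing {field}")
    # Core BF invariant: consequence of link i must be the cause of link i+1.
    for i in range(len(spec.chain) - 1):
        out, nxt = spec.chain[i].consequence, spec.chain[i + 1].cause
        if out != nxt:
            errors.append(f"chain break between weakness {i} and {i + 1}: "
                          f"consequence '{out}' != cause '{nxt}'")
    if spec.failure not in known_failures:
        errors.append(f"unknown failure '{spec.failure}'")
    return errors


def backward_trace(spec):
    """Walk from the failure back to the root cause (a linear slice of a
    backward state tree; real BF trees branch over alternative causes)."""
    states = [spec.failure]
    for w in reversed(spec.chain):
        states.append(f"{w.bf_class}/{w.operation}: {w.cause}")
    return states


# Constructed sample: a missing length check leads to an over-read and an
# information exposure. Names are illustrative, not an official BF spec.
GOOD_SPEC = Specification("example-good", (
    Weakness("Data Verification", "Verify",
             "Missing Code (length check)", "Wrong Value (unchecked length)"),
    Weakness("Memory Addressing", "Reposition",
             "Wrong Value (unchecked length)", "Wrong Size (over-bounds pointer)"),
    Weakness("Memory Use", "Read",
             "Wrong Size (over-bounds pointer)", "Buffer Over-Read"),
), "Information Exposure")

# Constructed "hallucinated" sample: second link's cause does not match.
BAD_SPEC = Specification("example-bad", (
    GOOD_SPEC.chain[0],
    Weakness("Memory Addressing", "Reposition",
             "Wrong Type (pointer)", "Wrong Size (over-bounds pointer)"),
    GOOD_SPEC.chain[2],
), "Information Exposure")


if __name__ == "__main__":
    for spec in (GOOD_SPEC, BAD_SPEC):
        problems = check_specification(spec)
        print(spec.spec_id, "OK" if not problems else problems)
    print(" <- ".join(backward_trace(GOOD_SPEC)))
```

The point of the check is that it is purely structural: it needs no natural-language understanding of a bug report, which is exactly what lets a formal specification be validated mechanically before any CVE comparison takes place.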


See also:
Bojanova, I., NVD–BF (or NVDBF) Formal Vulnerability Classifications Platform, NIST ITL Science Day 2025, Mar. 26, 2026.
Bojanova, I., BF–Based ML/AI Systems for Formal Hardware & Software Vulnerability Specification, AI@NIST Day 2025, Feb. 26, 2026.


BF PATENT PENDING
U.S. Patent Application No. PCT/US2025/038662 Bugs Framework (BF): A System for Formal Specification of Cybersecurity Weaknesses and Vulnerabilities, Definition of Secure Coding Principles, and Generation of Weakness and Vulnerability Datasets and Vulnerability Classifications. Inventor: Irena Bojanova, NIST.

BF CITATION:
Bojanova I (2024) Bugs Framework (BF): Formalizing Cybersecurity Weaknesses and Vulnerabilities. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP), NIST SP 800-231. https://doi.org/10.6028/NIST.SP.800-231