AI-Based False Positive Filtering and

Prioritization in Vulnerability
Assessment
Abstract
Vulnerability scanning tools often generate a significant number of false positives,
overwhelming security teams and reducing operational efficiency. This research proposes
an AI-based solution to automatically classify vulnerabilities as true or false positives and to
prioritize them based on severity, context, and potential impact. The paper outlines a hybrid
approach combining rule-based filtering, supervised machine learning, and large language
model (LLM) integration to provide intelligent analysis and actionable remediation
suggestions.

1. Introduction
In penetration testing and vulnerability management, a recurring problem is the abundance
of false positives generated by automated scanners. These incorrect alerts consume
valuable time and lead to misallocation of resources. With the advancement of Artificial
Intelligence (AI), there is an opportunity to optimize this process through intelligent
filtering and prioritization mechanisms.

2. Problem Statement
Traditional vulnerability scanners (e.g., Nessus, OpenVAS, Burp Suite) often flag non-
exploitable issues as vulnerabilities, leading to false positives. This inflates the vulnerability
list, making it difficult for analysts to focus on real threats. A solution is needed to automate
the detection of false positives and accurately prioritize the remaining issues based on
actual risk.

3. Objectives
- Develop an AI-based tool to classify vulnerabilities as true or false positives

- Integrate machine learning models trained on past scan data

- Use LLMs to analyze vulnerability descriptions and recommend remediation

- Provide a dashboard and/or chatbot-based interface to display results

4. Methodology

4.1 Data Collection

Collect scan outputs from tools like Nuclei, Nessus, Burp Suite and normalize data into a
structured JSON format.

4.2 Feature Engineering

Use scanner type, vulnerability title, response codes, payloads used, confidence scores, CVE
ID, response body length.

4.3 Machine Learning Model

Use supervised models like Random Forest, XGBoost, or SVM, and evaluate using precision,
recall, and F1-score.

4.4 LLM Integration

Use models like GPT or BERT to analyze unstructured scan result text and suggest
remediation.

4.5 Automation Pipeline

Input: New scan results
Processing: Feature extraction → ML Classification → LLM Analysis
Output: Validated vulnerabilities

4.6 WhatsApp Chatbot/Web Dashboard (optional)

Integrate Twilio or WhatsApp API for real-time scan insights and remediation suggestions.

5. Implementation Tools
Python, Scikit-learn, XGBoost, Pandas, OpenAI API / HuggingFace Transformers,
Flask/FastAPI, React.js, Twilio API

6. Code Snippet and Explanation

Example code to classify vulnerabilities:

import pandas as pd
from sklearn.ensemble import RandomForestClassifier
from sklearn.model_selection import train_test_split
from sklearn.metrics import classification_report

# Sample scan data (simulated)

data = pd.DataFrame({
'scanner': ['Nessus', 'Burp', 'Nuclei', 'Burp'],
 'title': ['SQL Injection', 'Clickjacking', 'XSS', 'SQL Injection'],
'response_code': [500, 200, 403, 500],
'payload_present': [1, 0, 1, 1],
'false_positive': [0, 1, 1, 0] # 0 = true positive, 1 = false positive
})

# Feature and label selection

X = data[['response_code', 'payload_present']]
y = data['false_positive']

# Train/test split
X_train, X_test, y_train, y_test = train_test_split(X, y, test_size=0.2)

# Train the model

clf = RandomForestClassifier()
clf.fit(X_train, y_train)

# Predict and evaluate

y_pred = clf.predict(X_test)
print(classification_report(y_test, y_pred))

The code simulates training a classifier to identify false positives using basic features like
response code and payload presence. In a real-world scenario, this model would be
expanded with richer features and a larger labeled dataset.

7. Expected Outcomes
Reduction in manual time spent validating vulnerabilities, improved signal-to-noise ratio in
scan results, actionable insights, and better operational efficiency.

8. Limitations and Future Work

Model accuracy depends on quality of training data. Dynamic analysis and PoC generation
are not included in MVP. Future improvements include reinforcement learning and
integration with patch management systems.

9. Conclusion
This AI-powered tool aims to improve vulnerability management by filtering false positives
and identifying real threats, thereby enhancing security operations.
References
- OWASP Vulnerability Management Guide

- NIST SP 800-115 Technical Guide to Information Security Testing

- Scikit-learn Documentation

- OpenAI GPT-4 Technical Overview

- HackerOne Vulnerability Reports Archive