Search papers, labs, and topics across Lattice.
This paper addresses the gap between software vulnerabilities and attacker behaviors by constructing a CVE-TTP Knowledge Graph that links Common Vulnerabilities and Exposures (CVEs) to tactics and techniques from the MITRE ATT&CK framework. Using transformer-based models, particularly CySecBERT, the authors achieve high macro F1-scores of 87.71% for techniques and 96.16% for tactics, alongside a robust annotated dataset of 24,820 entities and 43,608 relations. The resulting knowledge graph facilitates structured visualization and interpretation of vulnerabilities in the context of potential attack behaviors, enhancing threat response capabilities.
Linking software vulnerabilities to attacker behaviors reveals critical insights for proactive threat mitigation in cybersecurity.
In the evolving threat landscape, adversaries exploit software vulnerabilities to launch sophisticated attacks, challenging traditional defenses. Although databases like CVE and NVD provide detailed technical information, they often lack links to attacker behaviors such as tactics and techniques, limiting effective threat interpretation and response. This work bridges this gap by connecting vulnerabilities with behavioral patterns from the MITRE ATT&CK framework. We construct a CVE-TTP Knowledge Graph that links CVEs to tactics and techniques using classification and relation extraction. Transformer-based models are developed for behavior identification, with CySecBERT achieving macro F1-scores of 87.71% (techniques) and 96.16% (tactics). Also, we created an annotated dataset with 24,820 entities and 43,608 relations for entity and relation extraction. The pipeline-based approach achieves macro F1-scores of 0.86 (entity extraction) and 0.99 (relation extraction), while a span-based joint model achieves 0.78. These outputs are integrated into a Neo4j-based Cyber Threat Knowledge Graph, enabling structured visualization of vulnerabilities.