CVE-TTP KG: Knowledge Graph Linking Software Vulnerabilities to Attack Behaviors
Summary
The CVE-TTP Knowledge Graph (KG) addresses a critical gap in cybersecurity by linking software vulnerabilities (CVEs) to specific attacker behaviors, including tactics and techniques from the MITRE ATT&CK framework. This work develops a system that uses Transformer-based models, notably CySecBERT, to identify these behaviors with high accuracy, achieving macro F1-scores of 87.71% for techniques and 96.16% for tactics. Researchers also created a substantial annotated dataset comprising 24,820 entities and 43,608 relations to facilitate entity and relation extraction. A pipeline-based approach demonstrated strong performance with macro F1-scores of 0.86 for entity extraction and 0.99 for relation extraction, while a span-based joint model achieved 0.78. The resulting knowledge graph is integrated into a Neo4j-based Cyber Threat Knowledge Graph, providing structured visualization for enhanced threat interpretation and response.
Key takeaway
For cybersecurity analysts and AI security engineers focused on threat interpretation, integrating the CVE-TTP Knowledge Graph can significantly enhance your understanding of vulnerability exploitation. This system provides direct links between CVEs and MITRE ATT&CK behaviors, allowing you to quickly contextualize threats and prioritize responses. You should consider adopting similar knowledge graph approaches to enrich your existing vulnerability management platforms and improve proactive defense strategies.
Key insights
A knowledge graph effectively links CVEs to MITRE ATT&CK behaviors using Transformer models for improved threat intelligence.
Principles
- Linking CVEs to ATT&CK enhances threat context.
- Transformer models excel in behavior identification.
- Annotated datasets are crucial for relation extraction.
Method
The approach combines classification and entity/relation extraction using Transformer-based models such as CySecBERT, then loads the extracted CVE-to-behavior links into a Neo4j-based Cyber Threat Knowledge Graph for visualization.
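As an added illustration of the final integration step (not code from the paper or its authors), the snippet below takes constructed extraction output, assembles the CVE -> technique -> tactic links into an in-memory graph, emits idempotent Cypher MERGE statements for a Neo4j load, and answers "which tactics does this CVE enable" by a two-hop walk. The node labels, relation names, CVE placeholders and sample triples are assumptions, not the paper's schema or data.

```python
from collections import defaultdict

# Constructed sample of extraction output (not the paper's data): (subject, relation,
# object, object_type). CVE ids are placeholders; ATT&CK ids are real taxonomy ids.
EXTRACTED = [
    ("CVE-0000-0001", "EXPLOITED_VIA", "T1190", "Technique"),
    ("T1190", "ACHIEVES", "TA0001", "Tactic"),
    ("CVE-0000-0001", "EXPLOITED_VIA", "T1059", "Technique"),
    ("T1059", "ACHIEVES", "TA0002", "Tactic"),
    ("CVE-0000-0002", "EXPLOITED_VIA", "T1059", "Technique"),
    ("T1059", "ACHIEVES", "TA0002", "Tactic"),  # duplicate reached via a second CVE
]

# Labels and relation types cannot be Cypher parameters, so allowlist them
# instead of interpolating arbitrary extractor output into the query text.
LABELS = {"CVE", "Technique", "Tactic"}
RELATIONS = {"EXPLOITED_VIA", "ACHIEVES"}

def node_label(node_id, hint=None):
    return hint or ("CVE" if node_id.startswith("CVE-") else "Technique")

def build_graph(triples):
    """Adjacency map node -> {(relation, neighbour)}; duplicates collapse."""
    graph = defaultdict(set)
    for subj, rel, obj, _ in triples:
        graph[subj].add((rel, obj))
    return graph

def to_cypher(triples):
    """Return (query, params) pairs using MERGE so reloading the same output is safe."""
    out, seen = [], set()
    for subj, rel, obj, obj_type in triples:
        a, b = node_label(subj), node_label(obj, obj_type)
        if a not in LABELS or b not in LABELS or rel not in RELATIONS:
            raise ValueError(f"unexpected schema element: {subj} {rel} {obj}")
        if (subj, rel, obj) in seen:
            continue
        seen.add((subj, rel, obj))
        query = (f"MERGE (a:{a} {{id: $s}}) MERGE (b:{b} {{id: $o}}) "
                 f"MERGE (a)-[:{rel}]->(b)")
        out.append((query, {"s": subj, "o": obj}))
    return out

def tactics_for_cve(graph, cve):
    """Two-hop walk CVE -EXPLOITED_VIA-> Technique -ACHIEVES-> Tactic."""
    tactics = set()
    for rel, tech in graph.get(cve, ()):
        if rel == "EXPLOITED_VIA":
            tactics.update(t for r, t in graph.get(tech, ()) if r == "ACHIEVES")
    return sorted(tactics)
```

Each (query, params) pair can be passed to a Neo4j session's run method; the allowlist check is what keeps a malformed or hostile extractor output from becoming part of the query text.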
In practice
- Integrate CVE-TTP KG for enriched vulnerability data.
- Use CySecBERT for precise behavior mapping.
- Develop custom datasets for specific threat intelligence.
Topics
- CVE-TTP Knowledge Graph
- Software Vulnerabilities
- MITRE ATT&CK
- Transformer Models
- Relation Extraction
- Cyber Threat Intelligence
Best for: NLP Engineer, CTO, VP of Engineering/Data, AI Scientist, AI Security Engineer, Research Scientist
Editorial summary, takeaway, and curation by AIssential. Original article published by Artificial Intelligence.