中文

CVE-TTP KG: Knowledge Graph Linking Software Vulnerabilities to Attack Behaviors

密码学与安全 2026-06-30 v1 人工智能

摘要

In the evolving threat landscape, adversaries exploit software vulnerabilities to launch sophisticated attacks, challenging traditional defenses. Although databases like CVE and NVD provide detailed technical information, they often lack links to attacker behaviors such as tactics and techniques, limiting effective threat interpretation and response. This work bridges this gap by connecting vulnerabilities with behavioral patterns from the MITRE ATT&CK framework. We construct a CVE-TTP Knowledge Graph that links CVEs to tactics and techniques using classification and relation extraction. Transformer-based models are developed for behavior identification, with CySecBERT achieving macro F1-scores of 87.71% (techniques) and 96.16% (tactics). Also, we created an annotated dataset with 24,820 entities and 43,608 relations for entity and relation extraction. The pipeline-based approach achieves macro F1-scores of 0.86 (entity extraction) and 0.99 (relation extraction), while a span-based joint model achieves 0.78. These outputs are integrated into a Neo4j-based Cyber Threat Knowledge Graph, enabling structured visualization of vulnerabilities.

引用

@article{arxiv.2606.31557,
  title  = {CVE-TTP KG: Knowledge Graph Linking Software Vulnerabilities to Attack Behaviors},
  author = {Basant Agarwal and Dincy R. Arikkat and Swati Yadav and Serena Nicolazzo and Antonino Nocera and Vinod P},
  journal= {arXiv preprint arXiv:2606.31557},
  year   = {2026}
}