CVE-TTP KG: Knowledge Graph Linking Software Vulnerabilities to Attack Behaviors

๐Ÿ“… 2026-06-30
๐Ÿ“ˆ Citations: 0
โœจ Influential: 0
๐Ÿ“„ PDF
๐Ÿค– AI Summary
This study addresses the critical gap in existing vulnerability databases, which lack effective linkage to adversary tactics and techniques, thereby limiting deep understanding of threat behaviors. To bridge this gap, the work presents the first systematic construction of a CVEโ€“TTP knowledge graph by semantically associating Common Vulnerabilities and Exposures (CVEs) with MITRE ATT&CK tactics and techniques. This is achieved through an integrated approach combining CySecBERT and other Transformer-based models with a pipeline-style, span-based joint extraction framework. The authors release a large-scale annotated dataset, achieving macro F1 scores of 96.16% and 87.71% for tactic and technique identification, respectively, and 0.86 and 0.99 for entity and relation extraction. The resulting knowledge graph comprises 24,820 entities and 43,608 relations, and is structurally visualized using Neo4j.
๐Ÿ“ Abstract
In the evolving threat landscape, adversaries exploit software vulnerabilities to launch sophisticated attacks, challenging traditional defenses. Although databases like CVE and NVD provide detailed technical information, they often lack links to attacker behaviors such as tactics and techniques, limiting effective threat interpretation and response. This work bridges this gap by connecting vulnerabilities with behavioral patterns from the MITRE ATT&CK framework. We construct a CVE-TTP Knowledge Graph that links CVEs to tactics and techniques using classification and relation extraction. Transformer-based models are developed for behavior identification, with CySecBERT achieving macro F1-scores of 87.71% (techniques) and 96.16% (tactics). Also, we created an annotated dataset with 24,820 entities and 43,608 relations for entity and relation extraction. The pipeline-based approach achieves macro F1-scores of 0.86 (entity extraction) and 0.99 (relation extraction), while a span-based joint model achieves 0.78. These outputs are integrated into a Neo4j-based Cyber Threat Knowledge Graph, enabling structured visualization of vulnerabilities.
Problem

Research questions and friction points this paper is trying to address.

software vulnerabilities
attack behaviors
CVE
MITRE ATT&CK
threat intelligence
Innovation

Methods, ideas, or system contributions that make the work stand out.

Knowledge Graph
CVE-TTP Linking
Transformer-based Behavior Identification
Entity and Relation Extraction
CySecBERT
๐Ÿ”Ž Similar Papers
No similar papers found.