CVE-driven Attack Technique Prediction with Semantic Information Extraction and a Domain-specific Language Model
Ehsan Aghaei, Ehab Al-Shaer

TL;DR
This paper presents TTPpredictor, a tool that leverages semantic extraction and a domain-specific language model to accurately link CVE vulnerability descriptions to attack techniques, improving proactive cybersecurity defenses.
Contribution
The paper introduces TTPpredictor, a novel method that combines semantic role labeling and domain-specific language modeling to infer attack techniques from CVE descriptions, addressing data scarcity and semantic gaps.
Findings
Achieves approximately 98% accuracy in CVE classification.
F1-scores range from 95% to 98% in linking CVEs to attack techniques.
Outperforms existing language models like ChatGPT in this task.
Abstract
This paper addresses a critical challenge in cybersecurity: the gap between vulnerability information represented by Common Vulnerabilities and Exposures (CVEs) and the resulting cyberattack actions. CVEs provide insights into vulnerabilities, but often lack details on potential threat actions (tactics, techniques, and procedures, or TTPs) within the ATT&CK framework. This gap hinders accurate CVE categorization and proactive countermeasure initiation. The paper introduces the TTPpredictor tool, which uses innovative techniques to analyze CVE descriptions and infer plausible TTP attacks resulting from CVE exploitation. TTPpredictor overcomes challenges posed by limited labeled data and semantic disparities between CVE and TTP descriptions. It initially extracts threat actions from unstructured cyber threat reports using Semantic Role Labeling (SRL) techniques. These actions, along with…
Taxonomy
Topics: Information and Cyber Security · Network Security and Intrusion Detection · Software Engineering Research
