ThreatLinker: An NLP-based Methodology to Automatically Estimate CVE Relevance for CAPEC Attack Patterns
Andrea Ciavotta, Alessandro Palma, Simone Lenti, Silvia Bonomi

TL;DR
ThreatLinker is an NLP-based methodology that automatically links CVE vulnerabilities to CAPEC attack patterns, improving threat analysis efficiency and accuracy by combining semantic similarity with keyword analysis.
Contribution
It introduces a novel NLP approach for automatic CVE-CAPEC association and provides a larger dataset for this correlation task, outperforming existing models.
Findings
Superior performance over state-of-the-art models
Effective combination of semantic similarity and keyword analysis
Enhanced dataset for CVE-CAPEC correlation
Abstract
Threat analysis is continuously growing in importance due to the ever-increasing complexity and frequency of cyber attacks. Analyzing threats demands significant effort from security experts: different cybersecurity knowledge bases support this task, but manual efforts are required to correlate heterogeneous sources into a unified view that would enable a more comprehensive assessment. To address this gap, we propose ThreatLinker, a methodology leveraging Natural Language Processing (NLP) to effectively and efficiently associate Common Vulnerabilities and Exposures (CVE) vulnerabilities with Common Attack Pattern Enumeration and Classification (CAPEC) attack patterns. The proposed technique combines semantic similarity with keyword analysis to improve the accuracy of association estimations. We contributed a larger dataset for CVE-CAPEC correlation, and experimental evaluations…
