
SMET: Semantic Mapping of CVE to ATT&CK and Its Application to Cybersecurity

  • Conference paper
  • In: Data and Applications Security and Privacy XXXVII (DBSec 2023)
  • Part of the book series: Lecture Notes in Computer Science (LNCS, volume 13942)

Abstract

Cybercriminals relentlessly pursue vulnerabilities across cyberspace to exploit software, threatening the security of individuals, organizations, and governments. Although security teams strive to establish defense measures to thwart attackers, the complexity of cyber defense and the magnitude of existing threats exceed the capacity of defenders. Therefore, MITRE took the initiative and introduced multiple frameworks to facilitate the sharing of vital knowledge about vulnerabilities, attacks, and defense information. The Common Vulnerabilities and Exposures (CVE) program and ATT&CK Matrix are two significant MITRE endeavors. CVE facilitates the sharing of publicly discovered vulnerabilities, while ATT&CK collects and categorizes adversaries’ Tactics, Techniques, and Procedures (TTP) and recommends appropriate countermeasures.

As CVE yields a low-level description of the vulnerability, ATT&CK can complement it by providing more insight into that vulnerability from an attacker's perspective, thereby aiding defenders in countering exploitation attempts. Unfortunately, due to the complexity of this mapping and the rapid growth of both frameworks, mapping CVE to ATT&CK is a daunting and time-intensive undertaking. Multiple studies have proposed models that perform this mapping automatically. However, because they rely on annotated datasets, these models exhibit limitations in quality and coverage and fail to justify their decisions. To overcome these challenges, we present SMET, a tool that automatically maps CVE entries to ATT&CK techniques based on their textual similarity. SMET achieves this mapping by leveraging ATT&CK BERT, a model that we trained with a Siamese network to learn semantic similarity among attack actions. At inference time, SMET combines semantic extraction, ATT&CK BERT, and a logistic regression model to map CVE entries to ATT&CK techniques. In our evaluation, SMET demonstrated superior performance compared to other state-of-the-art models.
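The inference pipeline the abstract describes (extract attack actions from the CVE text, embed each action, decide per technique) reduced to a runnable toy. This is an added example, not SMET's code: the technique summaries and the CVE text are constructed, a bag-of-words cosine stands in for ATT&CK BERT, and a fixed threshold stands in for the logistic-regression layer.

```python
"""Toy SMET-style pipeline: split a CVE description into attack actions, embed
each action, rank ATT&CK techniques by similarity. Added example, not SMET's
code: bag-of-words cosine stands in for ATT&CK BERT, and a fixed threshold
stands in for SMET's logistic-regression decision layer."""
import math
import re
from collections import Counter
# Real ATT&CK IDs/names; summaries are constructed paraphrases, not official text.
TECHNIQUES = {
    "T1190": ("Exploit Public-Facing Application", "remote attacker exploits a "
              "vulnerability in an internet facing server or web application to "
              "execute code or gain access"),
    "T1203": ("Exploitation for Client Execution", "attacker exploits a "
              "vulnerability in a client application such as a browser or document "
              "viewer to execute code when a user opens a crafted file"),
    "T1068": ("Exploitation for Privilege Escalation", "local user exploits a "
              "vulnerability to gain elevated root or system privileges on the host"),
    "T1499": ("Endpoint Denial of Service", "attacker crashes a service or "
              "exhausts resources causing denial of availability"),
}
STOPWORDS = {"a", "an", "the", "of", "in", "to", "via", "or", "on", "such",
             "as", "when", "and", "is", "by", "that", "for", "with"}

def extract_actions(cve_text):
    """Semantic-extraction stand-in: one attack action per sentence or clause."""
    return [s for s in re.split(r"(?<=[.;])\s+", cve_text.strip()) if s]

def embed(text):
    """Embedding stand-in: bag of lower-cased content words."""
    return Counter(t for t in re.findall(r"[a-z]+", text.lower())
                   if t not in STOPWORDS)

def cosine(a, b):
    dot = sum(a[k] * b[k] for k in a.keys() & b.keys())
    norm = lambda v: math.sqrt(sum(x * x for x in v.values()))
    return dot / (norm(a) * norm(b)) if a and b else 0.0

def rank_techniques(cve_text, threshold=0.3):
    """Score each technique by its best-matching action; keep those above threshold."""
    actions = [embed(a) for a in extract_actions(cve_text)]
    scores = {tid: max((cosine(act, embed(desc)) for act in actions), default=0.0)
              for tid, (_, desc) in TECHNIQUES.items()}
    return sorted(((t, s) for t, s in scores.items() if s >= threshold),
                  key=lambda ts: ts[1], reverse=True)

# Constructed CVE-style description for the example (not a real CVE entry).
SAMPLE_CVE = ("A stack-based buffer overflow in the HTTP request parser of the "
              "example web server allows a remote attacker to execute arbitrary "
              "code via a crafted request. A second issue in the setuid helper "
              "allows a local user to gain root privileges.")
```

Because each action is scored separately and the per-technique score is the best action, a description covering two attack steps maps to two techniques (here T1068 and T1190) rather than one averaged match.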


Notes

  1. https://github.com/basel-a/SMET.git


Author information

Corresponding author: Basel Abdeen

Ethics declarations

Disclaimer

Certain equipment, instruments, software, or materials are identified in this paper in order to specify the experimental procedure adequately. Such identification is not intended to imply recommendation or endorsement of any product or service by NIST, nor is it intended to imply that the materials or equipment identified are necessarily the best available for the purpose.


Copyright information

© 2023 IFIP International Federation for Information Processing

About this paper


Cite this paper

Abdeen, B., Al-Shaer, E., Singhal, A., Khan, L., Hamlen, K. (2023). SMET: Semantic Mapping of CVE to ATT&CK and Its Application to Cybersecurity. In: Atluri, V., Ferrara, A.L. (eds) Data and Applications Security and Privacy XXXVII. DBSec 2023. Lecture Notes in Computer Science, vol 13942. Springer, Cham. https://doi.org/10.1007/978-3-031-37586-6_15


  • DOI: https://doi.org/10.1007/978-3-031-37586-6_15

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-031-37585-9

  • Online ISBN: 978-3-031-37586-6

  • eBook Packages: Computer Science, Computer Science (R0)
