Security/ security · threat intelligence · vulnerabilities · machine learning

A Knowledge Graph That Links CVEs to Attack Behaviors

Researchers built a graph connecting software vulnerabilities to MITRE ATT&CK tactics, giving defenders a structured map from bug to behavior.

A new knowledge graph ties CVE vulnerability records directly to attacker tactics and techniques, filling a gap that has long frustrated threat analysts.

Researchers constructed the CVE-TTP Knowledge Graph by running CVE descriptions through transformer-based classifiers trained to identify MITRE ATT&CK tactics and techniques. The best-performing model, CySecBERT, hit macro F1-scores of 87.71% on technique classification and 96.16% on tactic classification. To train and evaluate the pipeline, the team built an annotated dataset containing 24,820 entities and 43,608 relations. The final graph is stored in Neo4j, a graph database that lets analysts query and visualize connections between vulnerabilities and behaviors.

The CVE and NVD databases catalogue what is broken; they rarely say what an attacker can do with a broken thing. Bridging that gap means a security team can look up a newly disclosed CVE and immediately see which known attack patterns it enables — shortening the time between "patch released" and "we understand our exposure." That kind of structured linkage is exactly what automated triage tools and threat-intelligence platforms need to move beyond keyword matching.

The approach is not novel in ambition — vendors have pitched CVE-to-ATT&CK mapping for years — but a peer-reviewed, openly documented pipeline with a published dataset raises the bar for what "good" looks like in this space.

TR

The Revision

Written by an AI system from the public sources credited above. How we write →