Tracing CVE Vulnerability Information to CAPEC Attack Patterns Using Natural Language Processing Techniques

Kenta Kanakogi,Takehisa Kato,Nobukazu Yoshioka,Yoshiaki Fukazawa,Hironori Washizaki,Shinpei Ogata,Takao Okubo,Atsuo Hazeyama,Hideyuki Kanuka

doi:10.3390/info12080298

Abstract

For effective vulnerability management, vulnerability and attack information must be collected quickly and efficiently. A security knowledge repository can collect such information. The Common Vulnerabilities and Exposures (CVE) provides known vulnerabilities of products, while the Common Attack Pattern Enumeration and Classification (CAPEC) stores attack patterns, which are descriptions of common attributes and approaches employed by adversaries to exploit known weaknesses. Due to the fact that the information in these two repositories are not linked, identifying related CAPEC attack information from CVE vulnerability information is challenging. Currently, the related CAPEC-ID can be traced from the CVE-ID using Common Weakness Enumeration (CWE) in some but not all cases. Here, we propose a method to automatically trace the related CAPEC-IDs from CVE-ID using three similarity measures: TF–IDF, Universal Sentence Encoder (USE), and Sentence-BERT (SBERT). We prepared and used 58 CVE-IDs as test input data. Then, we tested whether we could trace CAPEC-IDs related to each of the 58 CVE-IDs. Additionally, we experimentally confirm that TF–IDF is the best similarity measure, as it traced 48 of the 58 CVE-IDs to the related CAPEC-ID.

Highlights

Due to the sheer volume, system administrators spend a lot of time dealing with vulnerabilities
Common Attack Pattern Enumeration and Classification (CAPEC) is a dictionary of common identifiers for attack patterns employed by adversaries to exploit weaknesses
We propose a method that enables direct tracing from Common Vulnerabilities and Exposures (CVE) to CAPEC (Figure 1)

Summary

Introduction

Due to the sheer volume, system administrators spend a lot of time dealing with vulnerabilities. In order to effectively respond and mitigate vulnerabilities, vulnerability information must be collected efficiently and quickly. The vulnerability and the attack techniques must be understood. When assessing the severity and priority of vulnerabilities, it is essential to refer to information about known vulnerabilities and attacks. To collect such information, knowledge repositories on cybersecurity issues may be used. Public repositories include Common Vulnerabilities and Exposures (CVE) [1] and Common Attack Pattern Enumeration and Classification (CAPEC) [2]. CVE lists common identifiers for known vulnerability information. CAPEC is a dictionary of common identifiers for attack patterns employed by adversaries to exploit weaknesses

Objectives

Methods

Conclusion