SMET: Semantic Mapping of CVE to ATT&CK and its Application to Cyber Security
Published
Author(s)
Abdeen Basel, Ehab Al-Sheer, Anoop Singhal, Latifur Khan, Kevin Hamlen
Abstract
Cybercriminals relentlessly pursue vulnerabilities across cyberspace to exploit software, threatening the security of individuals, organizations, and governments. Although security teams strive to establish defense measures to thwart attackers, the complexity of cyber defense and the magnitude of existing threats exceed the capacity of defenders. MITRE therefore introduced multiple frameworks to facilitate the vital sharing of vulnerability, attack, and defense information. The Common Vulnerabilities and Exposures (CVE) list and the ATT&CK matrix are two significant MITRE endeavors. CVE facilitates sharing publicly discovered vulnerabilities, while ATT&CK collects and categorizes adversaries' Tactics, Techniques, and Procedures (TTPs) and recommends appropriate countermeasures. As CVE yields a low-level description of a vulnerability, ATT&CK can complement CVE by providing more insight into it from an attacker's perspective, aiding defenders in countering any exploitation attempt. Unfortunately, due to the complexity of this mapping and the rapid growth of these frameworks, mapping CVE to ATT&CK is a daunting and time-intensive undertaking that overwhelms even experts. Multiple studies have proposed models that perform this mapping automatically. However, because they rely on annotated datasets, these models exhibit limitations in quality and coverage and fail to justify their decisions. To overcome these challenges, we present SMET, a tool that automatically maps CVE entries to ATT&CK techniques based on their textual similarity. SMET achieves this mapping by leveraging ATT&CK BERT, a model that we trained using a Siamese network to learn semantic similarity among attack actions. At inference time, SMET combines semantic extraction, ATT&CK BERT, and a logistic regression model to map CVE entries to ATT&CK techniques. As a result, SMET demonstrated superior performance compared to other state-of-the-art models.
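The mapping stage the abstract describes (extract attack actions from the CVE text, score them against technique descriptions, let a logistic regression decide which techniques are mapped), as an added example that is not SMET's own code: ATT&CK BERT is replaced by a bag-of-words cosine similarity so it runs offline, clause splitting stands in for semantic extraction, and the technique catalogue, CVE texts and labels are constructed samples.

```python
import math
import re
from collections import Counter
# Constructed mini ATT&CK catalogue (technique id -> paraphrased description), not the real corpus.
TECHNIQUES = {
    "T1190": "exploit a vulnerability in a public facing web application to gain initial access",
    "T1059": "execute arbitrary commands through a command or scripting interpreter",
    "T1068": "exploit a software vulnerability to escalate privileges to root or administrator",
    "T1499": "cause denial of service by crashing or exhausting resources of an endpoint",
}
# Constructed labelled CVE descriptions: text -> techniques an analyst mapped it to.
LABELLED = {
    "a crafted HTTP request to the web application lets a remote attacker execute arbitrary commands": {"T1190", "T1059"},
    "a local user can escalate privileges to root by exploiting a race condition in a kernel driver": {"T1068"},
    "a malformed packet causes the service to crash, leading to denial of service": {"T1499"},
}
STOP = {"a", "an", "the", "of", "to", "in", "on", "or", "by", "via", "that", "which", "and", "for"}

def tokens(text):
    """Bag-of-words stand-in for an ATT&CK BERT embedding (hypothetical, not the paper's model)."""
    return Counter(w for w in re.findall(r"[a-z]+", text.lower()) if w not in STOP)
def cosine(a, b):
    dot = sum(a[w] * b[w] for w in a if w in b)
    norm = math.sqrt(sum(v * v for v in a.values())) * math.sqrt(sum(v * v for v in b.values()))
    return dot / norm if norm else 0.0
def extract_actions(cve_text):
    """Semantic-extraction stand-in: split the description into candidate attack-action clauses."""
    parts = re.split(r",|;|\s(?:which|that|allows?|to|via|by)\s", cve_text)
    return [p.strip() for p in parts if len(p.split()) >= 2]
def similarity(cve_text, tech_id):
    """Highest similarity between any extracted action and the technique description."""
    tech = tokens(TECHNIQUES[tech_id])
    return max((cosine(tokens(a), tech) for a in extract_actions(cve_text)), default=0.0)
def training_pairs():
    """One (similarity, label) pair per CVE/technique combination in the labelled set."""
    return [(similarity(c, t), 1.0 if t in pos else 0.0) for c, pos in LABELLED.items() for t in TECHNIQUES]
def train_logreg(pairs, epochs=2000, lr=0.5):
    """One-feature logistic regression (w, b) fitted by SGD: decides mapped vs not mapped."""
    w, b = 0.0, 0.0
    for _ in range(epochs):
        for s, y in pairs:
            p = 1 / (1 + math.exp(-(w * s + b)))
            w -= lr * (p - y) * s
            b -= lr * (p - y)
    return w, b
def map_cve(cve_text, model):
    """Technique ids whose mapping probability exceeds 0.5, most likely first."""
    w, b = model
    probs = {t: 1 / (1 + math.exp(-(w * similarity(cve_text, t) + b))) for t in TECHNIQUES}
    return sorted((t for t in probs if probs[t] > 0.5), key=probs.get, reverse=True)
```

Calling `map_cve(text, train_logreg(training_pairs()))` on an unseen description returns the ranked techniques whose calibrated probability passes the threshold, which is the decision the logistic layer contributes over plain nearest-neighbour ranking.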
Proceedings Title
DBSec 2023: Data and Applications Security and Privacy XXXVII
Volume
13942
Conference Dates
July 19-21, 2023
Conference Location
Sophia Antipolis, FR
Conference Title
IFIP International Conference on Data Application Security and Privacy (DBSEC 2023)
Basel, A., Al-Sheer, E., Singhal, A., Khan, L. and Hamlen, K. (2023), SMET: Semantic Mapping of CVE to ATT&CK and its Application to Cyber Security, DBSec 2023: Data and Applications Security and Privacy XXXVII, Sophia Antipolis, FR, [online], https://doi.org/10.1007/978-3-031-37586-6_15, https://tsapps.nist.gov/publication/get_pdf.cfm?pub_id=936761 (Accessed November 20, 2024)