A Relevance Model for Threat-Centric Ranking of Cybersecurity Vulnerabilities

TL;DR

The paper tackles the problem that CVSS-based vulnerability prioritization often misaligns with real exploitation risk. It introduces a threat-centric ranking framework built on a knowledge graph that links vulnerabilities to adversary tactics (MITRE ATT&CK, CAPEC) and sector targets, integrating diverse public data (CWE/CVE/CVSS, CAPEC, ExploitDB, KEV, EPSS, NVD). Four ranking policies are defined and evaluated using $nDCG$, revealing substantial improvements over CVSS-only prioritization, with notable patch-cost savings (approximately 23.3%–25.6%) and a case study showing improved prioritization of known-exploit CVEs. The approach demonstrates end-to-end, automated vulnerability management powered by semantic data integration and threat intelligence, offering practical ROI and a scalable path for organization-specific remediation strategies.

Abstract

The relentless process of tracking and remediating vulnerabilities is a top concern for cybersecurity professionals. The key challenge is trying to identify a remediation scheme specific to in-house, organizational objectives. Without a strategy, the result is a patchwork of fixes applied to a tide of vulnerabilities, any one of which could be the point of failure in an otherwise formidable defense. Given that few vulnerabilities are a focus of real-world attacks, a practical remediation strategy is to identify vulnerabilities likely to be exploited and focus efforts towards remediating those vulnerabilities first. The goal of this research is to demonstrate that aggregating and synthesizing readily accessible, public data sources to provide personalized, automated recommendations for organizations to prioritize their vulnerability management strategy will offer significant improvements over using the Common Vulnerability Scoring System (CVSS). We provide a framework for vulnerability management specifically focused on mitigating threats using adversary criteria derived from MITRE ATT&CK. We test our approach by identifying vulnerabilities in software associated with six universities and four government facilities. Ranking policy performance is measured using the Normalized Discounted Cumulative Gain (nDCG). Our results show an average 71.5% - 91.3% improvement towards the identification of vulnerabilities likely to be targeted and exploited by cyber threat actors. The return on investment (ROI) of patching using our policies results in a savings of 23.3% - 25.5% in annualized costs. Our results demonstrate the efficacy of creating knowledge graphs to link large data sets to facilitate semantic queries and create data-driven, flexible ranking policies.

Figures (8)

• Figure 1: Software vulnerability lifecycle phases and their relationships to our public data sources.
• Figure 2: The entities of the knowledge graph.
• Figure 3: Graph schema representing the type of entities via color in the knowledge graph and the relationship between them.
• Figure 4: Vulnerabilities by month and year for CVE-IDs between 2019 and 2021 for government facilities (left) and education (right) sectors.
• Figure 5: Average value of nDCG at different rank levels (K) for CVSS Base Score versus APT Threat policy for the ODU, REGENT, and WM organizations.