Cybersecurity Defenses: Exploration of CVE Types through Attack Descriptions
Refat Othman, Bruno Rossi, Barbara Russo
TL;DR
This paper tackles the problem of connecting ATT&CK attack techniques to publicly known CVE vulnerabilities to enhance cyber threat intelligence and incident response. It proposes VULDAT, a pipeline that uses MPNet-based sentence embeddings to semantically match attack descriptions with CVE reports, selecting matches via a cosine similarity threshold to form a Detection List. The study introduces a novel annotated dataset linking ATT&CK to CVEs, benchmarks VULDAT against nine transformer baselines, and reports strong performance with F1 ≈ 0.85, Precision ≈ 0.86, and Recall ≈ 0.83, plus Mapping ≈ 0.56 and Detection ≈ 0.61. The findings demonstrate the feasibility of automated vulnerability detection from attack narratives and highlight directions for validating links and expanding the approach to broader data sources for practical defensive benefits.
Abstract
Vulnerabilities in software security can remain undiscovered even after being exploited. Linking attacks to vulnerabilities helps experts identify and respond promptly to an incident. This paper introduces VULDAT, a classification tool that uses the sentence transformer MPNet to identify system vulnerabilities from attack descriptions. Our model was applied to 100 attack techniques from the ATT&CK repository and 685 issues from the CVE repository. We then compared the performance of VULDAT against the other eight state-of-the-art classifiers based on sentence transformers. Our findings indicate that our model achieves the best performance, with an F1 score of 0.85, Precision of 0.86, and Recall of 0.83. Furthermore, we found that 56% of the vulnerabilities in CVE reports associated with an attack were identified by VULDAT, and 61% of identified vulnerabilities were in the CVE repository.
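The matching step summarized above (embed the attack description and each CVE report, keep reports whose cosine similarity meets a threshold as the Detection List, then score against labeled links) can be sketched as follows. This is an added example, not the authors' code: a token-count vector stands in for the MPNet sentence embedding so the block runs offline, and the CVE identifiers, texts, ground-truth labels and threshold values are constructed placeholders.

```python
import math
import re
from collections import Counter

# Constructed sample data: placeholder IDs and texts, not real ATT&CK or CVE entries.
ATTACK = ("adversary sends crafted request to exploit buffer overflow "
          "in web server and execute arbitrary code")
CVE_REPORTS = {
    "CVE-PLACEHOLDER-1": "buffer overflow in web server allows remote attacker "
                         "to execute arbitrary code via crafted request",
    "CVE-PLACEHOLDER-2": "crafted request triggers overflow in server parser "
                         "leading to arbitrary code execution",
    "CVE-PLACEHOLDER-3": "weak default password in router admin interface "
                         "allows unauthorized login",
    "CVE-PLACEHOLDER-4": "cross site scripting in forum search page allows "
                         "script injection",
}
GROUND_TRUTH = {"CVE-PLACEHOLDER-1", "CVE-PLACEHOLDER-2"}  # constructed labels


def embed(text):
    """Stand-in embedding (assumption): token counts instead of MPNet vectors."""
    return Counter(re.findall(r"[a-z]+", text.lower()))


def cosine(a, b):
    """Cosine similarity between two sparse count vectors."""
    dot = sum(a[t] * b[t] for t in a.keys() & b.keys())
    norm = (math.sqrt(sum(v * v for v in a.values()))
            * math.sqrt(sum(v * v for v in b.values())))
    return dot / norm if norm else 0.0


def detection_list(attack, reports, threshold):
    """Return IDs of reports scoring >= threshold, most similar first."""
    query = embed(attack)
    scores = {cid: cosine(query, embed(text)) for cid, text in reports.items()}
    return sorted((c for c, s in scores.items() if s >= threshold),
                  key=lambda c: -scores[c])


def precision_recall_f1(predicted, truth):
    """Score a Detection List against the labeled attack-to-CVE links."""
    tp = len(set(predicted) & truth)
    p = tp / len(predicted) if predicted else 0.0
    r = tp / len(truth) if truth else 0.0
    return p, r, (2 * p * r / (p + r) if p + r else 0.0)
```

Sweeping the threshold on this sample shows the trade-off the metrics capture: a strict threshold drops a true link (lower recall), a loose one admits unrelated reports (lower precision).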
