research-article
Open access

Uncovering CWE-CVE-CPE Relations with Threat Knowledge Graphs

Published: 05 February 2024

Abstract

Security assessment relies on public information about products, vulnerabilities, and weaknesses. So far, databases in these categories have rarely been analyzed in combination. Yet, doing so could help predict unreported vulnerabilities and identify common threat patterns. In this article, we propose a methodology for producing and optimizing a knowledge graph that aggregates knowledge from common threat databases (CVE, CWE, and CPE). We apply the threat knowledge graph to predict associations between threat databases, specifically between products, vulnerabilities, and weaknesses. We evaluate the prediction performance both in closed world with associations from the knowledge graph and in open world with associations revealed afterward. Using rank-based metrics (i.e., Mean Rank, Mean Reciprocal Rank, and Hits@N scores), we demonstrate the ability of the threat knowledge graph to uncover many associations that are currently unknown but will be revealed in the future, which remains useful over different time periods. We propose approaches to optimize the knowledge graph and show that they indeed help in further uncovering associations. We have made the artifacts of our work publicly available.
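As an added illustration, not code from the paper or its repository, the evaluation protocol the abstract describes can be sketched in Python: a constructed toy CVE/CWE/CPE graph, a simple neighbourhood scoring heuristic standing in for the learned embedding model, and Mean Rank, Mean Reciprocal Rank and Hits@N computed in closed world (known CVE-CWE links, with and without filtering of other known tails) and in open world (a link revealed after the graph was built). All entity names and the scoring rule are assumptions.

```python
# Constructed toy threat knowledge graph (an assumption, not the paper's data).
# Triples (head, relation, tail): a CVE "affects" a CPE product, a CVE "has_cwe" a weakness.
KNOWN = {
    ("CVE-A", "affects", "cpe:prod1"), ("CVE-A", "has_cwe", "CWE-79"),
    ("CVE-B", "affects", "cpe:prod1"), ("CVE-B", "has_cwe", "CWE-79"),
    ("CVE-C", "affects", "cpe:prod2"), ("CVE-C", "has_cwe", "CWE-89"),
    ("CVE-D", "affects", "cpe:prod1"), ("CVE-D", "affects", "cpe:prod2"),
    ("CVE-D", "has_cwe", "CWE-89"), ("CVE-D", "has_cwe", "CWE-79"),
    ("CVE-E", "affects", "cpe:prod1"),          # no CWE assigned yet
}
# Open-world ground truth: a CVE-CWE mapping revealed after the graph was built.
REVEALED = {("CVE-E", "has_cwe", "CWE-79")}

def tails(triples, head, rel):
    return {t for h, r, t in triples if h == head and r == rel}

def score(triples, cve, cwe):
    """Neighbourhood heuristic standing in for a learned embedding model:
    a CWE is plausible for a CVE if other CVEs on the same products carry it."""
    prods = tails(triples, cve, "affects")
    peers = {h for h, r, t in triples if r == "affects" and t in prods and h != cve}
    return sum(cwe in tails(triples, p, "has_cwe") for p in peers)

def rank_of(triples, head, true_tail, candidates, filtered=True):
    """1-based rank of true_tail among candidates. Filtered ranking ignores other
    tails already known to be true for this head; ties count against the model."""
    skip = (tails(triples, head, "has_cwe") if filtered else set()) | {true_tail}
    s_true = score(triples, head, true_tail)
    return 1 + sum(score(triples, head, c) >= s_true
                   for c in candidates if c not in skip)

def evaluate(triples, test, filtered=True, n=1):
    """Mean Rank, Mean Reciprocal Rank and Hits@n over has_cwe test triples."""
    cands = {t for _, r, t in triples | test if r == "has_cwe"}
    ranks = [rank_of(triples, h, t, cands, filtered) for h, _, t in test]
    return (sum(ranks) / len(ranks),
            sum(1 / r for r in ranks) / len(ranks),
            sum(r <= n for r in ranks) / len(ranks))

# Closed world: the known CVE-CWE links are themselves the test set.
closed = {t for t in KNOWN if t[1] == "has_cwe"}

if __name__ == "__main__":
    print("closed world, filtered:  ", evaluate(KNOWN, closed))
    print("closed world, unfiltered:", evaluate(KNOWN, closed, filtered=False))
    print("open world:              ", evaluate(KNOWN, REVEALED))
```

Filtering matters for CVE-D, which carries two weaknesses: unfiltered, its other true CWE outranks the one under test and is counted as an error, which is the inflation effect closed-world metrics are prone to.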


Cited By

  • SecKG2vec: A novel security knowledge graph relational reasoning method based on semantic and structural fusion embedding. Computers & Security 149 (2025), 104192. DOI: 10.1016/j.cose.2024.104192
  • A Comprehensive Review and Assessment of Cybersecurity Vulnerability Detection Methodologies. Journal of Cybersecurity and Privacy 4, 4 (2024), 853–908. DOI: 10.3390/jcp4040040
  • VulnScopper: Unveiling Hidden Links Between Unseen Security Entities. Proceedings of the 3rd GNNet Workshop on Graph Neural Networking (2024), 33–40. DOI: 10.1145/3694811.3697819
  • Poster: Analyzing and Correcting Inaccurate CVE-CWE Mappings in the National Vulnerability Database. Proceedings of the 2024 ACM SIGSAC Conference on Computer and Communications Security (2024), 5042–5044. DOI: 10.1145/3658644.3691375


Published In

ACM Transactions on Privacy and Security, Volume 27, Issue 1
February 2024
369 pages
EISSN: 2471-2574
DOI: 10.1145/3613489

Publisher

Association for Computing Machinery

New York, NY, United States

Publication History

Published: 05 February 2024
Online AM: 19 January 2024
Accepted: 13 December 2023
Revised: 14 October 2023
Received: 20 April 2023
Published in TOPS Volume 27, Issue 1


Author Tags

  1. Vulnerability
  2. threat modeling
  3. knowledge graph
  4. link prediction

Qualifiers

  • Research-article

Funding Sources

  • Honda Research Institute Europe GmbH and BU Hariri Institute Research Incubation Award
  • Boston University Red Hat Collaboratory
  • US National Science Foundation


Article Metrics

  • Downloads (last 12 months): 3,612
  • Downloads (last 6 weeks): 465

Reflects downloads up to 02 Mar 2025
