This paper addresses a critical challenge in cybersecurity: the gap between
vulnerability information represented by Common Vulnerabilities and Exposures
(CVEs) and the resulting cyberattack actions. CVEs provide insights into
vulnerabilities, but often lack details on potential threat actions (tactics,
techniques, and procedures, or TTPs) within the ATT&CK framework. This gap
hinders accurate CVE categorization and proactive countermeasure initiation.
The paper introduces the TTPpredictor tool, which uses innovative techniques to
analyze CVE descriptions and infer plausible TTP attacks resulting from CVE
exploitation. TTPpredictor overcomes challenges posed by limited labeled data
and semantic disparities between CVE and TTP descriptions. It initially
extracts threat actions from unstructured cyber threat reports using Semantic
Role Labeling (SRL) techniques. These actions, along with their contextual
attributes, are correlated with MITRE's attack functionality classes. This
automated correlation facilitates the creation of labeled data, essential for
categorizing novel threat actions into threat functionality classes and TTPs.
The paper presents an empirical assessment, demonstrating TTPpredictor's
effectiveness with accuracy rates of approximately 98% and F1-scores ranging
from 95% to 98% in precise CVE classification to ATT&CK techniques.
TTPpredictor outperforms state-of-the-art language model tools like ChatGPT.
Overall, this paper offers a robust solution for linking CVEs to potential
attack techniques, enhancing cybersecurity practitioners' ability to
proactively identify and mitigate threats