Ehsan Khodayarseresht (Concordia University), Suryadipta Majumdar (Concordia University), Serguei Mokhov (Concordia University), Mourad Debbabi (Concordia University)

The Common Vulnerabilities and Exposures (CVE) program each year records thousands of known vulnerabilities without actionable context about how these vulnerabilities might be exploited by attackers. On the other hand, the MITRE ATT&CK framework outlines attack tactics, techniques, and procedures (TTPs) without linking them to specific vulnerabilities. While enabling automatic mapping of CVE descriptions to TTPs can allow more accurate and more efficient threat detection and mitigation, existing efforts face several challenges: (i) the lack of large-scale, high-quality datasets linking CVEs to TTPs; (ii) the presence of uneven data distributions and missing key TTPs in the existing datasets; (iii) the difficulty of accurately extracting adversarial behaviors from unstructured CVE descriptions; and (iv) the lack of adaptive learning mechanisms for continuously correcting the mappings. This paper addresses those challenges with NEXUS, a framework to automatically map CVEs to TTPs. Our evaluation (on a newly built dataset, covering 208 TTPs and 92K+ CVEs, along with other public datasets) shows that NEXUS achieves a maximum F1-score of 97.94% in CVE-to-TTP mapping, with the capability to work on new CVE entries, compared to existing works that achieve a maximum of 67.68%.
