Go to main content | Go to main menu | Go to search

Publication details

From Attack Descriptions to Vulnerabilities: A Sentence Transformer-Based Approach

Authors

OTHMAN Refat T A RIMAWI Diaeddin ROSSI Bruno RUSSO Barbara

Year of publication 2026
Type Article in Periodical
Magazine / Source JOURNAL OF SYSTEMS AND SOFTWARE
MU Faculty or unit

Faculty of Informatics

Citation
web https://doi.org/10.1016/j.jss.2025.112615
Doi https://doi.org/10.1016/j.jss.2025.112615
Keywords Cyber threat intelligence; MITRE ATT&CK; CAPEC; CVE; Sentence transformer; Attack-vulnerability linking; Pretrained language models
Description In the domain of security, vulnerabilities frequently remain undetected even after their exploitation. In this work, vulnerabilities refer to publicly disclosed flaws documented in Common Vulnerabilities and Exposures (CVE) reports. Establishing a connection between attacks and vulnerabilities is essential for enabling timely incident response, as it provides defenders with immediate, actionable insights. However, manually mapping attacks to CVEs is infeasible, thereby motivating the need for automation. This paper evaluates 14 state-ofthe-art (SOTA) sentence transformers for automatically identifying vulnerabilities from textual descriptions of attacks. Our results demonstrate that the multi-qa-mpnet-base-dot-v1 (MMPNet) model achieves superior classification performance when using attack Technique descriptions, with an F1-score of 89.0, precision of 84.0, and recall of 94.7. Furthermore, it was observed that, on average, 56% of the vulnerabilities identified by the MMPNet model are also represented within the CVE repository in conjunction with an attack, while 61% of the vulnerabilities detected by the model correspond to those cataloged in the CVE repository. A manual inspection of the results revealed the existence of 275 predicted links that were not documented in the MITRE repositories. Consequently, the automation of linking attack techniques to vulnerabilities not only enhances the detection and response capabilities related to software security incidents but also diminishes the duration during which vulnerabilities remain exploitable, thereby contributing to the development of more secure systems.

You are running an old browser version. We recommend updating your browser to its latest version.

More info