BeClaude
Research, 2026-07-01

CVE-TTP KG: Knowledge Graph Linking Software Vulnerabilities to Attack Behaviors

Originally published by Arxiv CS.AI

arXiv:2606.31557v1 Announce Type: cross Abstract: In the evolving threat landscape, adversaries exploit software vulnerabilities to launch sophisticated attacks, challenging traditional defenses. Although databases like CVE and NVD provide detailed technical information, they often lack links to...

Bridging the Gap: A Knowledge Graph That Connects CVEs to Real-World Attack Behaviors

A new research paper from arXiv introduces CVE-TTP KG, a knowledge graph designed to link Common Vulnerabilities and Exposures (CVEs) to Tactics, Techniques, and Procedures (TTPs) from the MITRE ATT&CK framework. This work addresses a persistent blind spot in cybersecurity: while vulnerability databases like CVE and NVD catalog technical flaws in excruciating detail, they rarely tell security teams how those flaws are actually weaponized in the wild. The proposed system automatically extracts and structures these connections, creating a machine-readable bridge between static vulnerability data and dynamic adversary behavior.

Why This Matters

The disconnect between vulnerability management and threat intelligence has long frustrated security operations. A CVE score tells you a vulnerability is critical, but it does not reveal which attack chain it enables—whether it is used for initial access, privilege escalation, or lateral movement. Without this context, defenders waste resources patching low-impact flaws while overlooking those that directly enable active campaigns.

CVE-TTP KG tackles this by parsing unstructured sources—threat reports, exploit databases, and security advisories—to infer which TTPs a given CVE supports. The result is a graph where nodes represent CVEs, TTPs, and software products, and edges denote exploitable relationships. For example, CVE-2023-34362 (a SQL injection in MOVEit Transfer) would be linked to TTPs like T1190 (Exploit Public-Facing Application) and T1505.003 (Web Shell). This transforms a flat list of vulnerabilities into an actionable map of attack paths.
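To make the graph structure concrete, here is an added Python sketch (not the paper's code or data) of a miniature CVE-TTP graph with the three node types and two edge types described above, plus the two defender-side queries the article motivates: attack paths from an exposed product, and CVE prioritization against currently observed TTPs. The MOVEit Transfer entry is the page's own example; the second CVE, the product "ExampleApp" and the technique-to-tactic table are constructed placeholders.

```python
from collections import defaultdict

# Constructed miniature of the graph: triples (subject, relation, object).
# "affects": CVE -> software product; "enables": CVE -> ATT&CK technique.
# CVE-0000-PLACEHOLDER is an obviously fake id used only for illustration.
EDGES = [
    ("CVE-2023-34362", "affects", "MOVEit Transfer"),
    ("CVE-2023-34362", "enables", "T1190"),       # Exploit Public-Facing Application
    ("CVE-2023-34362", "enables", "T1505.003"),   # Server Software Component: Web Shell
    ("CVE-0000-PLACEHOLDER", "affects", "ExampleApp"),
    ("CVE-0000-PLACEHOLDER", "enables", "T1068"), # Exploitation for Privilege Escalation
]

# Constructed subset mapping techniques to their ATT&CK tactic.
TTP_TACTIC = {"T1190": "initial-access", "T1505.003": "persistence",
              "T1068": "privilege-escalation"}


class CveTtpGraph:
    def __init__(self, edges):
        self.out = defaultdict(set)   # (subject, relation) -> {objects}
        self.inc = defaultdict(set)   # (relation, object)  -> {subjects}
        for src, rel, dst in edges:
            self.out[(src, rel)].add(dst)
            self.inc[(rel, dst)].add(src)

    def ttps_for_cve(self, cve):
        return sorted(self.out[(cve, "enables")])

    def cves_for_product(self, product):
        return sorted(self.inc[("affects", product)])

    def attack_paths(self, product):
        """Walk product -> CVE -> TTP and attach the tactic, i.e. what
        an exposed product lets an adversary achieve and at which stage."""
        return [(cve, ttp, TTP_TACTIC.get(ttp, "unknown"))
                for cve in self.cves_for_product(product)
                for ttp in self.ttps_for_cve(cve)]

    def prioritize(self, inventory, active_ttps):
        """Rank CVEs affecting the given inventory by how many TTPs
        currently seen in campaigns they enable (ties broken by CVE id)."""
        wanted = set(active_ttps)
        scores = {}
        for product in inventory:
            for cve in self.cves_for_product(product):
                scores[cve] = len(set(self.ttps_for_cve(cve)) & wanted)
        return sorted(scores.items(), key=lambda kv: (-kv[1], kv[0]))
```

Feeding `prioritize` the products in an asset inventory and the techniques from current threat reports yields the context-aware ordering the article argues plain CVSS scores cannot provide.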

Implications for AI Practitioners

For those building AI-driven security tools, this research offers both a resource and a methodology. First, the knowledge graph itself can serve as a structured training dataset for models that need to reason about vulnerability exploitation. Instead of training on raw CVE descriptions, models can learn from curated relationships—improving tasks like automated prioritization, threat hunting, or incident response summarization.

Second, the approach demonstrates a viable pipeline for extracting structured threat intelligence from unstructured text. Practitioners working on security-focused LLMs or retrieval-augmented generation (RAG) systems can adopt similar techniques to enrich their knowledge bases. The key innovation is the use of entity linking and relation extraction tailored to the cybersecurity domain, which reduces hallucination risk when models attempt to map CVEs to attack behaviors.

Third, this work highlights a broader trend: the need for interoperable security ontologies. As AI agents become more autonomous in security operations, they require standardized, machine-readable representations of threats. CVE-TTP KG is a step toward that goal, but practitioners should note that graph maintenance and update frequency remain open challenges—cyber threat intelligence evolves faster than most static databases.

Key Takeaways

  • CVE-TTP KG creates a structured knowledge graph linking software vulnerabilities to MITRE ATT&CK attack behaviors, enabling context-aware vulnerability prioritization.
  • The system extracts relationships from unstructured threat reports, offering a blueprint for building domain-specific AI training datasets.
  • AI practitioners can leverage this graph to improve automated threat reasoning, reduce hallucination in security LLMs, and build more effective RAG pipelines.
  • The approach underscores the growing importance of interoperable, machine-readable threat ontologies for next-generation autonomous security systems.