{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,3,24]],"date-time":"2026-03-24T15:52:55Z","timestamp":1774367575990,"version":"3.50.1"},"reference-count":40,"publisher":"Association for Computing Machinery (ACM)","issue":"1","license":[{"start":{"date-parts":[[2024,2,5]],"date-time":"2024-02-05T00:00:00Z","timestamp":1707091200000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/www.acm.org\/publications\/policies\/copyright_policy#Background"}],"funder":[{"name":"Honda Research Institute Europe GmbH and BU Hariri Institute Research Incubation Award","award":["2020-06-006"],"award-info":[{"award-number":["2020-06-006"]}]},{"name":"Boston University Red Hat Collaboratory","award":["2022-01-RH03"],"award-info":[{"award-number":["2022-01-RH03"]}]},{"DOI":"10.13039\/100000001","name":"US National Science Foundation","doi-asserted-by":"crossref","award":["CNS-1717858 CNS-1908087 CCF-2006628, EECS-2128517"],"award-info":[{"award-number":["CNS-1717858 CNS-1908087 CCF-2006628, EECS-2128517"]}],"id":[{"id":"10.13039\/100000001","id-type":"DOI","asserted-by":"crossref"}]}],"content-domain":{"domain":["dl.acm.org"],"crossmark-restriction":true},"short-container-title":["ACM Trans. Priv. Secur."],"published-print":{"date-parts":[[2024,2,29]]},"abstract":"<jats:p>Security assessment relies on public information about products, vulnerabilities, and weaknesses. So far, databases in these categories have rarely been analyzed in combination. Yet, doing so could help predict unreported vulnerabilities and identify common threat patterns. In this article, we propose a methodology for producing and optimizing a knowledge graph that aggregates knowledge from common threat databases (CVE, CWE, and CPE). We apply the threat knowledge graph to predict associations between threat databases, specifically between products, vulnerabilities, and weaknesses. We evaluate the prediction performance both in closed world with associations from the knowledge graph and in open world with associations revealed afterward. Using rank-based metrics (i.e., Mean Rank, Mean Reciprocal Rank, and Hits@N scores), we demonstrate the ability of the threat knowledge graph to uncover many associations that are currently unknown but will be revealed in the future, which remains useful over different time periods. We propose approaches to optimize the knowledge graph and show that they indeed help in further uncovering associations. We have made the artifacts of our work publicly available.<\/jats:p>","DOI":"10.1145\/3641819","type":"journal-article","created":{"date-parts":[[2024,1,19]],"date-time":"2024-01-19T12:11:14Z","timestamp":1705666274000},"page":"1-26","update-policy":"https:\/\/doi.org\/10.1145\/crossmark-policy","source":"Crossref","is-referenced-by-count":19,"title":["Uncovering CWE-CVE-CPE Relations with Threat Knowledge Graphs"],"prefix":"10.1145","volume":"27","author":[{"ORCID":"https:\/\/orcid.org\/0000-0002-3524-4182","authenticated-orcid":false,"given":"Zhenpeng","family":"Shi","sequence":"first","affiliation":[{"name":"Boston University, Boston, USA"}]},{"ORCID":"https:\/\/orcid.org\/0000-0001-8974-3078","authenticated-orcid":false,"given":"Nikolay","family":"Matyunin","sequence":"additional","affiliation":[{"name":"Honda Research Institute Europe GmbH, Offenbach am Main, Germany"}]},{"ORCID":"https:\/\/orcid.org\/0000-0003-1708-6835","authenticated-orcid":false,"given":"Kalman","family":"Graffi","sequence":"additional","affiliation":[{"name":"Technische Hochschule Bingen, Bingen, Germany"}]},{"ORCID":"https:\/\/orcid.org\/0000-0002-8071-3865","authenticated-orcid":false,"given":"David","family":"Starobinski","sequence":"additional","affiliation":[{"name":"Boston University, Boston, USA"}]}],"member":"320","published-online":{"date-parts":[[2024,2,5]]},"reference":[{"key":"e_1_3_1_2_2","doi-asserted-by":"publisher","DOI":"10.1145\/3318464.3380599"},{"key":"e_1_3_1_3_2","first-page":"1","volume-title":"IEEE Symposium on Computers and Communications (ISCC\u201920)","author":"Aota Masaki","year":"2020","unstructured":"Masaki Aota, Hideaki Kanehara, Masaki Kubo, Noboru Murata, Bo Sun, and Takeshi Takahashi. 2020. Automation of vulnerability classification from its description using machine learning. In IEEE Symposium on Computers and Communications (ISCC\u201920). IEEE, 1\u20137."},{"key":"e_1_3_1_4_2","doi-asserted-by":"publisher","DOI":"10.1145\/3510003.3510113"},{"key":"e_1_3_1_5_2","article-title":"Translating embeddings for modeling multi-relational data","volume":"26","author":"Bordes Antoine","year":"2013","unstructured":"Antoine Bordes, Nicolas Usunier, Alberto Garcia-Duran, Jason Weston, and Oksana Yakhnenko. 2013. Translating embeddings for modeling multi-relational data. Adv. Neural Inf. Process. Syst. 26 (2013).","journal-title":"Adv. Neural Inf. Process. Syst."},{"key":"e_1_3_1_6_2","article-title":"Identifying vulnerable third-party libraries from textual descriptions of vulnerabilities and libraries","author":"Chen Tianyu","year":"2023","unstructured":"Tianyu Chen, Lin Li, Bingjie Shan, Guangtai Liang, Ding Li, Qianxiang Wang, and Tao Xie. 2023. Identifying vulnerable third-party libraries from textual descriptions of vulnerabilities and libraries. arXiv preprint arXiv:2307.08206 (2023).","journal-title":"arXiv preprint arXiv:2307.08206"},{"key":"e_1_3_1_7_2","doi-asserted-by":"publisher","DOI":"10.1016\/j.eswa.2019.112948"},{"key":"e_1_3_1_8_2","doi-asserted-by":"publisher","DOI":"10.1109\/DSAA53316.2021.9564227"},{"key":"e_1_3_1_9_2","unstructured":"Google. 2023. OSV\u2014A distributed vulnerability database for Open Source. Retrieved from https:\/\/osv.dev\/"},{"key":"e_1_3_1_10_2","unstructured":"Google. 2023. OSV-Scanner. Retrieved from https:\/\/github.com\/google\/osv-scanner"},{"key":"e_1_3_1_11_2","article-title":"On the equivalence of holographic and complex embeddings for link prediction","author":"Hayashi Katsuhiko","year":"2017","unstructured":"Katsuhiko Hayashi and Masashi Shimbo. 2017. On the equivalence of holographic and complex embeddings for link prediction. arXiv preprint arXiv:1702.05563 (2017).","journal-title":"arXiv preprint arXiv:1702.05563"},{"key":"e_1_3_1_12_2","doi-asserted-by":"publisher","DOI":"10.1145\/3289600.3290956"},{"key":"e_1_3_1_13_2","unstructured":"IriusRisk. 2023. Irius Risk | Automated Threat Modeling Tool. Retrieved from https:\/\/www.iriusrisk.com\/"},{"key":"e_1_3_1_14_2","doi-asserted-by":"publisher","DOI":"10.1109\/TNNLS.2021.3070843"},{"key":"e_1_3_1_15_2","doi-asserted-by":"publisher","DOI":"10.1109\/CBD.2017.58"},{"key":"e_1_3_1_16_2","article-title":"Chronos: Time-aware zero-shot identification of libraries from vulnerability reports","author":"Lyu Yunbo","year":"2023","unstructured":"Yunbo Lyu, Thanh Le-Cong, Hong Jin Kang, Ratnadira Widyasari, Zhipeng Zhao, Xuan-Bach D Le, Ming Li, and David Lo. 2023. Chronos: Time-aware zero-shot identification of libraries from vulnerability reports. arXiv preprint arXiv:2301.03944 (2023).","journal-title":"arXiv preprint arXiv:2301.03944"},{"key":"e_1_3_1_17_2","unstructured":"MITRE. 2023. Common Attack Pattern Enumerations and Classifications (CAPEC). Retrieved from https:\/\/capec.mitre.org"},{"key":"e_1_3_1_18_2","unstructured":"MITRE. 2023. Common Vulnerabilities and Exposure (CVE). Retrieved from https:\/\/cve.mitre.org"},{"key":"e_1_3_1_19_2","unstructured":"MITRE. 2023. Common Weakness Enumeration (CWE). Retrieved from https:\/\/cwe.mitre.org"},{"key":"e_1_3_1_20_2","unstructured":"MITRE. 2023. CWE Glossary. Retrieved from https:\/\/cwe.mitre.org\/documents\/glossary\/index.html"},{"key":"e_1_3_1_21_2","unstructured":"MITRE. 2023. Official Common Platform Enumeration (CPE) Dictionary. Retrieved from https:\/\/nvd.nist.gov\/products\/cpe"},{"key":"e_1_3_1_22_2","doi-asserted-by":"publisher","DOI":"10.1609\/aaai.v30i1.10314"},{"key":"e_1_3_1_23_2","unstructured":"NVD. 2023. CVE-2021-0144 Detail. Retrieved from https:\/\/nvd.nist.gov\/vuln\/detail\/CVE-2021-0144"},{"key":"e_1_3_1_24_2","unstructured":"NVD. 2023. CVE-2021-21348 Detail. Retrieved from https:\/\/nvd.nist.gov\/vuln\/detail\/CVE-2021-21348"},{"key":"e_1_3_1_25_2","unstructured":"NVD. 2023. National Vulnerability Database (NVD). Retrieved from https:\/\/nvd.nist.gov\/general"},{"key":"e_1_3_1_26_2","unstructured":"OWASP. 2023. pytm: A Pythonic framework for threat modeling. Retrieved from https:\/\/github.com\/izar\/pytm"},{"key":"e_1_3_1_27_2","doi-asserted-by":"publisher","DOI":"10.3233\/SW-160218"},{"key":"e_1_3_1_28_2","unstructured":"Christian Schneider. 2023. Threagile. Retrieved from https:\/\/threagile.io\/"},{"key":"e_1_3_1_29_2","doi-asserted-by":"publisher","DOI":"10.1109\/MSEC.2021.3125229"},{"key":"e_1_3_1_30_2","doi-asserted-by":"publisher","DOI":"10.1109\/SecDev53368.2022.00028"},{"key":"e_1_3_1_31_2","unstructured":"Zhenpeng Shi Nikolay Matyunin Kalman Graffi and David Starobinski. 2023. Threat Knowledge Graph. Retrieved from https:\/\/github.com\/nislab\/threat-knowledge-graph"},{"key":"e_1_3_1_32_2","first-page":"2071","volume-title":"33rd International Conference on Machine Learning","author":"Trouillon Th\u00e9o","year":"2016","unstructured":"Th\u00e9o Trouillon, Johannes Welbl, Sebastian Riedel, \u00c9ric Gaussier, and Guillaume Bouchard. 2016. Complex embeddings for simple link prediction. In 33rd International Conference on Machine Learning. PMLR, 2071\u20132080."},{"key":"e_1_3_1_33_2","doi-asserted-by":"publisher","DOI":"10.1109\/IDAACS53288.2021.9660968"},{"key":"e_1_3_1_34_2","doi-asserted-by":"publisher","DOI":"10.1109\/TKDE.2017.2754499"},{"key":"e_1_3_1_35_2","doi-asserted-by":"publisher","DOI":"10.1145\/3292500.3330989"},{"key":"e_1_3_1_36_2","doi-asserted-by":"publisher","DOI":"10.1145\/3442520.3442535"},{"key":"e_1_3_1_37_2","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-030-52683-2_1"},{"key":"e_1_3_1_38_2","article-title":"Embedding entities and relations for learning and inference in knowledge bases","author":"Yang Bishan","year":"2014","unstructured":"Bishan Yang, Wen-tau Yih, Xiaodong He, Jianfeng Gao, and Li Deng. 2014. Embedding entities and relations for learning and inference in knowledge bases. arXiv preprint arXiv:1412.6575 (2014).","journal-title":"arXiv preprint arXiv:1412.6575"},{"key":"e_1_3_1_39_2","doi-asserted-by":"publisher","DOI":"10.1109\/ICAI52893.2021.9639588"},{"key":"e_1_3_1_40_2","doi-asserted-by":"publisher","DOI":"10.1109\/COMPSAC51774.2021.00116"},{"key":"e_1_3_1_41_2","doi-asserted-by":"publisher","DOI":"10.1080\/19393555.2015.1111961"}],"container-title":["ACM Transactions on Privacy and Security"],"original-title":[],"language":"en","link":[{"URL":"https:\/\/dl.acm.org\/doi\/10.1145\/3641819","content-type":"unspecified","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/dl.acm.org\/doi\/pdf\/10.1145\/3641819","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2025,6,19]],"date-time":"2025-06-19T00:03:06Z","timestamp":1750291386000},"score":1,"resource":{"primary":{"URL":"https:\/\/dl.acm.org\/doi\/10.1145\/3641819"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2024,2,5]]},"references-count":40,"journal-issue":{"issue":"1","published-print":{"date-parts":[[2024,2,29]]}},"alternative-id":["10.1145\/3641819"],"URL":"https:\/\/doi.org\/10.1145\/3641819","relation":{},"ISSN":["2471-2566","2471-2574"],"issn-type":[{"value":"2471-2566","type":"print"},{"value":"2471-2574","type":"electronic"}],"subject":[],"published":{"date-parts":[[2024,2,5]]},"assertion":[{"value":"2023-04-20","order":0,"name":"received","label":"Received","group":{"name":"publication_history","label":"Publication History"}},{"value":"2023-12-13","order":1,"name":"accepted","label":"Accepted","group":{"name":"publication_history","label":"Publication History"}},{"value":"2024-02-05","order":2,"name":"published","label":"Published","group":{"name":"publication_history","label":"Publication History"}}]}}