{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,5,17]],"date-time":"2026-05-17T09:55:39Z","timestamp":1779011739467,"version":"3.51.4"},"reference-count":39,"publisher":"Association for Computing Machinery (ACM)","issue":"8","license":[{"start":{"date-parts":[[2024,7,31]],"date-time":"2024-07-31T00:00:00Z","timestamp":1722384000000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/www.acm.org\/publications\/policies\/copyright_policy#Background"}],"content-domain":{"domain":["dl.acm.org"],"crossmark-restriction":true},"short-container-title":["ACM Trans. Knowl. Discov. Data"],"published-print":{"date-parts":[[2024,9,30]]},"abstract":"<jats:p>\n            Software vulnerabilities, also known as flaws, bugs or weaknesses, are common in modern information systems, putting critical data of organizations and individuals at cyber risk. Due to the scarcity of resources, initial risk assessment is becoming a necessary step to prioritize vulnerabilities and make better decisions on remediation, mitigation, and patching. Datasets containing historical vulnerability information are crucial digital assets to enable AI-based risk assessments. However, existing datasets focus on collecting information on individual vulnerabilities while simply storing them in relational databases, disregarding their structural connections. This article constructs a compact vulnerability knowledge graph, VulKG, containing over 276 K nodes and 1 M relationships to represent the connections between vulnerabilities, exploits, affected products, vendors, referred domain names, and more. We provide a detailed analysis of VulKG modeling and construction, demonstrating VulKG-based query and reasoning, and providing a use case of applying VulKG to a vulnerability risk assessment task, i.e., co-exploitation behavior discovery. Experimental results demonstrate the value of graph connections in vulnerability risk assessment tasks. VulKG offers exciting opportunities for more novel and significant research in areas related to vulnerability risk assessment. The data and codes of this article are available at\n            <jats:ext-link xmlns:xlink=\"http:\/\/www.w3.org\/1999\/xlink\" ext-link-type=\"url\" xlink:href=\"https:\/\/github.com\/happyResearcher\/VulKG.git\">https:\/\/github.com\/happyResearcher\/VulKG.git<\/jats:ext-link>\n            .\n          <\/jats:p>","DOI":"10.1145\/3671005","type":"journal-article","created":{"date-parts":[[2024,6,5]],"date-time":"2024-06-05T08:47:41Z","timestamp":1717577261000},"page":"1-17","update-policy":"https:\/\/doi.org\/10.1145\/crossmark-policy","source":"Crossref","is-referenced-by-count":29,"title":["A Compact Vulnerability Knowledge Graph for Risk Assessment"],"prefix":"10.1145","volume":"18","author":[{"ORCID":"https:\/\/orcid.org\/0000-0002-0269-2624","authenticated-orcid":false,"given":"Jiao","family":"Yin","sequence":"first","affiliation":[{"name":"Institute for Sustainable Industries and Liveable Cities, Victoria University, Melbourne, Australia"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"ORCID":"https:\/\/orcid.org\/0000-0003-2833-9228","authenticated-orcid":false,"given":"Wei","family":"Hong","sequence":"additional","affiliation":[{"name":"School of Artificial Intelligence, Chongqing University of Arts and Sciences, Chongqing, China"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"ORCID":"https:\/\/orcid.org\/0000-0002-8465-0996","authenticated-orcid":false,"given":"Hua","family":"Wang","sequence":"additional","affiliation":[{"name":"Institute for Sustainable Industries and Liveable Cities, Victoria University, Melbourne, Australia"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"ORCID":"https:\/\/orcid.org\/0000-0002-0221-6361","authenticated-orcid":false,"given":"Jinli","family":"Cao","sequence":"additional","affiliation":[{"name":"Department of Computer Science and Information Technology, La Trobe University, Melbourne, Australia"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"ORCID":"https:\/\/orcid.org\/0000-0002-6712-3465","authenticated-orcid":false,"given":"Yuan","family":"Miao","sequence":"additional","affiliation":[{"name":"Institute for Sustainable Industries and Liveable Cities, Victoria University, Melbourne, Australia"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"ORCID":"https:\/\/orcid.org\/0000-0002-5094-5980","authenticated-orcid":false,"given":"Yanchun","family":"Zhang","sequence":"additional","affiliation":[{"name":"Institute for Sustainable Industries and Liveable Cities, Victoria University, Melbourne, Australia"}],"role":[{"role":"author","vocabulary":"crossref"}]}],"member":"320","published-online":{"date-parts":[[2024,7,31]]},"reference":[{"key":"e_1_3_2_2_2","doi-asserted-by":"publisher","DOI":"10.1109\/CyberSecurity.2012.12"},{"key":"e_1_3_2_3_2","doi-asserted-by":"publisher","DOI":"10.1145\/1835804.1835821"},{"key":"e_1_3_2_4_2","doi-asserted-by":"publisher","DOI":"10.24963\/ijcai.2019\/937"},{"key":"e_1_3_2_5_2","doi-asserted-by":"publisher","DOI":"10.1145\/3292500.3330742"},{"key":"e_1_3_2_6_2","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-319-91662-0_3"},{"key":"e_1_3_2_7_2","first-page":"48","volume-title":"Proceedings of the 13th Scandinavian Conference on Artificial Intelligence (SCAI 15)","author":"Edkrantz Michel","year":"2015","unstructured":"Michel Edkrantz and Alan Said. 2015. Predicting cyber vulnerability exploits with machine learning. In Proceedings of the 13th Scandinavian Conference on Artificial Intelligence (SCAI 15). 48\u201357."},{"key":"e_1_3_2_8_2","doi-asserted-by":"publisher","DOI":"10.1145\/3092566"},{"key":"e_1_3_2_9_2","doi-asserted-by":"publisher","DOI":"10.1016\/j.ins.2020.11.053"},{"key":"e_1_3_2_10_2","doi-asserted-by":"publisher","DOI":"10.5555\/3294771.3294869"},{"key":"e_1_3_2_11_2","doi-asserted-by":"publisher","DOI":"10.1109\/ICSME.2017.52"},{"key":"e_1_3_2_12_2","doi-asserted-by":"crossref","unstructured":"Jay Jacobs Sasha Romanosky Benjamin Edwards Michael Roytman and Idris Adjerid. 2019. Exploit prediction scoring system (EPSS) Digital Threats: Research and Practice. 2: 1 - 17. Retrieved from https:\/\/api.semanticscholar.org\/CorpusID:199577534","DOI":"10.1145\/3436242"},{"key":"e_1_3_2_13_2","doi-asserted-by":"publisher","DOI":"10.1016\/j.eng.2018.01.004"},{"key":"e_1_3_2_14_2","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-030-30796-7_13"},{"key":"e_1_3_2_15_2","unstructured":"Thomas N. Kipf and Max Welling. 2016. Semi-supervised classification with graph convolutional networks. Retrieved from https:\/\/api.semanticscholar.org\/CorpusID:3144218"},{"key":"e_1_3_2_16_2","doi-asserted-by":"publisher","DOI":"10.1007\/s11280-018-0578-x"},{"key":"e_1_3_2_17_2","doi-asserted-by":"publisher","DOI":"10.1016\/j.jnca.2019.01.029"},{"key":"e_1_3_2_18_2","doi-asserted-by":"publisher","DOI":"10.1007\/s11280-017-0487-4"},{"key":"e_1_3_2_19_2","doi-asserted-by":"publisher","DOI":"10.1145\/3529757"},{"key":"e_1_3_2_20_2","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-030-16145-3_11"},{"key":"e_1_3_2_21_2","doi-asserted-by":"publisher","DOI":"10.1016\/j.jss.2022.111283"},{"key":"e_1_3_2_22_2","doi-asserted-by":"publisher","DOI":"10.1109\/TETCI.2019.2915813"},{"key":"e_1_3_2_23_2","first-page":"117","volume-title":"Handbook of Statistics","author":"Noel Steven","year":"2016","unstructured":"Steven Noel, Eric Harley, Kam Him Tam, Michael Limiero, and Matthew Share. 2016. CyGraph: Graph-based analytics and visualization for cybersecurity. In: Venkat N. Gudivada, Vijay V. Raghavan, Venu Govindaraju, C.R. Rao (Eds.), Handbook of Statistics, Vol. 35. Elsevier, 117\u2013167."},{"key":"e_1_3_2_24_2","doi-asserted-by":"publisher","DOI":"10.1007\/978-981-15-1922-2_1"},{"key":"e_1_3_2_25_2","doi-asserted-by":"publisher","DOI":"10.1016\/j.jss.2019.06.001"},{"key":"e_1_3_2_26_2","first-page":"1041","volume-title":"Proceedings of the 24th {USENIX{USENIX} Security 15)","author":"Sabottke Carl","year":"2015","unstructured":"Carl Sabottke, Octavian Suciu, and Tudor Dumitra\u0219. 2015. Vulnerability disclosure in the age of social media: Exploiting twitter for predicting real-world exploits. In Proceedings of the 24th {USENIX{USENIX} Security 15). 1041\u20131056."},{"key":"e_1_3_2_27_2","doi-asserted-by":"publisher","DOI":"10.1109\/SecDev53368.2022.00028"},{"key":"e_1_3_2_28_2","doi-asserted-by":"publisher","DOI":"10.1109\/MSN50589.2020.00126"},{"key":"e_1_3_2_29_2","doi-asserted-by":"publisher","DOI":"10.1609\/aaai.v32i1.11428"},{"key":"e_1_3_2_30_2","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-031-19214-2_42"},{"key":"e_1_3_2_31_2","doi-asserted-by":"publisher","DOI":"10.1145\/3326362"},{"key":"e_1_3_2_32_2","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-030-36718-3_5"},{"key":"e_1_3_2_33_2","unstructured":"Keyulu Xu Weihua Hu Jure Leskovec and Stefanie Jegelka. 2018. How powerful are graph neural networks? Retrieved from https:\/\/api.semanticscholar.org\/CorpusID:52895589"},{"key":"e_1_3_2_34_2","doi-asserted-by":"publisher","DOI":"10.1016\/j.knosys.2020.106529"},{"key":"e_1_3_2_35_2","doi-asserted-by":"publisher","DOI":"10.1016\/j.neucom.2021.01.144"},{"key":"e_1_3_2_36_2","doi-asserted-by":"publisher","DOI":"10.1007\/978-3-030-62008-0_18"},{"key":"e_1_3_2_37_2","doi-asserted-by":"publisher","DOI":"10.1109\/TII.2022.3192027"},{"key":"e_1_3_2_38_2","first-page":"1","article-title":"A knowledge graph empowered online learning framework for access control decision-making","volume":"26","author":"You Mingshan","year":"2022","unstructured":"Mingshan You, Jiao Yin, Hua Wang, Jinli Cao, Kate Wang, Yuan Miao, and Elisa Bertino. 2022. A knowledge graph empowered online learning framework for access control decision-making. World Wide Web 26, (2022), 1\u201322.","journal-title":"World Wide Web"},{"key":"e_1_3_2_39_2","doi-asserted-by":"publisher","DOI":"10.1109\/COMPSAC51774.2021.00116"},{"key":"e_1_3_2_40_2","first-page":"7548","article-title":"Graph geometry interaction learning","volume":"33","author":"Zhu Shichao","year":"2020","unstructured":"Shichao Zhu, Shirui Pan, Chuan Zhou, Jia Wu, Yanan Cao, and Bin Wang. 2020. Graph geometry interaction learning. Advances in Neural Information Processing Systems 33 (2020), 7548\u20137558.","journal-title":"Advances in Neural Information Processing Systems"}],"container-title":["ACM Transactions on Knowledge Discovery from Data"],"original-title":[],"language":"en","link":[{"URL":"https:\/\/dl.acm.org\/doi\/10.1145\/3671005","content-type":"unspecified","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/dl.acm.org\/doi\/pdf\/10.1145\/3671005","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2025,6,19]],"date-time":"2025-06-19T01:09:55Z","timestamp":1750295395000},"score":1,"resource":{"primary":{"URL":"https:\/\/dl.acm.org\/doi\/10.1145\/3671005"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2024,7,31]]},"references-count":39,"journal-issue":{"issue":"8","published-print":{"date-parts":[[2024,9,30]]}},"alternative-id":["10.1145\/3671005"],"URL":"https:\/\/doi.org\/10.1145\/3671005","relation":{},"ISSN":["1556-4681","1556-472X"],"issn-type":[{"value":"1556-4681","type":"print"},{"value":"1556-472X","type":"electronic"}],"subject":[],"published":{"date-parts":[[2024,7,31]]},"assertion":[{"value":"2023-03-16","order":0,"name":"received","label":"Received","group":{"name":"publication_history","label":"Publication History"}},{"value":"2024-05-31","order":2,"name":"accepted","label":"Accepted","group":{"name":"publication_history","label":"Publication History"}},{"value":"2024-07-31","order":3,"name":"published","label":"Published","group":{"name":"publication_history","label":"Publication History"}}]}}