Identifying missing relationships of CAPEC attack patterns by transformer models and graph structure

As threats to software vulnerabilities diversify, countermeasures against various threat patterns become more critical. The Common Attack Pattern Enumeration and Classification (CAPEC) is a catalog of security attack patterns that helps understand what attacks can be launched against these vulnerabilities. CAPEC defines relationships between attack patterns, but these are manually associated so that some may be missed. This paper proposes a method to identify missed relationships using the transformer model and existing relational graph structures. Specifically, pre-trained models are fine-tuned using BERT and Longformer based on the names and descriptions of the two attack patterns and their relationships. Then missed relationships are identified by the classification task, and graph structure rules are defined for the identified relations to determine whether they are graph-structurally correct. Finally, whether the relations are semantically correct is verified. Our evaluation found that 41 likely relationships were missed.