Software vulnerabilities can remain undiscovered even after they have been exploited. Linking attacks to the vulnerabilities they exploit helps experts identify and respond to an incident promptly. This paper introduces VULDAT, a classification tool built on the sentence transformer MPNET that identifies system vulnerabilities from attack descriptions. We applied our model to 100 attack techniques from the ATT&CK repository and 685 issues from the CVE repository, and then compared the performance of VULDAT against eight other state-of-the-art classifiers based on sentence transformers. Our findings indicate that our model achieves the best performance, with an F1 score of 0.85, a Precision of 0.86, and a Recall of 0.83. Furthermore, 56% of the CVE reports of vulnerabilities associated with an attack were identified by VULDAT, and 61% of the vulnerabilities it identified were present in the CVE repository.
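The abstract describes the core idea of VULDAT: embed attack-technique descriptions and CVE descriptions as sentence vectors, link an attack to the CVEs whose descriptions are most similar, and score the links with Precision, Recall and F1. The following is an added illustration, not code from the paper or the VULDAT tool. It replaces the MPNET sentence embeddings with a plain TF-IDF vector (an assumption made so the example runs offline with the standard library only) and uses a small constructed corpus of ATT&CK-style and CVE-style descriptions with invented identifiers; the retrieval, thresholding and metric computation follow the same pattern the abstract outlines.

```python
import math
import re
from collections import Counter

# Constructed example corpus (NOT the paper's ATT&CK/CVE data): three
# ATT&CK-style technique descriptions and four CVE-style descriptions.
# The identifiers are placeholders, not real technique or CVE numbers.
ATTACKS = {
    "T-A": "Adversaries exploit a buffer overflow in a network service to execute arbitrary code remotely.",
    "T-B": "Adversaries inject SQL statements through a web application login form to read database contents.",
    "T-C": "Adversaries abuse path traversal to read arbitrary files from the web server.",
}
CVES = {
    "CVE-EX-0001": "Stack-based buffer overflow in the network daemon allows remote attackers to execute arbitrary code.",
    "CVE-EX-0002": "SQL injection in the login form allows remote attackers to read the database.",
    "CVE-EX-0003": "Directory traversal in the file download handler allows remote attackers to read arbitrary files.",
    "CVE-EX-0004": "Cross-site scripting in the comment field allows remote attackers to inject script.",
}
# Constructed ground truth: which CVEs are actually linked to which technique.
GROUND_TRUTH = {
    "T-A": {"CVE-EX-0001"},
    "T-B": {"CVE-EX-0002"},
    "T-C": {"CVE-EX-0003"},
}

STOPWORDS = {"a", "an", "the", "in", "to", "of", "from", "through", "and", "with", "via", "allows"}


def tokenize(text):
    """Lower-case alphanumeric tokens with a few stopwords removed."""
    return [t for t in re.findall(r"[a-z0-9]+", text.lower()) if t not in STOPWORDS]


def build_idf(docs):
    """Smoothed inverse document frequency over the whole corpus (attacks and CVEs)."""
    n = len(docs)
    df = Counter()
    for text in docs:
        df.update(set(tokenize(text)))
    return {t: math.log((1 + n) / (1 + c)) + 1.0 for t, c in df.items()}


IDF = build_idf(list(ATTACKS.values()) + list(CVES.values()))


def embed(text):
    """Stand-in for a sentence-transformer embedding: an L2-normalised TF-IDF vector."""
    tf = Counter(tokenize(text))
    vec = {t: c * IDF.get(t, 1.0) for t, c in tf.items()}
    norm = math.sqrt(sum(v * v for v in vec.values())) or 1.0
    return {t: v / norm for t, v in vec.items()}


def cosine(a, b):
    """Cosine similarity of two sparse, already-normalised vectors."""
    return sum(w * b.get(t, 0.0) for t, w in a.items())


CVE_VECTORS = {cid: embed(text) for cid, text in CVES.items()}


def rank_cves(attack_text):
    """CVE ids ordered by similarity to the attack description, best match first."""
    query = embed(attack_text)
    scored = [(cid, cosine(query, vec)) for cid, vec in CVE_VECTORS.items()]
    return sorted(scored, key=lambda item: item[1], reverse=True)


def link_attacks(threshold=0.3):
    """Predict, for each attack, the set of CVEs whose similarity meets the threshold."""
    return {
        aid: {cid for cid, score in rank_cves(text) if score >= threshold}
        for aid, text in ATTACKS.items()
    }


def precision_recall_f1(predicted, truth):
    """Micro-averaged Precision, Recall and F1 over all (attack, CVE) links."""
    tp = fp = fn = 0
    for aid, expected in truth.items():
        pred = predicted.get(aid, set())
        tp += len(pred & expected)
        fp += len(pred - expected)
        fn += len(expected - pred)
    precision = tp / (tp + fp) if tp + fp else 0.0
    recall = tp / (tp + fn) if tp + fn else 0.0
    f1 = 2 * precision * recall / (precision + recall) if precision + recall else 0.0
    return precision, recall, f1


if __name__ == "__main__":
    links = link_attacks()
    for aid, text in ATTACKS.items():
        print(aid, "best matches:", rank_cves(text)[:2], "linked:", sorted(links[aid]))
    print("P/R/F1 = %.2f / %.2f / %.2f" % precision_recall_f1(links, GROUND_TRUTH))
```

The threshold in `link_attacks` is the knob that trades Precision against Recall: raising it drops weak links (fewer false positives, more misses), lowering it does the opposite, which is why a paper of this kind reports all three metrics rather than accuracy alone. Swapping `embed` for a real MPNET encoder changes the vectors but none of the surrounding pipeline.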