Software vulnerabilities can remain undiscovered even after they have been exploited. Linking attacks to vulnerabilities helps experts identify and respond promptly to an incident. This paper introduces VULDAT, a classification tool built on the MPNET sentence transformer that identifies system vulnerabilities from attack descriptions. We applied our model to 100 attack techniques from the ATT&CK repository and 685 issues from the CVE repository, and then compared the performance of VULDAT against eight other state-of-the-art classifiers based on sentence transformers. Our findings indicate that our model achieves the best performance, with an F1 score of 0.85, a precision of 0.86, and a recall of 0.83. Furthermore, VULDAT identified 56% of the vulnerabilities in CVE reports that were associated with an attack, and 61% of the vulnerabilities it identified were in the CVE repository.
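The pipeline the abstract describes, embedding attack-technique text and CVE descriptions and linking the pairs whose embeddings are similar, then scoring the links against known attack-to-vulnerability associations, can be shown end to end on a small constructed corpus. The block below is an added illustration and is not VULDAT's code; the paper's MPNET model is replaced by a bag-of-words cosine stand-in (`embed`) so the example runs offline, the technique and CVE texts and the ground-truth links are constructed sample data rather than entries from ATT&CK or the CVE repository, and the similarity threshold of 0.25 is an assumption chosen for this corpus. The two percentages the abstract reports correspond to recall (share of known attack-linked CVEs the tool finds) and precision (share of the tool's links that are real), which `evaluate` computes.

```python
"""Link attack-technique descriptions to CVE descriptions by embedding similarity,
then score the links. Illustrative code, not VULDAT's own implementation."""
import math
import re
from collections import Counter

# Constructed sample corpus (paraphrased, not copied from ATT&CK or CVE).
TECHNIQUES = {
    "T1190": "Exploit Public-Facing Application: adversaries exploit a weakness in an "
             "internet-facing web application, for example SQL injection.",
    "T1068": "Exploitation for Privilege Escalation: adversaries exploit a software "
             "vulnerability to gain elevated privileges.",
    "T1059": "Command and Scripting Interpreter: adversaries abuse command and script "
             "interpreters to execute commands.",
}
CVES = {
    "CVE-0000-0001": "SQL injection in the login form of a web application allows remote "
                     "attackers to execute arbitrary SQL commands.",
    "CVE-0000-0002": "A kernel driver allows local users to gain elevated privileges via a "
                     "crafted ioctl.",
    "CVE-0000-0003": "Improper neutralization of special elements in a shell command allows "
                     "remote attackers to execute arbitrary commands.",
    "CVE-0000-0004": "Cross-site scripting in the admin panel allows remote attackers to "
                     "inject arbitrary web script.",
}
# Constructed ground truth: which CVEs are known to be associated with which technique.
GOLD = {
    ("T1190", "CVE-0000-0001"),
    ("T1190", "CVE-0000-0004"),
    ("T1068", "CVE-0000-0002"),
    ("T1059", "CVE-0000-0003"),
}
STOPWORDS = {"a", "an", "and", "the", "in", "of", "to", "for", "via", "on", "by", "with", "or"}


def embed(text):
    """Stand-in for the MPNET sentence embedding: a bag-of-words vector as a Counter.
    Replace with SentenceTransformer(...).encode to use a real sentence transformer."""
    tokens = re.findall(r"[a-z]+", text.lower())
    return Counter(t for t in tokens if t not in STOPWORDS)


def cosine(a, b):
    """Cosine similarity between two sparse vectors (Counters)."""
    dot = sum(a[t] * b[t] for t in a if t in b)
    na = math.sqrt(sum(v * v for v in a.values()))
    nb = math.sqrt(sum(v * v for v in b.values()))
    return dot / (na * nb) if na and nb else 0.0


def rank_cves(technique_text, cves=CVES):
    """Return (cve_id, similarity) pairs for one attack description, best match first."""
    query = embed(technique_text)
    scored = [(cve_id, cosine(query, embed(desc))) for cve_id, desc in cves.items()]
    return sorted(scored, key=lambda pair: pair[1], reverse=True)


def link_attacks_to_cves(threshold=0.25, techniques=TECHNIQUES, cves=CVES):
    """Keep every (technique, CVE) pair whose similarity reaches the threshold (assumed value)."""
    links = set()
    for tid, text in techniques.items():
        for cve_id, score in rank_cves(text, cves):
            if score >= threshold:
                links.add((tid, cve_id))
    return links


def evaluate(predicted, gold):
    """Precision, recall and F1 of predicted links against known links.
    Recall answers 'what share of known attack-linked CVEs were identified';
    precision answers 'what share of identified links are real'."""
    tp = len(predicted & gold)
    precision = tp / len(predicted) if predicted else 0.0
    recall = tp / len(gold) if gold else 0.0
    f1 = 2 * precision * recall / (precision + recall) if precision + recall else 0.0
    return {"precision": precision, "recall": recall, "f1": f1}


if __name__ == "__main__":
    links = link_attacks_to_cves()
    for tid, cve_id in sorted(links):
        print(f"{tid} -> {cve_id}")
    print(evaluate(links, GOLD))
```

On this corpus the linker recovers three of the four known links and proposes no false ones, so precision is 1.0, recall 0.75 and F1 about 0.86; the XSS entry is missed because a bag-of-words stand-in shares almost no vocabulary with the technique text, which is exactly the gap a sentence transformer such as MPNET is meant to close by matching on meaning rather than shared tokens.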