Using Machine Learning to Infer Plausible and Undetected Cyber Threat, Vulnerability and Mitigation Relationships

We demonstrate how machine learning could serve cyber knowledge-base curators, threat hunters, and security analysts. We present a a machine learning~(ML) based workflow that addresses the overwhelming quantity of text entries that would have to be read and assimilated by hunters and analysts in order to infer a plausible relationship between two entries from different threat, vulnerability, and mitigation sources. The workflow uses language embedding models and classifiers to automatically label exhaustively-collected pairs of entries as linked or not. It also includes humans who in a curator role guide how many pairs are labeled as linked, ``candidates''. The curator also ranks the candidates; experts participate by independently and manually categorically assessing the ML-derived candidates; and the curator reprises by specifying rules that state how the collective expert categorizations determine a final label for each candidate pair.