The Vulnerability Relationship Prediction Research for Network Risk Assessment

Abstract

Network risk assessment should include the impact of the relationship between vulnerabilities, in order to conduct a more in-depth and comprehensive assessment of vulnerabilities and network-related risks. However, the impact of extracting the relationship between vulnerabilities mainly relies on manual processes, which are subjective and inefficient. To address these issues, this paper proposes a dual-layer knowledge representation model that combines various attributes and structural information of entities. This article first constructs a vulnerability knowledge graph and proposes a two-layer knowledge representation learning model based on it. Secondly, in order to more accurately assess the actual risk of vulnerabilities in specific networks, this paper proposes a vulnerability risk calculation model based on impact relationships, which realizes the risk assessment and ranking of vulnerabilities in specific network scenarios. Finally, based on the research on automatic prediction of the impact relationship between vulnerabilities, this paper proposes a new Bayesian attack graph network risk assessment model for inferring the possibility of device intrusion in the network. The experimental results show that the model proposed in this study outperforms traditional evaluation methods in relationship prediction tasks, demonstrating its efficiency and accuracy in complex network environments. This model achieves efficient resource utilization by simplifying training parameters and reducing the demand for computing resources. In addition, this method can quantitatively evaluate the success probability of attacking specific devices in the network topology, providing risk assessment and defense strategy support for network security managers.

1. Introduction

In recent years, with the rapid development of computer networks, the scale of networks has been continuously expanding, and the growth rate of network vulnerabilities has also been gradually increasing [1,2]. Given the increasing number of vulnerabilities, ensuring that all vulnerabilities on each host are patched is a highly challenging task. Therefore, it is necessary to conduct vulnerability risk assessment to prioritize the remediation of the most critical vulnerabilities [3]. In the risk assessment process, fully considering the impact of relationships between vulnerabilities is crucial for a comprehensive evaluation of individual vulnerabilities and overall network risk [4]. Consequently, it is particularly important to automatically identify and analyze the impact relationships between vulnerabilities.

Network risk assessment, as a proactive defense security technology, has always been a research hotspot in the field of network security. Researchers have proposed various assessment methods, such as game theory [5], mathematical models [6], neural networks [7], and vulnerability correlation graphs [5]. For multi-vulnerability combined attacks, risk assessment integrates various technologies, including indicator fusion [8,9], attack graphs [10,11], and Bayesian networks [12,13,14], to reveal the correlations between vulnerabilities, thereby comprehensively assessing the risks faced by the network. Additionally, knowledge graphs, by embedding entities and relationships into low-dimensional vector spaces, simplify tasks such as graph completion and link prediction, providing a powerful tool for dynamic risk assessment.

However, current research still faces several key issues that need to be addressed. First, the dependencies between vulnerabilities heavily rely on the expertise of researchers, requiring detailed manual analysis and provision, which is especially time-consuming and labor-intensive when dealing with a large number of vulnerabilities. Second, besides dependencies, there is also an impact relationship between vulnerabilities, where the exploitation of one vulnerability may reduce the exploitation complexity of another. However, current research on such impact relationships is still insufficient. Finally, research based on Bayesian attack graphs directly adopts Common Vulnerability Scoring System (CVSS) scores when quantifying vulnerability risk, neglecting the potential impact of impact relationships between vulnerabilities on the probability of successful exploitation, which may lead to inaccurate network risk assessment results. In summary, determining how to automatically predict and embed the impact relationships between vulnerabilities into vulnerability risk assessment and network risk assessment is an urgent need in this field and the focus of this paper.

This article found, through analyzing vulnerability data, that each vulnerability entity has multiple attributes. However, existing cross-series knowledge representation models mainly utilize translation principles to transform entities and relationships in knowledge graphs into low-dimensional vectors. However, this method only embeds triplet information, limiting the accurate expression of deep meanings by entity vectors. To this end, we propose a two-layer knowledge representation learning model based on vulnerability knowledge graph, which incorporates entity attribute information in the representation learning process, thereby more accurately embedding entity nodes and improving the accuracy of predicting the impact relationships between vulnerable entities.

Based on the network environment and the impact relationships between vulnerabilities, a risk calculation model is constructed in this paper. This model introduces factors such as the importance of network devices, the connectivity between devices, and the impact relationships between vulnerabilities to achieve more reasonable vulnerability risk assessment. By constructing a network device connectivity matrix, a device vulnerability matrix, a vulnerability relationship matrix, and setting relevant weight parameters to initialize the model, the iterative method is used to calculate the risk scores of devices and vulnerabilities, and the risks are ranked.

Based on the research of predicting the influence relationships among vulnerabilities, this paper proposes a new Bayesian attack graph. This attack graph is used to establish a network risk assessment model, performing risk evaluation for vulnerabilities and device nodes within the network. First, a Bayesian attack graph incorporating impact relationships between vulnerabilities is defined to model the network environment. Second, by combining the impact relationships between vulnerabilities, the exploitability probability of vulnerability nodes is quantified. For device condition nodes, the conditional probability is calculated based on their parent vulnerability nodes, and the reachability probability of device condition nodes is calculated using the joint conditional probability of the current node and its parent nodes, thereby inferring the probability of an attacker successfully compromising the node in a given network topology, providing defense strategy support for network security managers.The main contributions of this paper are as follows:

• We propose a two-layer knowledge representation learning model that incorporates entity attribute information during the knowledge representation learning process. The method improves the embedding accuracy of entity nodes, thereby enhancing the accuracy of predicting the impact relationship between vulnerable entities. We constructed a vulnerability knowledge graph containing approximately 100,000 entities and 400,000 relationships, and conducted experiments on this graph to demonstrate that the proposed model outperforms the baseline model.
• A vulnerability risk calculation model based on impact relationships is proposed, which enables risk assessment and ranking of vulnerabilities in network scenarios. This model introduces factors such as the importance of network devices and the impact relationship between vulnerabilities. We initialize the model by constructing a network device connectivity matrix, device vulnerability matrix, vulnerability relationship matrix, and setting relevant weight parameters. And experiments have shown that the vulnerability risk calculation model based on impact relationships proposed in this paper can more reasonably evaluate the actual risk of vulnerabilities in specific network scenarios.
• We propose a network risk model based on Bayesian attack graph to assess the risk of device nodes in the network. This model combines the impact relationship between vulnerabilities and quantifies the probability of vulnerability exploitation and the risk status of network devices. By inferring the likelihood of attackers successfully capturing devices in a given network topology, it provides defense strategy support for network security managers. Compared with other risk assessment methods, this model is more accurate and efficient in evaluating the risk of vulnerabilities being exploited and devices being compromised in the network.

2. Related Work

Network risk assessment is a critical research area in network security, primarily involving methods based on indicator fusion, attack graphs, Bayesian networks, and Bayesian attack graphs. Indicator fusion methods integrate various security risk factors to build mathematical models for comprehensive evaluation of overall network risk. Researchers have proposed a series of indicator fusion-based risk assessment models using techniques such as analytic hierarchy process (AHP) [15] and D-S evidence theory [16]. For example, Wang et al. [15] introduced a network security situation assessment and quantification method based on AHP. This method uses AHP to address the subjective factors introduced during the determination of indicator weights and employs a hierarchical situation assessment model to address multiple risk indicators, thereby solving the network security situation assessment problem.

CVSS primarily aims to score the risk of individual vulnerabilities but fails to fully capture the attacker’s intent. An attack graph is a modeling technique used to represent the sequence of network attack events [17], correlating isolated vulnerabilities to illustrate the attacker’s behavior. Attack graphs are mainly divided into state attack graphs and attribute attack graphs. Due to the state explosion problem in state attack graphs, researchers have focused more on network risk assessment based on attribute attack graphs. Wang et al. [18] proposed a vulnerability assessment method based on attribute attack graphs and maximum flow. This method generates attack graphs by traversing vulnerability node information and their correlations, uses depth-first search algorithms and maximum loss flow mechanisms to find the optimal attack paths in the network, and evaluates critical vulnerabilities based on attack paths and loss saturation. To address the complexity of generating and quantifying attack graphs in large-scale networks, Lee et al. [19] endowed attack graphs with semantics using ontology technology, enabling machines to handle large-scale attack graphs and infer strategies to enhance network security, thus supporting automated risk assessment in large-scale network nodes.

When using attack graphs for network risk assessment, the modeling is typically static, whereas Bayesian networks utilize observed attack events to infer subsequent node risks, lacking dynamic attack scenario construction. Combining Bayesian networks with attack graphs can dynamically illustrate attack patterns and conduct real-time risk assessment. Poolsappasi et al. [20] proposed a dynamic risk assessment model based on Bayesian attack graphs, which includes not only the causal relationships between different network states but also the likelihood of exploiting these relationships. Munoz-Gonzalez et al. [21] introduced a new algorithm to infer Bayesian attack graphs, reducing the time required to generate these graphs, saving computational resources, and enhancing the applicability of the Bayesian attack graph method in large-scale networks.

With the increasing complexity of software functions, new vulnerability patterns continue to emerge. The diversification of software vulnerabilities and the interdependencies among software enhance cross-cooperation among vulnerabilities, making it more common for attackers to exploit multiple vulnerabilities in combination [22]. Researchers have, thus, focused on the relationships between vulnerabilities. Du et al. [23] suggested that vulnerabilities are caused by weaknesses, and the relationships between vulnerabilities should be analyzed based on weaknesses. This study proposed a weakness importance propagation algorithm based on PageRank to predict the relationships between weaknesses. Han et al. [24] also focused on weaknesses, noting that although the common weakness enumeration (CWE) contains rich information on weaknesses, its textual data format prevents direct inference of relationships among weaknesses. This study established a knowledge graph (KG) of weaknesses, using knowledge representation, learning to embed weaknesses and their relationships into a semantic vector space, facilitating knowledge acquisition and relationship inference to predict missing relationships between CWEs.

Knowledge representation learning based on knowledge graphs has become a research hotspot in recent years. Knowledge graphs consist of entities (nodes) and relationships (edges) [25], with each edge represented as a triple (head entity, relationship, tail entity). Knowledge graphs like Freebase [26], DBpedia [27], YAGO [28], and NELL [29] have been widely used in fields such as named entity disambiguation, relationship extraction, and intelligent question answering. Knowledge representation learning [30,31,32] embeds the elements of knowledge graphs, including entities and relationships, into continuous low-dimensional vector spaces, simplifying triple operations while preserving the inherent structure of the graph. After embedding entities and relationships into low-dimensional vectors, these vectors can assist in downstream tasks such as graph completion [33,34], relationship prediction [35], triple classification [36], and relationship extraction [37]. The most typical knowledge representation learning models are the TransE [38] model and its improved versions, such as TransH [39], TransR [40], and TransD [41]. These models first represent entities and relationships in a continuous vector space, defining an energy function for triples to calculate vector representations, and optimize the overall plausibility of triples to obtain vector representations of entities and relationships. However, these models only integrate structural information into vector representations through triples without considering the specific meanings of entities. Therefore, the vector representations of entities and relationships obtained may not be sufficient for predictions in downstream tasks. The TransD model addresses the problem in TransR, where entities of vastly different types and attributes share the same projection matrix by further decomposing the projection matrix into the product of two projection vectors, thus also reducing the model’s parameter count. Yang et al. [42] conducted link prediction research for entities with relatively few related triples, proposing a new link prediction model based on meta-learning. This model divides training data into four groups based on relationship types, trains each task sequentially through a meta-learning framework, and uses graph neural networks to score triples, effectively predicting relationships for newly added unknown entities in knowledge graphs. In addition, some studies [43] will explicitly simulate high-order connectivity in KG in an end-to-end manner, recursively propagating embeddings from nodes’ neighbors (which can be users, items, or attributes) to refine node embeddings, and they use attention mechanisms to distinguish the importance of neighbors to promote more effective knowledge representation.

3. Methodology and Implementation

3.1. Vulnerability Knowledge Graph Definition and Construction

The vulnerability knowledge graph constructed in this paper comprises three primary entities: vulnerabilities, the products affected by these vulnerabilities, and the vendors of these products.

At the core of this knowledge graph is the vulnerability entity. We classify the attributes of this entity into three dimensions: the fundamental characteristics of the vulnerability, the conditions under which the vulnerability can be exploited, and the impact of such exploitation. Each vulnerability entity is characterized by a total of 21 attributes across these dimensions. Detailed descriptions and values of each attribute are provided in

Table A1. Vulnerability entity attributions.

Attribution Type	Attribution Name	Attribution Meaning	Attribution Value
Base attributions of the vulnerability	CVE-ID	CVE number	For example CVE-2019-6551
	Product At OS	The operating system where Influenced the product is located	Linux/Windows/Mac/ Android/iOS
	Type	Vulnerability type	Sql Injection, XSS, Directory Traversal, DOS, Code Execution, Overflow, Memory Corruption, Bypass, Gain Privileges, CSRF, File Inclusion, Gain Information, Http Response Splitting
	CWE-ID	CWE number	For example CWE-79
	Published Date	Vulnerability published date	For example 2021 October 21
	Last Modified	Vulnerability last modified date	For example 2021 November 23
Condition attributions of vulnerability exploitation	Access Vector	Local/Adjacent Network/Remote Network/Physical
	Authentication	Does vulnerability exploitation require authentication?	Multiple/Single/None
	Access Complexity	Vulnerability exploitation complexity	High/Low
	Privileges Required	Permissions required for vulnerability exploitation	High/Low/None
	Read & Write	Read and write permissions required for vulnerability exploitation	Overall/None/Write Access/Read Access
	User	Does the exploit	Require/None
	User Interaction	Does the exploit require user interaction?
Impact attributions of vulnerability exploitation	Access Application	Ability to access the system or application	Yes/No
	Gain Privilege	Gained privilege after vulnerability exploitation	Root/administrator/User/None
	Execute System Command	Ability to execute system commands	Yes/(System/Root)/No

.

The relationships between entities are defined as five in this paper, which are shown as follows:

$$Influence::=<vulnerability,product>$$

(1)

where $vulnerability$ denotes a vulnerability entity and $product$ denotes a product entity. When both $vulnerability$ and $product$ are assigned specific values, the impact relationship between a vulnerability entity and a product entity can be determined.

$$AffiliatedWith::=<product,vendor>$$

(2)

where $product$ denotes a product entity, $vendor$ denotes a vendor entity, and $AffiliatedWith$ indicates that the product entity belongs to a vendor entity. When both product and vendor are assigned specific values, the affiliated relationship between a product entity and a vendor entity can be determined.

The Common Vulnerability Scoring System Version 3 (CVSS3) [44] evaluates the exploitability of vulnerabilities in four dimensions: attack vector (AV), attack complexity (AC), privileges required (PR), and user interaction (UI), as shown in

Table 1. CVSS3 vulnerability exploitability metrics.

Indicator Name	Indicator Values
PR	None/Low/High
AV	Network/Adjacent/Local/Physical
AC	Low/High
UI	None/Required

.

Since user interaction metrics require human factors to be involved, this paper does not consider this dimension when studying the relationship between vulnerabilities. We define the relationship between vulnerability entities in terms of three dimensions: privileges required, attack vector, and attack complexity when they are exploited.

We use the term $IncreasePermissions$ to describe the permission changes that occur when exploiting the relationship between two vulnerabilities. This relationship and its formation conditions are illustrated in Figure 1, where ellipses, rectangles, parallelograms, and rounded rectangles, respectively, represent exploitable vulnerabilities, required operations, permission requirements, and the influence relationships between vulnerabilities. If the exploitation outcome of $v_i$ is to elevate user privileges, thereby enabling the exploitation requirements of another vulnerability, $v_j$, to be met, then there exists an $IncreasePermissions$ relationship between the two vulnerabilities. GainPrivilege represents the system or application privilege attribute that can be acquired upon the exploitation of the vulnerability entity $v_i$, while PrivilegesRequired indicates the privilege attribute necessary for the exploitation of the vulnerability entity $v_j$. When the attribute value of GainPrivilege is “Root” or “Administrator” privileges, and the attribute value of PrivilegesRequired is “High”, then there exists an $IncreasePermissions$ relationship between $v_i$ and $v_j$.

We use $IncreaseAccessPath$ to describe the changes of the local vulnerability exploit conditions between two vulnerabilities, and its formation condition is shown in Figure 2. ExecuteSystemCommand and ExecuteCode, respectively, denote vulnerability’s command and code execution attribute. When the value of ExecuteSystemCommand or ExecuteCode is yes, and the value of AccessPath is Local, then there is a relationship $IncreaseAccessPath$ between $v_i$ and $v_j$.

We use $DecreaseComplexity$ to describe the complexity changes of exploit between two vulnerabilities, and its formation condition is shown in Figure 3 and Figure 4. Access Application, Access Database, Access File System, File Read Write, Upload File, and Download File, respectively, indicate whether the $v_i$ can access system or application, access database, access file system, file read and write permission, upload file, and download file. Authentication, AccessComplexity, and read–write, respectively, indicate whether it needs Authentication, access complexity when $v_j$ is exploited, and whether it requires read and write permission. When the value of AccessApplication or AccessDatabase is yes, and the value of AccessComplexity is Local, then there is a relationship DecreaseComplexity between $v_i$ and $v_j$ (Figure 3). In addition, when the value of File Read Write or Access File System or Upload File or Download File is yes, and the value of AccessComplexity is Local, then there is a relationship DecreaseComplexity between $v_i$ and $v_j$ (Figure 4).

3.2. Dual-Layer Knowledge Representation Learning Model

In the current field of information security, most researchers tend to adopt more traditional methods for modeling and analyzing complex relationships between vulnerabilities, products, and suppliers. These methods often focus on a single data processing or feature extraction technique, and less comprehensive consideration is given to multidimensional and deep-level correlations between entities. This limitation, to some extent, limits the accuracy and efficiency of vulnerability impact assessment.

In view of this, this article uses the commonly used TransE model in link prediction, which maps vulnerability entities, product entities, supplier entities, and their complex relationships into a vector space through a translation mechanism. The aim is to construct a vector embedding representation that can comprehensively cover the relationships between vulnerabilities, their affected products, and the suppliers to which the products belong. This method not only simplifies the handling of complex relationships, but also enhances the model’s generalization ability to new vulnerabilities and products. In order to further improve the accuracy of representation, the TransCatAttr knowledge representation model proposed in this paper is also introduced. This model makes full use of the vulnerability entity vector obtained from the first layer of knowledge representation learning as the initialization basis, and through splicing the attribute vectors of vulnerability entities (such as vulnerability type, severity, utilization difficulty, etc.), it achieves a more detailed and comprehensive description of vulnerability entities. This fusion of attribute vectors makes the model more accurate and efficient in identifying vulnerability features and evaluating their potential impact, providing strong support for subsequent vulnerability warning, risk assessment, and emergency response.

As shown in Figure 5, a total of two layers of knowledge representation learning are performed after the vulnerability knowledge graph is successfully constructed. The first layer is the vector embedding of vulnerability entities, product entities, vendor entities, and their inter-entity relationships using the TransE model, aiming to make the obtained vulnerability entity vectors cover the relationships with their affected products and vendors to which the products belong. The second layer uses the TransCatAttr knowledge representation model proposed in this paper, adopts the vulnerability entity vectors obtained from the first layer of knowledge representation learning as the initial vectors, and splices the attributes vectors of the vulnerability entities to represent the entities more accurately.

After obtaining the vector representation of vulnerability entities and relationships, the relationship prediction of vulnerability entities is performed. For the head vulnerability entity h and the tail vulnerability entity t for which some relationship is to be predicted, the energy function value of the triple is calculated for any one candidate relationship. Then, all candidate triples are sorted in ascending order according to the energy function value, and the relationship r ranked first is selected as the prediction result.

The initialization vector representation of entities in the TransE model is randomly generated when knowledge representation learning is performed, and the attribute information of entities is not considered. The TransCatAttr knowledge representation model proposed in this paper splices the attribute information vectorization of entities with the vulnerability entity vector obtained from the first round of knowledge representation learning as the vulnerability entity initialization of the TransCatAttr vector, which can embed entity nodes more accurately.

The input of the TransCatAttr model is vulnerability entities and relationships between vulnerability entities in the vulnerability knowledge graph. The relationship between each set of vulnerability entities is represented by a triple as $(h,r,t)\in T$, where $h,t\in V$, V denotes the set of vulnerability entities, and $r\in R$, R denotes the set of the three types of relationships between vulnerability entities. The T denotes the training set of the triples for knowledge representation learning. The input of the TransCatAttr model is vulnerability entities and relationships between vulnerability entities in the vulnerability knowledge graph. The relationship between each set of vulnerability entities is represented by a triple as $(h,r,t)\in T$, where $h,t\in V$, V denotes the set of vulnerability entities, and $r\in R$, R denotes the set of the three types of relationships between vulnerability entities. The T denotes the training set of the triples for knowledge representation learning.

Vulnerability entities and relationships are represented by k-dimensional vectors, and each vulnerability entity is represented in two parts. One part is a structure-based vector representation, with hs and ts, respectively, denoting the structure-based vector representation of the head vulnerability entity and the tail vulnerability entity, which is learned from the relationships between entities. The other part is a vector representation based on attributes information, with ha and ta, respectively, denoting the attribute-based vector representation of the head vulnerability entity and the tail vulnerability entity, which are obtained by encoding the attributes of the vulnerability entities.

The 21 kinds of attributes are coded by one-hot encoding for each attribute except for the vulnerability number and date. After obtaining the attribute vectors of vulnerability entities, the structure vector of vulnerability entities obtained by the first round of knowledge representation is used as the initial vector of vulnerability entities learned by the TransCatAttr model. The energy function of the model is shown in Equation (3), and the goal of knowledge representation is to minimize E on the triple training set T.

$$E=E_s\oplus E_a$$

(3)

where the symbol ⊕ represents the connection of the two representation vectors of the entity, and Es and Ea are calculated by the following Equation (4) and Equation (5), respectively.

$$E_s=\parallel h_s+r_s-t_s\parallel$$

(4)

$$E_a=\parallel h_a+r_a-t_a\parallel$$

(5)

The objective of the TransCatAttr model is to minimize the loss function L, as shown in Equation (6). Here, $\gamma >0$ is a bounded hyperparameter indicating that a positive instance triple scores at least $\gamma$ higher than a negative instance triple, and $E(h,r,t)$ is the energy function defined above, obtained by computing $E_s$ spliced with $E_a$. $T^{\prime }$ is the set of negative instance triples constructed during training based on the triple training set T according to Equation (7). The head entity or tail entity in the triplet is randomly replaced by any one of the entities in the vulnerability entity set V, and it must be ensured that the constructed negative instance of the triplet has not appeared in the training set T.

$$L=\sum _{(h,r,t)\in T}\sum _{(h^{\prime },r,t^{\prime })\in T^{\prime }}max(\gamma +E(h,r,t)-E(h^{\prime },r,t^{\prime }),0)$$

(6)

$$T^{\prime }(h,r,t)=\{(h^{\prime },r,t)\mid h^{\prime }\in E\}\cup \{(h,r,t^{\prime })\mid t^{\prime }\in E\}$$

(7)

The training process of the TransCatAttr model is shown in Algorithm 1. Firstly, the vector representation of each entity in the set of vulnerability entities is initialized, and the structure-based vector representation obtained from the first round of knowledge representation is stitched with the attribute vector representation. The initial value of the structure-based vector representation of the relationship vector is randomly generated, and the uniform representation conforms to the uniform distribution of $[-1,1]$, where k denotes the embedding dimension of the structure-based vector representation; it is stitched with the attribute vector of the relationship to obtain the initial vector representation of the relationship vector as a whole. After the initialization of entity and relation vectors, $T_{b}atch$ is initialized and the corresponding negative case triples are constructed according to Equation (7). The entity vectors and relation vectors are optimized in the gradient direction of the loss function described in Equation (6) for the positive and negative case triples.

Algorithm 1 Learning TransCatAttr

Input: Training set $T=(h,r,t)$, entity set V and relation set R, vulnerability entity initial embeddings set l, vulnerability entity attribution embeddings set A, vulnerability relation attribution embeddings set $RA$, margin $\gamma$, structure embeddings dimension k, attribution embeddings dimension m. Output: Knowledge graph embedding model   1: for $e\in V$ do   2:     Let $e_s$ ←I;   3:     Let $e_a$ ←A;   4:     Let $e_s$ ←$e_s⨁e_a$;   5:     Let $e_s$ ←${\displaystyle \frac{e}{\parallel e\parallel }}$;   6: end for   7: for $e\in V$ do   8:     Let $r_s$ ←I;   9:     Let $r_a$ ←A; 10:     Let $r_s$ ←$r_s⨁r_a$; 11:     Let $r_s$ ←${\displaystyle \frac{r}{\parallel r\parallel }}$; 12: end for 13: for $e\in V$ do 14:     Let $T_{b}atch$ ←$\varphi$; 15:     Let $T_{b}atch$ ←$T_{b}atch\cup ((h,r,t),(h^{\prime },r,t^{\prime }))$; 16: end for 17: Update embedding 18:           ${\Sigma }_{((h,r,t),(h^{\prime },r,t^{\prime }))\in T_{b}atch}$$max(\gamma +E(h,r,t\left(\right)-E(h^{\prime },r,t^{\prime })),O)$

3.3. Attack Graph for Relationship Prediction

Bayesian network attack graphs are commonly used network risk assessment models. As shown in

Table 2. Attack graph symbol.

Symbol	Means
S	The device node for attack status from start to end.
E	Dependencies between S during the attack occurrence.
Vul	Vulnerability assemble for attack.
R	The relationship between multiple precursor nodes and the successor nodes is represented as $R\in \{\mathrm{AND},\mathrm{OR}\}$.
Inf	Impact relationships between vulnerabilities mentioned in Section 2.
Pro	Attack the accessibility probability of the S in the graph.

, a traditional Bayesian attack graph mainly includes S, E, Vul.R, and Pro. In this paper, we redefine the model by introducing inf (Influence).

Use the formula in Equation (8) to map the integrating the influence relationship between vulnerabilities to the [0,1] range, this value indicates the probability of the attacker’s success in using the vulnerability, called the vulnerability node availability probability. As shown in Equation (8), we ignore the factor of UI according to the actual situation, where the meanings and corresponding values of indicators AV, AC, and PR are given in Table 1.

$$P\left(V\right)={\displaystyle \frac{AV·AC·PR}{10}}$$

(8)

For $S_j$, the probability of being trapped is calculated according to the parent vulnerability node with its dependence, that is, the conditional probability, denoted as $P(S_j\mid \mathrm{ParVul}\left(S_j\right))$, where $\mathrm{ParVul}\left(S_j\right)$ represents the set of parent vulnerability nodes. According to different R, the conditional probability is calculated, respectively.

$$P(S_j\mid \mathrm{ParVul}\left(S_j\right))=\left\{\begin{array}{cc}0,\hfill & \exists S_j\in \mathrm{ParVul}\left(S_j\right),S_j=0\hfill \\ {\prod }_{j=1}^n\mathrm{ParVul}\left(V_j\right),\hfill & \mathrm{others}\hfill \end{array}\right.$$

(9)

$$P(S_j\mid \mathrm{ParVul}\left(S_j\right))=\left\{\begin{array}{cc}0,\hfill & \forall S_j\in \mathrm{ParVul}\left(S_j\right),S_j=0\hfill \\ 1-{\prod }_{j=1}^n[1-\mathrm{ParVul}\left(V_j\right)],\hfill & \mathrm{others}\hfill \end{array}\right.\mathrm{R}=\mathrm{OR}$$

(10)

After calculating the conditional probability of each attribute node in the Bayesian attack graph, the joint conditional probability of the current node and its parent node is used as the accessibility probability of the attribute node to represent the trapped probability of the attribute node. The following is the formula for calculating the accessible probability of the node $S_j$.

$$\mathrm{Probability}\left(S_j\right)=\prod _{j=1}^{n}P(S_j\mid \mathrm{Par}\left(S_j\right))$$

(11)

3.4. Experiment Validation

In this paper, the vulnerability information for three years from 2019 to 2021 was obtained from National Vulnerability Database (NVD) and Common Vulnerabilities and Exposures (CVE) Details, and the corresponding relationship data were obtained from Common Weakness Enumeration (CWE), Common Attack Pattern Enumeration and Classification (CAPEC), and Security Blog (Breff). Then, entities and relationships were imported into the Neo4j database for storage. The constructed vulnerability knowledge graph contains 96,261 entities and 398,220 relationships, where the number of each type of entity node and each type of relationship is shown in

Table 3. Vulnerability knowledge graph data volume.

Entity Node Type/Relationship Type	Quantity (Pcs/Strip)
Vulnerability	55,874
Product	33,249
Vendor	7138
Influence	168,406
AffiliatedWith	33,368
IncreasePermissions	98,254
IncreaseAccessVector	20,101
DecreaseComplexity	78,091

.

Figure 6 shows some of the nodes and relationships of the vulnerability knowledge graph constructed in this paper, where a red node is the vendor node, a green node is the product node, and a yellow node is the vulnerability node. For example, it shows two product nodes, rv340 firmware and Secure Access Control, that has an relationship for AffiliatedWith with the vendor node Cisco. Two vulnerability nodes, CVE-2022-20707 and CVE-2022-20705, have an “Influence” relationship with the rv340 firmware product node, and there is a “$DecreaseComplexity$” relationship between CVE-2022-20707 and CVE-2022-20705.

The data of the triple are divided into the training set, validation set, and test set in the ratio of 8:1:1 for the linked prediction task, i.e., predicting the relations based on the head entity and tail entity, and using the task evaluation metrics to measure the accuracy and effectiveness of the model.

In relationship prediction tasks, the relationship prediction performance of knowledge representation models is often evaluated using mean rank (MR) and top-k hits Hit@k (k = 1, 3, 5).

In the model training process, the range of hyperparameters is empirically defined in this paper as follows: loss function interval margin $\in \{1,2,4,6\}$, stochastic gradient descent learning rate $lr\in \{0.001,0.01,0.1\}$, and the set hyperparameters are determined according to the best results achieved on the validation set, as shown in

Table 4. TransCatAttr model hyperparameter setting.

Parameters	Value	Meaning
embedding_dim	111	Embedding dimension
$lr$	0.01	Learning rate
margin	4.0	Loss function margin
norm	1	L1-norm or L2-norm
c	0.25	Threshold value
epochs	500	Model training iteration times
batch_size	9600	Batch size

.

This paper conducted an experiment using the PyTorch 1.5.0 deep learning framework in LINUX Ubuntu 16.04, using the Python programming language, version 3.7. The hardware was trained using NVIDIA GTX1660, an NVIDIA graphics card, and the CUDA version was 10.0.1. The overall training time is about one week.

Figure 7 shows the changes in the loss values of the training and validation sets during the training process of the TransCatAttr model. It can be seen from the figure that the loss values of the TransCatAttr model decrease as the number of training iterations increases, with a significant drop at the beginning of the training phase, indicating that the learning rate is appropriate and the gradient descent process is effective. After approximately 100 iterations, the loss curve levels off, indicating that the model has largely been trained successfully.

In this paper, to evaluate the performance of the TransCatAttr model, the TransE model is selected as the baseline model. These two models were separately subjected to relationship prediction experiments on the dataset constructed above. A comparative analysis of the experimental results is shown in

Table 5. TransCatAttr and TransE model relationship prediction results.

Model	Entity MR	Entity Hits@10	Relationship MR	Relationship Hits@1
TransE	19.92%	904.55	90.98%	2
TransCatAttr	28.89%	760.6	99.19%	1.4

. From Table 5, it can be seen that the TransCatAttr model proposed in this paper performs better compared to the TransE model. The entity MR index value is improved by 8.97%, and the relationship MR is improved by 8.21%. However, the entity Hits@10 index value is decreased by 143.95, and the relationship Hits@1 index value is decreased by 0.6.

The primary reason that the TransCatAttr model outperforms the TransE model is that it incorporates attribute information of entities, whereas the TransE model only performs vector embedding based on the graph structure. By integrating attribute information, the TransCatAttr model can represent the relationships between entities more accurately, leading to better performance in prediction tasks. Specifically, the improvement in the entity MR index is due to the enhanced expressive power of entity embeddings when attributes are considered. Similarly, the relationship MR index is improved because the inclusion of attribute information results in more precise relationship embeddings. On the other hand, the decrease in the entity Hits@10 index suggests that in certain scenarios, the introduction of attribute information enhances the model’s ability to identify entities. The slight decrease in the relationship Hits@1 index indicates that the model’s optimization may have emphasized different aspects of relationships, resulting in improved prediction accuracy for relationships.

4. Results

We selected a local area network (LAN) configuration that includes 13 servers and multiple terminals, identifying 33 vulnerabilities. The specific attack map is shown in Figure A1. Simultaneously, we used the risk calculation model introduced in this paper for validation and compared it with existing CVSS scores, demonstrating that the assessment scores from our model are closer to real-world attack scenarios.

After multiple iterations, the vulnerability risk assessment scores eventually converged. Due to the CVSS base scores (BS) not accounting for the importance of network topology, they cannot accurately assess vulnerability risks in specific environments, leading to significant discrepancies in rankings between the two methods. Figure 8 shows the risk assessment ranking of experimental network vulnerabilities using the evaluation model proposed in this paper and the basic scores in CVSS. There is a difference in the ranking given by the two methods for the same vulnerability, with vulnerabilities 1, 5, 6, 10, 13, 16, 17, 18, 24, and 31 having a significant difference. The basic score for vulnerability 5 in the CVSS evaluation method is 7.5, indicating that vulnerability 5 is not a high-risk vulnerability under the BS evaluation criteria of CVSS. However, vulnerability 5 is located on the logistics system server, and hosts within the network can access this server through the corresponding port. The exploitation of vulnerability 3 or vulnerability 4 on the logistics system server can achieve the effect of obtaining server root permission, and after obtaining root permission, vulnerability 5 can be used to download files in the shared directory to the local area. Therefore, the exploitation of vulnerability 3 or vulnerability 4 reduces the complexity of vulnerability 5 exploitation. Thus, the risk score for vulnerability 5 needs to be adjusted and increased, and the same applies to vulnerabilities 1, 6, and 10. In the CVSS evaluation method, the basic score for vulnerability 17 is 4.3, the impact score is 1.4, and the utilization score is 2.8. Under the evaluation criteria of CVSS, vulnerability 17 is not a high-risk vulnerability. However, vulnerability 17 is located on both the system server and the academic affairs server, and the exploitation of vulnerability 8 on the same device can achieve the effect of taking over the server, thereby obtaining the necessary permissions to exploit vulnerability 17. Therefore, the risk score for vulnerability 17 needs to be adjusted and increased, as well as vulnerabilities 13, 16, and 18. Vulnerability 31 is considered a high-risk vulnerability in the CVSS evaluation method, and when combined with vulnerability 32, it can be exploited to allow unauthorized attackers to remotely execute arbitrary code and obtain system privileges on the server. However, vulnerability 31 requires vulnerability 32 to help it bypass permissions, and the permission requirements for vulnerability 32 are also high. Therefore, the probability of successful exploitation of vulnerability 31 is low, and its risk value should be reduced. The same is true for vulnerability 24.

In the evaluation and verification process of the network risk model, we compared three different detection techniques to comprehensively assess the system’s security and accuracy. First, we used the hidden Markov model (HMM), a temporal probability model evolved from the Markov chain. To calculate the probability $P(S_i\left(t\right)=riskstate)$ that a vulnerability node i is in a risk state at time t, we use the forward algorithm in HMM. The initialization (at t = 1) is as follows (Equation (12)).

$$a_i^k\left(1\right)={\pi }_i^k{b}_i^k\left(O\left(1\right)\right)$$

(12)

where ${\pi }_i^k$ is the probability that node i is initially in state k, and $b_i^k\left(O\left(1\right)\right)$ is the probability of observing $O\left(1\right)$ given that node i is in state k. Next, we proceed with recursion (at $t>1$), as illustrated in Equation (13):

$$a_i^k\left(t\right)=\left(\sum _{j=1}^N{a}_i^j(t-1)a_{ji}\right)b_i^k\left(O\left(t\right)\right)$$

(13)

where $a_{ji}$ is the probability of transitioning from state j to state k. Finally, the probability that vulnerability node i is in a risk state at time t is illustrated in Equation (13):

$$P(S_t\left(t\right)=S_i^k\mid O\left(t\right),\theta )=\sum _{k=1}^N{a}_i^k\left(t\right)$$

(14)

This method quantifies the direct risk of vulnerability nodes by analyzing their security states and risk values at different times. First, for direct risk, we define the direct risk value of vulnerability node i at time t as $R_i^d\left(t\right)$, which can be expressed as follows:

$$R_i^d\left(t\right)=P(S_i\left(t\right)=\mathrm{risk}\mathrm{state})$$

(15)

where $P(S_i\left(t\right)=\mathrm{risk}\mathrm{state})$ represents the probability that node i is in a risk state at time t. Additionally, we consider the correlation between vulnerabilities to quantify the indirect risk between them. For indirect risk, we define the indirect risk value of vulnerability node i due to its association with other nodes j as $R_i^i\left(t\right)$, which can be expressed as follows:

$$R_i^i\left(t\right)=\sum _{j\ne i}P(S_j\left(t\right)=\mathrm{risk}\mathrm{state})\times C_{ji}$$

(16)

where $C_{ji}$ represents the correlation between node i and node j. By combining direct and indirect risks, we can more accurately assess the actual risk condition of the nodes. The comprehensive risk value $S_k\left(t\right)$ of device node k can be expressed as follows:

$$S_k\left(t\right)=\sum _i{w}_{ik}\left(R_i^d\left(t\right)+R_i^i\left(t\right)\right)$$

(17)

where $w_{ik}$ represents the influence weight of vulnerability node i on device node k, and ${\sum }_i{w}_{ik}=1$. By combining direct and indirect risks, we can more accurately assess the actual risk condition of the nodes. Finally, by incorporating the weights of each node in the network, we can comprehensively evaluate the risk of devices in the network, providing strong support for network security management.

Secondly, considering the dynamic impacts of attacks and defenses, we introduced the Stochastic Petri Net (SPN) to evaluate the model. In the validation experiments, device nodes were represented as places, and vulnerability events were simulated as transitions. This representation method allows for intuitive simulation and analysis of the state changes in network devices and the impact of vulnerability events on the network. During the detection process, we first modeled the network devices and vulnerability events to create an initial Petri Net model. Then, we used this model to simulate potential threats and attack paths in the network. The Stochastic Petri Net not only captures the dependencies and interactions between devices but also allows for the addition of random parameters to transitions to simulate uncertainties in real networks, thereby further analyzing the accuracy and robustness of the detection results. Figure A2 shows the Stochastic Petri Net model we constructed based on the experimental network.

Finally, Bayesian networks are probabilistic models that combine probability theory and graph theory to model conditional independence and dependencies among variables. By introducing attack graphs, the relationships between nodes, and the deductive reasoning of Bayesian networks, we can calculate the reachability probability of each node in the graph to quantify, assess, and predict network risk levels. By comprehensively applying these three detection techniques, we can more thoroughly evaluate the accuracy of the proposed model, ensuring its reliability and effectiveness across different dimensions and various scenarios. This multi-angle evaluation method not only improves the precision of detection results but also provides solid data support for optimizing network security strategies. Figure 9 shows how to use reachability probability to calculate the risk probability of device nodes by constructing a Bayesian attack graph through experimental networks. The conditional probability table for the computing node S4, as calculated based on the experimental network, is presented in

Table 6. Conditional probability of node S4 in Bayesian attack graph.

S2	S3	P(S4|S2)		P(S4|S3)
		True	False	True	False
True	True	0.22	0.78	0.28	0.72
True	False	0.22	0.78	0	1
False	True	0	0	0.28	0.72
False	False	0	0	0	1

.

We also compared the results with two commonly used risk assessment methods: hidden Markov model (HMM) and Petri Net. As shown in Figure 9, we found that the prediction results from these methods exhibit trends similar to those of our system, thereby validating the accuracy and effectiveness of our approach. Compared to models that do not consider the relationships between vulnerabilities, our method demonstrates significant differences. For example, the reachability probability prediction for node S4 is almost twice that of the original Bayesian attack graph and the Petri Net method. This difference can be attributed to the successful exploitation of vulnerability CVE-2019-2887 (on which node S4 depends), which in turn is facilitated by the presence of vulnerability CVE-2019-2729, thereby reducing the exploitation difficulty. Consequently, its exploitability PR index decreases from “L” to “N”, increasing the probability of successful exploitation and, thus, the risk of node S4 being compromised. Additionally, another vulnerability on which node S4 depends, CVE-2016-2107, has a high exploitation complexity. Exploiting the parent node vulnerability CVE-2020-1745 on the attack path can grant root access to the server, thereby reducing the exploitation complexity and lowering its exploitability AC index from “H” to “L”.

Furthermore, although the HMM method yields higher risk values than our method for some vulnerabilities, its modeling requires the integration of substantial evidence information and prior knowledge, demanding relatively high data dimensions and computational resources. This can limit the real-time assessment capability in complex network environments. In contrast, the dual-layer knowledge representation learning model adopted in this paper efficiently achieves vulnerability relationship prediction and network risk assessment with less storage space and fewer computational resources, thereby significantly enhancing the system’s response speed and real-time performance.

5. Discussion

With the continuous expansion of computer networks, the number of network vulnerabilities is also increasing year by year, corresponding to network attacks. Attacks and security incidents are becoming increasingly frequent. Due to the fact that attackers often combine and exploit multiple vulnerabilities when launching attacks, determining how to automatically predict the impact relationship between vulnerabilities and combine it with impact relationship prediction in order to achieve attack objectives through holes is important. The risks brought by vulnerability exploitation to the network have become very important. This article addresses the above issues by linking the knowledge graph and predicting the impact relationship between vulnerabilities and combining Bayesian attack graph technology for network risk assessment. The research content is as follows:

• This paper proposes a two-layer knowledge representation learning model that introduces entity attribute information during the knowledge representation learning process, enabling more accurate embedding of entity nodes and thereby enhancing the prediction accuracy of influence relationships among vulnerability entities. Firstly, a knowledge graph of vulnerabilities in the cybersecurity domain is constructed, and the meanings of entities and relationships within the vulnerability knowledge graph are elaborated in detail. Multiple-attribute information of vulnerabilities is analyzed and summarized. Secondly, the proposed two-layer knowledge representation learning model is utilized to represent entities and relationships in vector form. Each vulnerability entity is divided into two parts for representation: one based on structure and the other on attribute information, to better depict the actual meaning of vulnerability entities. Finally, a vulnerability knowledge graph comprising 96,261 entities and 398,220 relationships is constructed, and experiments are conducted on this graph to predict the influence relationships among vulnerability entities. The results demonstrate that the proposed model outperforms the TransE model.
• A vulnerability risk calculation model oriented towards influence relationships is proposed, which realizes the risk assessment and ranking of vulnerabilities existing in network scenarios. This model incorporates factors such as the importance of network devices, the connectivity between devices, and the influence relationships among vulnerabilities. It initializes the model by constructing network device connectivity matrices, device vulnerability matrices, vulnerability relationship matrices, and setting relevant weight parameters. An iterative method is employed to calculate the risk scores and rankings of devices and vulnerabilities, enabling risk assessments of both. Experimental results demonstrate that the proposed vulnerability risk calculation model oriented towards influence relationships can more reasonably evaluate the actual risks of vulnerabilities in specific network scenarios.
• A network risk model based on Bayesian attack graphs (BAGs) is proposed, which enables risk assessment of device nodes in a network. Firstly, a BAG incorporating the influence relationships among vulnerabilities is defined to model the network environment. Secondly, for vulnerability nodes, the exploitation probability is quantified by considering the influence relationships among vulnerabilities. For network device nodes, the conditional probability is calculated based on the parent vulnerability nodes of the device condition nodes. The reachability probability of the device condition nodes is then derived using the joint conditional probability of the current node and its parent nodes, thereby inferring the likelihood of an attacker successfully compromising the device within a given network topology. This provides cybersecurity managers with insights for defense strategy support. Finally, compared to the original BAG method, the proposed model offers a more accurate assessment of the risks associated with the exploitation of vulnerabilities and the compromise of devices within the network.

6. Conclusions

This article studies the automatic prediction of the impact relationship between vulnerabilities, and then proposes a vulnerability risk calculation model and a network risk assessment model based on the Bayesian attack graph of the impact relationship. The proposed model has achieved good performance. However, this study still has certain limitations in terms of depth and breadth. In order to further improve the accuracy and practicality of the model, future research can introduce more advanced neural network methods, such as ConvKB and graph attention network (GAT). These methods have unique advantages in handling complex graph structured data and relationship modeling, and are expected to bring better results for predicting vulnerability impact relationships and risk assessment. Meanwhile, in order to cope with large-scale network environments, using single hot encoding may lead to issues such as high dimensionality. In future research, other encoding techniques such as frequency and target encoding will be used to make it suitable for large datasets.