A Compact Vulnerability Knowledge Graph for Risk Assessment

Software vulnerabilities, also known as flaws, bugs or weaknesses, are common in modern informationsystems, putting critical data of organizations and individuals at cyber risk. Due to the scarcity of resources,initial risk assessment is becoming a necessary step to prioritize vulnerabilities and make better decisions onremediation, mitigation, and patching. Datasets containing historical vulnerability information are crucialdigital assets to enable AI-based risk assessments. However, existing datasets focus on collecting informationon individual vulnerabilities while simply storing them in relational databases, disregarding their structuralconnections. This article constructs a compact vulnerability knowledge graph, VulKG, containing over 276 Knodes and 1 M relationships to represent the connections between vulnerabilities, exploits, affected products,vendors, referred domain names, and more. We provide a detailed analysis of VulKG modeling and construction,demonstrating VulKG-based query and reasoning, and providing a use case of applying VulKG to a vulnerabilityrisk assessment task, i.e., co-exploitation behavior discovery. Experimental results demonstrate the value ofgraph connections in vulnerability risk assessment tasks. VulKG offers exciting opportunities for more noveland significant research in areas related to vulnerability risk assessment.