Attack Hypotheses Generation Based on Threat Intelligence Knowledge Graph

Florian Klaus Kaiser, Uriel Dardik, Aviad Elitzur, Polina Zilberman, Nir Daniel, Marcus Wiens, Frank Schultmann, Yuval Elovici, Rami Puzis

Research output: Contribution to journal › Article › peer-review

7 Scopus citations


Cyber threat intelligence on past attacks may help with attack reconstruction and the prediction of the course of an ongoing attack by providing deeper understanding of the tools and attack patterns used by attackers. Therefore, cyber security analysts employ threat intelligence, alert correlations, machine learning, and advanced visualizations in order to produce sound attack hypotheses. In this article, we present AttackDB, a multi-level threat knowledge base that combines data from multiple threat intelligence sources to associate high-level ATT&CK techniques with low-level telemetry found in behavioral malware reports. We also present the Attack Hypothesis Generator which relies on knowledge graph traversal algorithms and a variety of link prediction methods to automatically infer ATT&CK techniques from a set of observable artifacts. Results of experiments performed with 53K VirusTotal reports indicate that the proposed algorithms employed by the Attack Hypothesis Generator are able to produce accurate adversarial technique hypotheses with a mean average precision greater than 0.5 and area under the receiver operating characteristic curve of over 0.8 when it is implemented on the basis of AttackDB. The presented toolkit will help analysts to improve the accuracy of attack hypotheses and to automate the attack hypothesis generation process.

Original language: English
Pages (from-to): 4793-4809
Number of pages: 17
Journal: IEEE Transactions on Dependable and Secure Computing
Issue number: 6
State: Published - 4 Jan 2023


  • Attack hypotheses
  • cyber threat intelligence
  • data fusion
  • link prediction

ASJC Scopus subject areas

  • Electrical and Electronic Engineering
  • General Computer Science
