Attack hypothesis generation

Aviad Elitzur, Rami Puzis, Polina Zilberman

Research output: Chapter in Book/Report/Conference proceedingConference contributionpeer-review

7 Scopus citations


In recent years, the perpetrators of cyber-attacks have been playing a dynamic cat and mouse game with cybersecurity analysts who try to trace the attack and reconstruct the attack steps. While analysts rely on alert correlations, machine learning, and advanced visualizations in order to come up with sound attack hypotheses, they primarily rely on their knowledge and experience. Cyber Threat Intelligence (CTI) on past similar attacks may help with attack reconstruction by providing a deeper understanding of the tools and attack patterns used by attackers. In this paper, we present the Attack Hypothesis Generator (AHG) which takes advantage of a knowledge graph derived from threat intelligence in order to generate hypotheses regarding attacks that may be present in an organizational network. Based on five recommendation algorithms we have developed and preliminary analysis provided by a security analyst, AHG provides an attack hypothesis comprised of yet unobserved attack patterns and tools presumed to have been used by the attacker. The proposed algorithms can help security analysts by improving attack reconstruction and proposing new directions for investigation. Experiments show that when implemented with the MITRE ATTCK knowledge graph, our algorithms can significantly increase the accuracy of the analyst's preliminary analysis.

Original languageEnglish
Title of host publicationProceedings of the 2019 European Intelligence and Security Informatics Conference, EISIC 2019
EditorsJoel Brynielsson
PublisherInstitute of Electrical and Electronics Engineers
Number of pages8
ISBN (Electronic)9781728167350
StatePublished - 1 Nov 2019
Event2019 European Intelligence and Security Informatics Conference, EISIC 2019 - Oulu, Finland
Duration: 26 Nov 201927 Nov 2019

Publication series

NameProceedings of the 2019 European Intelligence and Security Informatics Conference, EISIC 2019


Conference2019 European Intelligence and Security Informatics Conference, EISIC 2019


  • Attack hypothesis
  • Knowledge graphs
  • Threat intelligence

ASJC Scopus subject areas

  • Artificial Intelligence
  • Computer Science Applications
  • Information Systems
  • Information Systems and Management
  • Safety, Risk, Reliability and Quality


Dive into the research topics of 'Attack hypothesis generation'. Together they form a unique fingerprint.

Cite this