Security and Safety, Volume 4, 2025
Issue: Security and Safety in Network Simulation and Evaluation
Article Number: 2024019
Number of page(s): 19
Section: Other Fields
DOI: https://doi.org/10.1051/sands/2024019
Published online: 25 February 2025
Research Article
Uncovering multi-step attacks with threat knowledge graph reasoning
1 Peng Cheng Laboratory, Shenzhen, 518000, China
2 CHN Energy, Beijing, 100000, China
3 University of Electronic Science and Technology of China, Shenzhen, 518110, China
4 Harbin Institute of Technology (Shenzhen), Shenzhen, 518055, China
* Corresponding author (email: guzhaoquan@hit.edu.cn)
Received: 29 April 2024 / Revised: 25 October 2024 / Accepted: 29 October 2024
The rapid advancement of information technologies has significantly intensified the focus on cyberspace security across various sectors. In this evolving landscape, attackers deploy many techniques, including exploits, weakness identification, and complex multi-step attacks, to gain unauthorized access to systems. Conversely, defenders harness insights from a variety of sources to pinpoint potential threats. Prominent public cybersecurity databases such as the Adversarial Tactics, Techniques, and Common Knowledge (ATT&CK), Common Attack Pattern Enumeration and Classification (CAPEC), Common Vulnerabilities and Exposures (CVE), Common Weakness Enumeration (CWE), and Common Platform Enumeration (CPE) provide extensive data on security entities and their interrelations, playing a pivotal role in enriching the understanding of cybersecurity challenges and assisting in comprehensive defensive analyses. However, the semantic cross-analysis of these databases, crucial for identifying obscure threat patterns, remains underexploited. In this study, we amalgamate data from these disparate sources into a cohesive threat knowledge graph and introduce a novel knowledge representation learning approach, A4CKGE (ATT&CK-CAPEC-CWE-CVE-CPE Knowledge Graph Embedding). This method utilizes advanced structural and textual analytics to predict interactions among security entities such as products, vulnerabilities, weaknesses, and multi-step attack sequences, employing complex attack templates generated through a Large Language Model (LLM). Our extensive experiments demonstrate that this approach significantly outperforms existing state-of-the-art methods in effectively predicting these relationships. The findings validate the efficacy of our threat knowledge graph in unveiling hidden connections, thereby highlighting its potential to strengthen cybersecurity defenses substantially.
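As an added illustration of the cross-database reasoning the abstract describes (example code written for this page, not the authors' A4CKGE method, which learns embeddings rather than walking explicit paths): a toy threat knowledge graph built from constructed placeholder triples along the CPE-CVE-CWE-CAPEC-ATT&CK chain, with a multi-hop check of whether a product is exposed to every step of a multi-step attack template. All IDs, relation names and the `multi_step_exposure` function are assumptions made for this example.

```python
from collections import defaultdict

# Constructed sample triples with placeholder IDs (not real CVE/CWE/CAPEC/ATT&CK entries)
# modelling the cross-database links: CPE -> CVE -> CWE -> CAPEC -> ATT&CK technique.
TRIPLES = [
    ("cpe:/a:vendorx:webportal:1.0", "affected_by", "CVE-0000-0001"),
    ("CVE-0000-0001", "has_weakness", "CWE-0001"),
    ("CWE-0001", "exploited_by", "CAPEC-0001"),
    ("CAPEC-0001", "maps_to", "T0001"),
    ("cpe:/a:vendorx:webportal:1.0", "affected_by", "CVE-0000-0002"),
    ("CVE-0000-0002", "has_weakness", "CWE-0002"),
    ("CWE-0002", "exploited_by", "CAPEC-0002"),
    ("CAPEC-0002", "maps_to", "T0002"),
    ("cpe:/a:vendory:agent:2.3", "affected_by", "CVE-0000-0003"),
    ("CVE-0000-0003", "has_weakness", "CWE-0001"),
]

def build_graph(triples):
    """Adjacency list: head -> [(relation, tail), ...]."""
    graph = defaultdict(list)
    for head, rel, tail in triples:
        graph[head].append((rel, tail))
    return graph

def find_paths(graph, start, goal, max_hops=4):
    """All simple paths start -> goal of at most max_hops edges, as (relation, node) steps."""
    paths, stack = [], [(start, [])]
    while stack:
        node, steps = stack.pop()
        if node == goal:
            paths.append(steps)  # the step list is the evidence chain for this link
        elif len(steps) < max_hops:
            for rel, nxt in graph.get(node, []):
                if nxt != start and all(nxt != n for _, n in steps):  # no cycles
                    stack.append((nxt, steps + [(rel, nxt)]))
    return paths

def multi_step_exposure(graph, product, template):
    """Evidence per technique of an ordered multi-step template reachable from product,
    or None as soon as one step has no supporting path (the product is not exposed)."""
    evidence = {}
    for technique in template:
        paths = find_paths(graph, product, technique)
        if not paths:
            return None
        evidence[technique] = paths
    return evidence
```

Calling `multi_step_exposure(build_graph(TRIPLES), "cpe:/a:vendorx:webportal:1.0", ["T0001", "T0002"])` returns one evidence chain per technique, while the vendory agent fails the template because nothing links it to T0002.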
Key words: Security database / Knowledge graph embedding / Knowledge graph reasoning
Citation: Xiang X, Ma C, Zeng L, Feng W, Xie Y and Gu Z. Uncovering multi-step attacks with threat knowledge graph reasoning. Security and Safety 2025; 4: 2024019. https://doi.org/10.1051/sands/2024019
© The Author(s) 2025. Published by EDP Sciences and China Science Publishing & Media Ltd.
This is an Open Access article distributed under the terms of the Creative Commons Attribution License (https://creativecommons.org/licenses/by/4.0), which permits unrestricted use, distribution, and reproduction in any medium, provided the original work is properly cited.