Publication Type
Journal Article
Version
publishedVersion
Publication Date
3-2025
Abstract
Attack graph construction seeks to convert textual cyber threat intelligence (CTI) reports into structured representations, portraying the evolutionary traces of cyber attacks. Even though previous research has proposed various methods to construct attack graphs, they generally suffer from limited generalization capability to diverse knowledge types as well as a requirement of expertise in model design and tuning. Addressing these limitations, we seek to utilize Large Language Models (LLMs), which have achieved enormous success in a broad range of tasks given exceptional capabilities in both language understanding and zero-shot task fulfillment. Thus, we propose a fully automatic LLM-based framework to construct attack graphs named AttacKG+. Our framework consists of four consecutive modules: rewriter, parser, identifier, and summarizer, each of which is implemented by instruction prompting and in-context learning empowered by LLMs. Furthermore, we upgrade the existing attack knowledge schema and propose a comprehensive version. We represent a cyber attack as a temporally unfolding event, each temporal step of which encapsulates three layers of representation, including behavior graph, MITRE TTP labels, and state summary. Extensive evaluation demonstrates that: (1) our formulation seamlessly satisfies the information needs in threat event analysis, (2) our construction framework is effective in faithfully and accurately extracting the information defined by AttacKG+, and (3) our attack graph directly benefits downstream security practices such as attack reconstruction. All the code and datasets will be released upon acceptance.
Keywords
Cyber threat intelligence analysis, Attack graph construction, Large Language Models
Discipline
Artificial Intelligence and Robotics | Programming Languages and Compilers
Research Areas
Intelligent Systems and Optimization
Areas of Excellence
Digital transformation
Publication
Computers and Security
Volume
150
First Page
1
Last Page
16
ISSN
0167-4048
Identifier
10.1016/j.cose.2024.104220
Publisher
Elsevier
Citation
ZHANG, Yongheng; DU, Tingwen; MA, Yunshan; WANG, Xiang; XIE, Yi; YANG, Guozheng; LU, Yuliang; and CHANG, Ee‑Chien.
AttacKG+: Boosting attack graph construction with large language models. (2025). Computers and Security. 150, 1-16.
Available at: https://ink.library.smu.edu.sg/sis_research/10929
Creative Commons License

This work is licensed under a Creative Commons Attribution-NonCommercial-No Derivative Works 4.0 International License.
Included in
Artificial Intelligence and Robotics Commons, Programming Languages and Compilers Commons