Commenced in January 2007
Frequency: Monthly
Edition: International
Paper Count: 31097
A Reasoning Method of Cyber-Attack Attribution Based on Threat Intelligence

Authors: Li Qiang, Yang Ze-Ming, Liu Bao-Xu, Jiang Zheng-Wei


With the increasing complexity of cyberspace security, the cyber-attack attribution has become an important challenge of the security protection systems. The difficult points of cyber-attack attribution were forced on the problems of huge data handling and key data missing. According to this situation, this paper presented a reasoning method of cyber-attack attribution based on threat intelligence. The method utilizes the intrusion kill chain model and Bayesian network to build attack chain and evidence chain of cyber-attack on threat intelligence platform through data calculation, analysis and reasoning. Then, we used a number of cyber-attack events which we have observed and analyzed to test the reasoning method and demo system, the result of testing indicates that the reasoning method can provide certain help in cyber-attack attribution.

Keywords: Reasoning, Bayesian networks, Threat Intelligence, cyber-attack attribution, Kill Chain

Digital Object Identifier (DOI):

Procedia APA BibTeX Chicago EndNote Harvard JSON MLA RIS XML ISO 690 PDF Downloads 2016


[1] Trend Micro, Targetted Attacks (EB/OL). http://www.trendmicr, 2016-3-11.
[2] Wheeler D A, Larsen G N. Techniques for cyber attack attribution (R). Institute for Defense Analyses Alexandria VA, 2003.
[3] Kantzer Khanwei. Cyber Attack Attribution: An Asymmetrical Risk to US National Security (D). Princeton University Princeton, New Jersey, 2011.
[4] Tony Code. Attributions and Arrests: Lessons from Chinese Hacker (EB/OL). attributions_andarr.html, 2015-11-03.
[5] Hutchins E M, Cloppert M J, Amin R M. Intelligence-driven computer network defense informed by analysis of adversary campaigns and intrusion kill chains (J). Leading Issues in Information Warfare & Security Research, 2011, 1: 80.
[6] Caltagirone S, Pendergast A, Betz C. The diamond model of intrusion analysis (R). Center for Cyber Intelligence Analysis and Threat Research Hanover MD, 2013.
[7] ThreatConnect Inc. Methodology Creating Order, Pivot by Pivot (EB/OL)., 2016-3-13.
[8] ThreatConnect Inc., Defense Group Inc. CAMERASHY- Closing the Aperture on China’s Unit 78020 (EB/OL).,2015-9-24.
[9] Zhai Y, Ning P, Iyer P, et al. Reasoning about complementary intrusion evidence (C)//Computer Security Applications Conference, 2004. 20th Annual. IEEE, 2004: 39-48.
[10] Ning P, Xu D, Healey C G, et al. Building Attack Scenarios through Integration of Complementary Alert Correlation Method (C) //NDSS. 2004, 4: 97-111.
[11] Wee Y Y, Cheah W P, Tan S C, et al. Causal Discovery and Reasoning for Intrusion Detection using Bayesian Network (J). International Journal of Machine Learning and Computing, 2011, 1(2): 185.
[12] Gartner. Definition: Threat Intelligence (EB/OL). https://www.,2013-5-16.
[13] Paul Gervais, Nine Cyber Security Trends for 2016 (EB/OL)., 2015-12-15.
[14] Ji J Z, Liu C N, Sha Z Q. Bayesian Belief Network Model Learning, Inference and Applications (J). Computer Engineering and Applications, 2003, 39(5): 24-27.
[15] Liu J N. Research on Bayesian Networks Inference (M). Hefei. Hefei University of Technology,2007.