KillChainGraph: ML Framework for Predicting and Mapping ATT&CK Techniques
This work addresses the need for proactive cyber defense by enabling interpretable attack path forecasting, though it is incremental as it builds on existing datasets and models.
The paper tackles the problem of predicting and mapping cyberattack techniques by developing a phase-aware, multi-model machine learning framework that emulates adversarial behavior across the Cyber Kill Chain phases, achieving F1-scores from 97.47% to 99.83% with an ensemble method.
The escalating complexity and volume of cyberattacks demand proactive detection strategies that go beyond traditional rule-based systems. This paper presents a phase-aware, multi-model machine learning framework that emulates adversarial behavior across the seven phases of the Cyber Kill Chain using the MITRE ATT&CK Enterprise dataset. Techniques are semantically mapped to phases via ATTACK-BERT, producing seven phase-specific datasets. We evaluate LightGBM, a custom Transformer encoder, fine-tuned BERT, and a Graph Neural Network (GNN), integrating their outputs through a weighted soft voting ensemble. Inter-phase dependencies are modeled using directed graphs to capture attacker movement from reconnaissance to objectives. The ensemble consistently achieved the highest scores, with F1-scores ranging from 97.47% to 99.83%, surpassing GNN performance (97.36% to 99.81%) by 0.03% to 0.20% across phases. This graph-driven, ensemble-based approach enables interpretable attack path forecasting and strengthens proactive cyber defense.
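To make the two mechanisms in the abstract concrete, the following is an added example (not code from the paper or its authors) of (a) a weighted soft voting ensemble over per-model class probabilities and (b) a directed graph of kill-chain phase dependencies used to forecast the most likely attack path. Every number in it (the per-model probability vectors, the ensemble weights, the edge weights, and the technique labels chosen for the phase) is a constructed sample value, not a result from the paper; the function names are the example's own.

```python
"""Added illustration of weighted soft voting and phase-graph path forecasting.
All probabilities, weights and labels are constructed sample values."""
from typing import Dict, List, Tuple

# Constructed candidate techniques for one phase (labels are illustrative only).
LABELS = ["T1595", "T1589", "T1590"]

# Constructed per-model probability vectors for a single input sample.
MODEL_PROBS: Dict[str, List[float]] = {
    "lightgbm":    [0.60, 0.30, 0.10],
    "transformer": [0.50, 0.40, 0.10],
    "bert":        [0.20, 0.70, 0.10],
    "gnn":         [0.35, 0.55, 0.10],
}

# Constructed ensemble weights; in practice these come from validation scores.
WEIGHTS: Dict[str, float] = {"lightgbm": 0.2, "transformer": 0.2,
                             "bert": 0.3, "gnn": 0.3}

# Kill-chain phases in order; edges only point forward, so the graph is a DAG.
PHASES = ["reconnaissance", "weaponization", "delivery", "exploitation",
          "installation", "command_and_control", "actions_on_objectives"]

# Constructed inter-phase dependency graph: edge weight = estimated
# probability that an attacker in phase u moves next to phase v.
PHASE_GRAPH: Dict[str, Dict[str, float]] = {
    "reconnaissance":      {"weaponization": 0.7, "delivery": 0.3},
    "weaponization":       {"delivery": 1.0},
    "delivery":            {"exploitation": 0.9, "installation": 0.1},
    "exploitation":        {"installation": 0.8, "command_and_control": 0.2},
    "installation":        {"command_and_control": 1.0},
    "command_and_control": {"actions_on_objectives": 1.0},
    "actions_on_objectives": {},
}


def soft_vote(probs: Dict[str, List[float]], weights: Dict[str, float]) -> List[float]:
    """Weighted average of the models' probability vectors (weights normalised)."""
    total = sum(weights[m] for m in probs)
    n = len(next(iter(probs.values())))
    combined = [0.0] * n
    for model, vec in probs.items():
        if len(vec) != n:
            raise ValueError(f"{model}: expected {n} classes, got {len(vec)}")
        w = weights[model] / total
        for i, p in enumerate(vec):
            combined[i] += w * p
    return combined


def ensemble_predict(probs: Dict[str, List[float]], weights: Dict[str, float],
                     labels: List[str]) -> str:
    """Label with the highest soft-voted probability."""
    combined = soft_vote(probs, weights)
    return labels[max(range(len(combined)), key=combined.__getitem__)]


def most_likely_path(graph: Dict[str, Dict[str, float]], start: str,
                     goal: str) -> Tuple[List[str], float]:
    """Max-product path from start to goal over the phase DAG.
    Phases are processed in PHASES order, which is a valid topological order
    because every edge points forward in the kill chain."""
    best = {p: 0.0 for p in PHASES}
    prev: Dict[str, str] = {}
    best[start] = 1.0
    for u in PHASES:
        if best[u] == 0.0:
            continue
        for v, w in graph[u].items():
            if best[u] * w > best[v]:
                best[v] = best[u] * w
                prev[v] = u
    if best[goal] == 0.0:
        return [], 0.0
    path, node = [goal], goal
    while node != start:
        node = prev[node]
        path.append(node)
    return path[::-1], best[goal]


if __name__ == "__main__":
    print("ensemble label:", ensemble_predict(MODEL_PROBS, WEIGHTS, LABELS))
    path, prob = most_likely_path(PHASE_GRAPH, "reconnaissance", "actions_on_objectives")
    print("forecast path:", " -> ".join(path), f"(p={prob:.3f})")
```

With the constructed inputs, a plain majority vote over the four models' argmax labels would tie (two models favour the first label, two the second), whereas soft voting resolves it by weighting the calibrated probabilities; the phase graph then yields a single highest-probability path from reconnaissance to actions on objectives together with its product probability, which is the interpretable "attack path forecast" the abstract refers to.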