METHOD FOR DETECTING PATTERNS IN THE EVOLUTION OF CYBERATTACK TECHNIQUES BASED ON TOPOLOGICAL DATA ANALYSIS

DOI:

https://doi.org/10.28925/2663-4023.2025.29.933

Keywords:

cyber resilience, artificial intelligence, information and communication system, patterns, evolution of cyber attacks, topological data analysis

Abstract

In the context of improving the cyber resilience of special information and communication systems (ICS), the paper considers the task of studying the evolution of cyber attacks, a task made necessary by their increasing dynamism and unpredictability. It is shown that existing approaches (temporal graphs, assessment of technique prevalence, chain analysis, change detection, comparison of taxonomy versions) mostly capture statistical and sequential aspects and do not reveal hidden invariants and structural relationships between cyberattack techniques. A method based on topological data analysis is proposed: techniques are modelled in a common, interpretable space of structural, graph and semantic features (without neural-network compression), and a weighted cosine distance is used to construct Vietoris–Rips simplicial complexes and dynamic persistence diagrams with consistent cross-version matching of homology classes. Thresholds are standardized and characteristics are unified for inter-version comparability; criteria and parameters are fixed, ensuring reproducibility of results and independence of conclusions from the choice of scale. The method identifies two types of patterns: topological trends (changes in connectivity, fragmentation and cyclicality of the technique space over time) and trajectory invariants, i.e. chains of homology classes tracked continuously across versions using formal coverage and persistence criteria. A demonstration analysis of the MITRE ATT&CK taxonomy (versions 14.1–17.0) revealed a pattern of change with significant restructuring in major releases and a tendency towards fragmentation of the technique space. Integral invariants are interpreted as stable boundaries (contours) between clusters of techniques and can be used to predict changes and plan analytics updates, implementing the principle of cyber resilience evolution.
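The abstract's pipeline (weighted cosine distance, Vietoris–Rips filtration, persistence, cross-version comparison at a standardized scale) reduced to its 0-dimensional case, as an added example that is not the paper's code: H0 bars of the Rips filtration are computed with union-find over sorted edges, and two constructed "taxonomy versions" are compared by the number of connected components at one fixed scale. Feature vectors, weights and technique names are hypothetical, not taken from ATT&CK.

```python
import math
from itertools import combinations

def weighted_cosine_distance(u, v, w):
    """1 - weighted cosine similarity of equal-length vectors u, v (weights w)."""
    dot = sum(wi * a * b for wi, a, b in zip(w, u, v))
    nu = math.sqrt(sum(wi * a * a for wi, a in zip(w, u)))
    nv = math.sqrt(sum(wi * b * b for wi, b in zip(w, v)))
    return 1.0 if nu == 0 or nv == 0 else 1.0 - dot / (nu * nv)

def h0_persistence(points, w):
    """Finite H0 bars of the Vietoris-Rips filtration over the weighted
    cosine distance: every point is born at scale 0 and dies at the edge
    length that merges its component into another (union-find, sorted edges).
    Returns the sorted death scales; the surviving component is infinite."""
    parent = {n: n for n in points}
    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]  # path halving
            x = parent[x]
        return x
    edges = sorted((weighted_cosine_distance(points[a], points[b], w), a, b)
                   for a, b in combinations(sorted(points), 2))
    deaths = []
    for d, a, b in edges:
        ra, rb = find(a), find(b)
        if ra != rb:
            parent[rb] = ra
            deaths.append(round(d, 6))
    return deaths

def components_at(deaths, n, eps):
    """Connected components (rank of H0) of the Rips complex at scale eps."""
    return n - sum(1 for d in deaths if d <= eps)

def compare_versions(old, new, w, eps):
    """Topological trend between two taxonomy versions at one standardized
    scale eps: more H0 components at eps means a more fragmented space."""
    c_old = components_at(h0_persistence(old, w), len(old), eps)
    c_new = components_at(h0_persistence(new, w), len(new), eps)
    trend = ("fragmentation" if c_new > c_old else
             "consolidation" if c_new < c_old else "stable")
    return {"components_old": c_old, "components_new": c_new, "trend": trend}

# Constructed (hypothetical) feature vectors per technique, e.g. counts of
# sub-techniques, mitigations, data sources, platforms; weights are assumed.
WEIGHTS = [1.0, 1.0, 0.5, 0.5]
VERSION_OLD = {"T1": [1, 0, 1, 0], "T2": [1, 0, 1, 1], "T3": [0, 1, 0, 1]}
VERSION_NEW = dict(VERSION_OLD, T4=[0, 1, 1, 0])  # one technique added in the next release
```

Because the scale eps is fixed before the comparison, the verdict depends only on the data, which is the reproducibility property the abstract requires; run `compare_versions(VERSION_OLD, VERSION_NEW, WEIGHTS, 0.2)` to see the constructed release classified as fragmentation.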

Published

2025-09-26

How to Cite

Fesokha, V., & Subach, I. (2025). METHOD FOR DETECTING PATTERNS IN THE EVOLUTION OF CYBERATTACK TECHNIQUES BASED ON TOPOLOGICAL DATA ANALYSIS. Electronic Professional Scientific Journal «Cybersecurity: Education, Science, Technique», 1(29), 717–731. https://doi.org/10.28925/2663-4023.2025.29.933