AURA: A Multi-Agent Intelligence Framework for Knowledge-Enhanced Cyber Threat Attribution
Nanda Rani, Sandeep Kumar Shukla

TL;DR
AURA is a multi-agent framework that leverages retrieval-augmented generation and large language models to improve the accuracy, interpretability, and scalability of cyber threat attribution for advanced persistent threats.
Contribution
This paper introduces AURA, a novel multi-agent, knowledge-enhanced system that combines RAG and LLMs for automated, interpretable, and scalable APT attribution.
Findings
High attribution consistency on recent APT campaigns
Expert-aligned natural language justifications
Scalable retrieval and reasoning across attack phases
Abstract
Effective attribution of Advanced Persistent Threats (APTs) increasingly hinges on the ability to correlate behavioral patterns and reason over complex, varied threat intelligence artifacts. We present AURA (Attribution Using Retrieval-Augmented Agents), a multi-agent, knowledge-enhanced framework for automated and interpretable APT attribution. AURA ingests diverse threat data including Tactics, Techniques, and Procedures (TTPs), Indicators of Compromise (IoCs), malware details, adversarial tools, and temporal information, which are processed through a network of collaborative agents. These agents are designed for intelligent query rewriting, context-enriched retrieval from structured threat knowledge bases, and natural language justification of attribution decisions. By combining Retrieval-Augmented Generation (RAG) with Large Language Models (LLMs), AURA enables contextual linking of…
Taxonomy
Topics: Cybercrime and Law Enforcement Studies · Explainable Artificial Intelligence (XAI) · Information and Cyber Security
