KillChainGraph: ML Framework for Predicting and Mapping ATT&CK Techniques
Chitraksh Singh, Monisha Dhanraj, Ken Huang

TL;DR
This paper introduces KillChainGraph, a machine learning framework that predicts and maps cyberattack techniques across the entire Kill Chain, utilizing ensemble models and graph-based dependencies for improved proactive cybersecurity defense.
Contribution
It presents a novel phase-aware, multi-model ML framework with semantic mapping and graph modeling to predict attack phases and paths, outperforming existing methods.
Findings
Ensemble approach achieved F1-scores up to 99.83%.
Graph modeling improved inter-phase dependency understanding.
Semantic mapping via ATTACK-BERT enhanced phase-specific data accuracy.
Abstract
The escalating complexity and volume of cyberattacks demand proactive detection strategies that go beyond traditional rule-based systems. This paper presents a phase-aware, multi-model machine learning framework that emulates adversarial behavior across the seven phases of the Cyber Kill Chain using the MITRE ATT&CK Enterprise dataset. Techniques are semantically mapped to phases via ATTACK-BERT, producing seven phase-specific datasets. We evaluate LightGBM, a custom Transformer encoder, fine-tuned BERT, and a Graph Neural Network (GNN), integrating their outputs through a weighted soft voting ensemble. Inter-phase dependencies are modeled using directed graphs to capture attacker movement from reconnaissance to objectives. The ensemble consistently achieved the highest scores, with F1-scores ranging from 97.47% to 99.83%, surpassing GNN performance (97.36% to 99.81%) by 0.03%–0.20%…
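The weighted soft voting step named in the abstract, as an added example that is not the paper's code: each model emits a probability distribution over one phase's technique labels, and the ensemble takes the weight-normalized average. The weights, the `technique_A`/`B`/`C` labels and all scores are constructed assumptions; the paper's actual weights are not given on this page.

```python
# Added illustration (not the paper's code): weighted soft voting for one phase.
# Model names follow the abstract; weights, labels and scores are constructed.
from collections import Counter

def soft_vote(probs_by_model, weights):
    """Return (winning label, combined distribution) under weighted soft voting."""
    if set(probs_by_model) != set(weights):
        raise ValueError("every model needs exactly one weight")
    total_w = sum(weights.values())
    if total_w <= 0:
        raise ValueError("weights must sum to a positive value")
    labels = set(next(iter(probs_by_model.values())))
    combined = dict.fromkeys(sorted(labels), 0.0)
    for model, probs in probs_by_model.items():
        if set(probs) != labels:
            raise ValueError(f"{model} scores a different label set")
        if abs(sum(probs.values()) - 1.0) > 1e-6:
            raise ValueError(f"{model} output is not a probability distribution")
        for label, p in probs.items():
            combined[label] += weights[model] * p / total_w
    return max(combined, key=combined.get), combined

def hard_vote(probs_by_model):
    """Unweighted majority over each model's top label, for comparison."""
    tops = [max(sorted(p), key=p.get) for p in probs_by_model.values()]
    return Counter(tops).most_common(1)[0][0]

# Constructed weights (assumption): the GNN is trusted most.
WEIGHTS = {"lightgbm": 0.15, "transformer": 0.20, "bert": 0.25, "gnn": 0.40}

# Constructed scores for one sample in one phase-specific dataset.
SCORES = {
    "lightgbm":    {"technique_A": 0.60, "technique_B": 0.30, "technique_C": 0.10},
    "transformer": {"technique_A": 0.50, "technique_B": 0.40, "technique_C": 0.10},
    "bert":        {"technique_A": 0.50, "technique_B": 0.45, "technique_C": 0.05},
    "gnn":         {"technique_A": 0.10, "technique_B": 0.85, "technique_C": 0.05},
}

if __name__ == "__main__":
    label, dist = soft_vote(SCORES, WEIGHTS)
    print("hard vote:", hard_vote(SCORES))
    print("soft vote:", label, {k: round(v, 4) for k, v in dist.items()})
```

On this constructed sample three of the four models rank `technique_A` first, yet the weighted average selects `technique_B` because the highest-weighted model is confident and the others are close to split.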
