{"id":"https://openalex.org/W7154016164","doi":"https://doi.org/10.1007/s10207-026-01254-w","title":"From logs to tactics: unsupervised reconstruction of APT campaigns with MITRE-enriched meta-alerts","display_name":"From logs to tactics: unsupervised reconstruction of APT campaigns with MITRE-enriched meta-alerts","publication_year":2026,"publication_date":"2026-04-13","ids":{"openalex":"https://openalex.org/W7154016164","doi":"https://doi.org/10.1007/s10207-026-01254-w"},"language":"en","primary_location":{"id":"doi:10.1007/s10207-026-01254-w","is_oa":true,"landing_page_url":"https://doi.org/10.1007/s10207-026-01254-w","pdf_url":"https://link.springer.com/content/pdf/10.1007/s10207-026-01254-w.pdf","source":{"id":"https://openalex.org/S164062316","display_name":"International Journal of Information Security","issn_l":"1615-5262","issn":["1615-5262","1615-5270"],"is_oa":false,"is_in_doaj":false,"is_core":true,"host_organization":"https://openalex.org/P4310319900","host_organization_name":"Springer Science+Business Media","host_organization_lineage":["https://openalex.org/P4310319900","https://openalex.org/P4310319965"],"host_organization_lineage_names":["Springer Science+Business Media","Springer Nature"],"type":"journal"},"license":"cc-by","license_id":"https://openalex.org/licenses/cc-by","version":"publishedVersion","is_accepted":true,"is_published":true,"raw_source_name":"International Journal of Information Security","raw_type":"journal-article"},"type":"article","indexed_in":["crossref"],"open_access":{"is_oa":true,"oa_status":"hybrid","oa_url":"https://link.springer.com/content/pdf/10.1007/s10207-026-01254-w.pdf","any_repository_has_fulltext":false},"authorships":[{"author_position":"first","author":{"id":"https://openalex.org/A5092779917","display_name":"Francesco Ferazza","orcid":"https://orcid.org/0009-0005-3280-2678"},"institutions":[{"id":"https://openalex.org/I184558857","display_name":"Royal Holloway University of London","ror":"https://ror.org/04g2vpn86","country_code":"GB","type":"education","lineage":["https://openalex.org/I124357947","https://openalex.org/I184558857"]},{"id":"https://openalex.org/I4210166050","display_name":"H\u00f4pital Militaire Moulay Ismail","ror":"https://ror.org/02x0hgx61","country_code":"MA","type":"healthcare","lineage":["https://openalex.org/I4210166050"]}],"countries":["GB","MA"],"is_corresponding":true,"raw_author_name":"Francesco Ferazza","raw_affiliation_strings":["Marina Militare, Rome, Italy","Royal Holloway University of London, Egham, UK"],"affiliations":[{"raw_affiliation_string":"Marina Militare, Rome, Italy","institution_ids":["https://openalex.org/I4210166050"]},{"raw_affiliation_string":"Royal Holloway University of London, Egham, UK","institution_ids":["https://openalex.org/I184558857"]}]},{"author_position":"middle","author":{"id":"https://openalex.org/A5092779918","display_name":"Cosimo Melella","orcid":"https://orcid.org/0009-0009-6970-9396"},"institutions":[{"id":"https://openalex.org/I111112146","display_name":"Tallinn University of Technology","ror":"https://ror.org/0443cwa12","country_code":"EE","type":"education","lineage":["https://openalex.org/I111112146"]}],"countries":["EE"],"is_corresponding":false,"raw_author_name":"Cosimo Melella","raw_affiliation_strings":["Tallinn University of Technology, Tallinn, Estonia"],"affiliations":[{"raw_affiliation_string":"Tallinn University of Technology, Tallinn, Estonia","institution_ids":["https://openalex.org/I111112146"]}]},{"author_position":"middle","author":{"id":"https://openalex.org/A5133495989","display_name":"Konstantinos Mersinas","orcid":null},"institutions":[{"id":"https://openalex.org/I184558857","display_name":"Royal Holloway University of London","ror":"https://ror.org/04g2vpn86","country_code":"GB","type":"education","lineage":["https://openalex.org/I124357947","https://openalex.org/I184558857"]}],"countries":["GB"],"is_corresponding":false,"raw_author_name":"Konstantinos Mersinas","raw_affiliation_strings":["Royal Holloway University of London, Egham, UK"],"affiliations":[{"raw_affiliation_string":"Royal Holloway University of London, Egham, UK","institution_ids":["https://openalex.org/I184558857"]}]},{"author_position":"middle","author":{"id":"https://openalex.org/A5028282216","display_name":"Ricardo G. Lugo","orcid":"https://orcid.org/0000-0003-2012-5700"},"institutions":[{"id":"https://openalex.org/I111112146","display_name":"Tallinn University of Technology","ror":"https://ror.org/0443cwa12","country_code":"EE","type":"education","lineage":["https://openalex.org/I111112146"]}],"countries":["EE"],"is_corresponding":false,"raw_author_name":"Ricardo Lugo","raw_affiliation_strings":["Tallinn University of Technology, Tallinn, Estonia"],"affiliations":[{"raw_affiliation_string":"Tallinn University of Technology, Tallinn, Estonia","institution_ids":["https://openalex.org/I111112146"]}]},{"author_position":"last","author":{"id":"https://openalex.org/A5133508901","display_name":"Rain Ottis","orcid":null},"institutions":[{"id":"https://openalex.org/I111112146","display_name":"Tallinn University of Technology","ror":"https://ror.org/0443cwa12","country_code":"EE","type":"education","lineage":["https://openalex.org/I111112146"]}],"countries":["EE"],"is_corresponding":false,"raw_author_name":"Rain Ottis","raw_affiliation_strings":["Tallinn University of Technology, Tallinn, Estonia"],"affiliations":[{"raw_affiliation_string":"Tallinn University of Technology, Tallinn, Estonia","institution_ids":["https://openalex.org/I111112146"]}]}],"institutions":[],"countries_distinct_count":3,"institutions_distinct_count":5,"corresponding_author_ids":["https://openalex.org/A5092779917"],"corresponding_institution_ids":["https://openalex.org/I184558857","https://openalex.org/I4210166050"],"apc_list":{"value":2590,"currency":"EUR","value_usd":3190},"apc_paid":{"value":2590,"currency":"EUR","value_usd":3190},"fwci":0.0,"has_fulltext":true,"cited_by_count":0,"citation_normalized_percentile":{"value":0.93887195,"is_in_top_1_percent":false,"is_in_top_10_percent":true},"cited_by_percentile_year":null,"biblio":{"volume":"25","issue":"3","first_page":null,"last_page":null},"is_retracted":false,"is_paratext":false,"is_xpac":false,"primary_topic":{"id":"https://openalex.org/T10400","display_name":"Network Security and Intrusion Detection","score":0.2583000063896179,"subfield":{"id":"https://openalex.org/subfields/1705","display_name":"Computer Networks and Communications"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},"topics":[{"id":"https://openalex.org/T10400","display_name":"Network Security and Intrusion Detection","score":0.2583000063896179,"subfield":{"id":"https://openalex.org/subfields/1705","display_name":"Computer Networks and Communications"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},{"id":"https://openalex.org/T12127","display_name":"Software System Performance and Reliability","score":0.17890000343322754,"subfield":{"id":"https://openalex.org/subfields/1705","display_name":"Computer Networks and Communications"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},{"id":"https://openalex.org/T11512","display_name":"Anomaly Detection Techniques and Applications","score":0.07069999724626541,"subfield":{"id":"https://openalex.org/subfields/1702","display_name":"Artificial Intelligence"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}}],"keywords":[{"id":"https://openalex.org/keywords/cluster-analysis","display_name":"Cluster analysis","score":0.5928000211715698},{"id":"https://openalex.org/keywords/malware","display_name":"Malware","score":0.4221000075340271},{"id":"https://openalex.org/keywords/triage","display_name":"Triage","score":0.4203000068664551},{"id":"https://openalex.org/keywords/pipeline","display_name":"Pipeline (software)","score":0.3869999945163727},{"id":"https://openalex.org/keywords/analytics","display_name":"Analytics","score":0.36890000104904175},{"id":"https://openalex.org/keywords/graph","display_name":"Graph","score":0.36739999055862427},{"id":"https://openalex.org/keywords/event","display_name":"Event (particle physics)","score":0.34209999442100525},{"id":"https://openalex.org/keywords/intrusion-detection-system","display_name":"Intrusion detection system","score":0.33970001339912415},{"id":"https://openalex.org/keywords/language-model","display_name":"Language model","score":0.33070001006126404}],"concepts":[{"id":"https://openalex.org/C41008148","wikidata":"https://www.wikidata.org/wiki/Q21198","display_name":"Computer science","level":0,"score":0.8680999875068665},{"id":"https://openalex.org/C73555534","wikidata":"https://www.wikidata.org/wiki/Q622825","display_name":"Cluster analysis","level":2,"score":0.5928000211715698},{"id":"https://openalex.org/C154945302","wikidata":"https://www.wikidata.org/wiki/Q11660","display_name":"Artificial intelligence","level":1,"score":0.47429999709129333},{"id":"https://openalex.org/C119857082","wikidata":"https://www.wikidata.org/wiki/Q2539","display_name":"Machine learning","level":1,"score":0.42649999260902405},{"id":"https://openalex.org/C541664917","wikidata":"https://www.wikidata.org/wiki/Q14001","display_name":"Malware","level":2,"score":0.4221000075340271},{"id":"https://openalex.org/C2777120189","wikidata":"https://www.wikidata.org/wiki/Q780067","display_name":"Triage","level":2,"score":0.4203000068664551},{"id":"https://openalex.org/C43521106","wikidata":"https://www.wikidata.org/wiki/Q2165493","display_name":"Pipeline (software)","level":2,"score":0.3869999945163727},{"id":"https://openalex.org/C79158427","wikidata":"https://www.wikidata.org/wiki/Q485396","display_name":"Analytics","level":2,"score":0.36890000104904175},{"id":"https://openalex.org/C132525143","wikidata":"https://www.wikidata.org/wiki/Q141488","display_name":"Graph","level":2,"score":0.36739999055862427},{"id":"https://openalex.org/C124101348","wikidata":"https://www.wikidata.org/wiki/Q172491","display_name":"Data mining","level":1,"score":0.3601999878883362},{"id":"https://openalex.org/C2779662365","wikidata":"https://www.wikidata.org/wiki/Q5416694","display_name":"Event (particle physics)","level":2,"score":0.34209999442100525},{"id":"https://openalex.org/C35525427","wikidata":"https://www.wikidata.org/wiki/Q745881","display_name":"Intrusion detection system","level":2,"score":0.33970001339912415},{"id":"https://openalex.org/C137293760","wikidata":"https://www.wikidata.org/wiki/Q3621696","display_name":"Language model","level":2,"score":0.33070001006126404},{"id":"https://openalex.org/C187191949","wikidata":"https://www.wikidata.org/wiki/Q1138496","display_name":"Profiling (computer programming)","level":2,"score":0.31859999895095825},{"id":"https://openalex.org/C90805587","wikidata":"https://www.wikidata.org/wiki/Q10944557","display_name":"Word (group theory)","level":2,"score":0.30709999799728394},{"id":"https://openalex.org/C25810664","wikidata":"https://www.wikidata.org/wiki/Q44325","display_name":"Ontology","level":2,"score":0.30390000343322754},{"id":"https://openalex.org/C145804949","wikidata":"https://www.wikidata.org/wiki/Q478123","display_name":"Situation awareness","level":2,"score":0.30379998683929443},{"id":"https://openalex.org/C84418412","wikidata":"https://www.wikidata.org/wiki/Q3246940","display_name":"Digital forensics","level":2,"score":0.3000999987125397},{"id":"https://openalex.org/C155911762","wikidata":"https://www.wikidata.org/wiki/Q422321","display_name":"Blueprint","level":2,"score":0.2919999957084656},{"id":"https://openalex.org/C8038995","wikidata":"https://www.wikidata.org/wiki/Q1152135","display_name":"Unsupervised learning","level":2,"score":0.2879999876022339},{"id":"https://openalex.org/C184337299","wikidata":"https://www.wikidata.org/wiki/Q1437428","display_name":"Semantics (computer science)","level":2,"score":0.2816999852657318},{"id":"https://openalex.org/C50644808","wikidata":"https://www.wikidata.org/wiki/Q192776","display_name":"Artificial neural network","level":2,"score":0.2786000072956085},{"id":"https://openalex.org/C142944206","wikidata":"https://www.wikidata.org/wiki/Q1786137","display_name":"Proactivity","level":2,"score":0.2782000005245209},{"id":"https://openalex.org/C66322947","wikidata":"https://www.wikidata.org/wiki/Q11658","display_name":"Transformer","level":3,"score":0.27149999141693115},{"id":"https://openalex.org/C2779343474","wikidata":"https://www.wikidata.org/wiki/Q3109175","display_name":"Context (archaeology)","level":2,"score":0.26429998874664307},{"id":"https://openalex.org/C195324797","wikidata":"https://www.wikidata.org/wiki/Q33742","display_name":"Natural language","level":2,"score":0.2623000144958496},{"id":"https://openalex.org/C177774035","wikidata":"https://www.wikidata.org/wiki/Q1246948","display_name":"Granularity","level":2,"score":0.25999999046325684},{"id":"https://openalex.org/C2522767166","wikidata":"https://www.wikidata.org/wiki/Q2374463","display_name":"Data science","level":1,"score":0.2581999897956848},{"id":"https://openalex.org/C178489894","wikidata":"https://www.wikidata.org/wiki/Q8789","display_name":"Cryptography","level":2,"score":0.25589999556541443}],"mesh":[],"locations_count":1,"locations":[{"id":"doi:10.1007/s10207-026-01254-w","is_oa":true,"landing_page_url":"https://doi.org/10.1007/s10207-026-01254-w","pdf_url":"https://link.springer.com/content/pdf/10.1007/s10207-026-01254-w.pdf","source":{"id":"https://openalex.org/S164062316","display_name":"International Journal of Information Security","issn_l":"1615-5262","issn":["1615-5262","1615-5270"],"is_oa":false,"is_in_doaj":false,"is_core":true,"host_organization":"https://openalex.org/P4310319900","host_organization_name":"Springer Science+Business Media","host_organization_lineage":["https://openalex.org/P4310319900","https://openalex.org/P4310319965"],"host_organization_lineage_names":["Springer Science+Business Media","Springer Nature"],"type":"journal"},"license":"cc-by","license_id":"https://openalex.org/licenses/cc-by","version":"publishedVersion","is_accepted":true,"is_published":true,"raw_source_name":"International Journal of Information Security","raw_type":"journal-article"}],"best_oa_location":{"id":"doi:10.1007/s10207-026-01254-w","is_oa":true,"landing_page_url":"https://doi.org/10.1007/s10207-026-01254-w","pdf_url":"https://link.springer.com/content/pdf/10.1007/s10207-026-01254-w.pdf","source":{"id":"https://openalex.org/S164062316","display_name":"International Journal of Information Security","issn_l":"1615-5262","issn":["1615-5262","1615-5270"],"is_oa":false,"is_in_doaj":false,"is_core":true,"host_organization":"https://openalex.org/P4310319900","host_organization_name":"Springer Science+Business Media","host_organization_lineage":["https://openalex.org/P4310319900","https://openalex.org/P4310319965"],"host_organization_lineage_names":["Springer Science+Business Media","Springer Nature"],"type":"journal"},"license":"cc-by","license_id":"https://openalex.org/licenses/cc-by","version":"publishedVersion","is_accepted":true,"is_published":true,"raw_source_name":"International Journal of Information Security","raw_type":"journal-article"},"sustainable_development_goals":[{"display_name":"Peace, Justice and strong institutions","score":0.41185232996940613,"id":"https://metadata.un.org/sdg/16"}],"awards":[],"funders":[],"has_content":{"grobid_xml":true,"pdf":true},"content_urls":{"pdf":"https://content.openalex.org/works/W7154016164.pdf","grobid_xml":"https://content.openalex.org/works/W7154016164.grobid-xml"},"referenced_works_count":15,"referenced_works":["https://openalex.org/W178280372","https://openalex.org/W2084512860","https://openalex.org/W2601243251","https://openalex.org/W2767094836","https://openalex.org/W2970641574","https://openalex.org/W2997634552","https://openalex.org/W3008066310","https://openalex.org/W3083012366","https://openalex.org/W4213009331","https://openalex.org/W4226346873","https://openalex.org/W4319079731","https://openalex.org/W4376480418","https://openalex.org/W4388571717","https://openalex.org/W4390679748","https://openalex.org/W4408343551"],"related_works":[],"abstract_inverted_index":{"Abstract":[0],"The":[1,112],"operational":[2],"effectiveness":[3],"of":[4,45,51,67,114,140,172,205],"Security":[5],"Operation":[6],"Centres":[7],"(SOCs)":[8],"is":[9,117],"increasingly":[10],"hindered":[11],"as":[12],"analysts":[13],"are":[14,195],"overwhelmed":[15],"with":[16,108,130],"low-signal":[17],"alerts":[18,107],"from":[19,85,152,218],"heterogeneous":[20],"detection":[21],"systems,":[22],"leading":[23],"to":[24,31,80,105,167,222],"cognitive":[25],"fatigue":[26],"and":[27,48,95,165],"impairing":[28],"the":[29,43,49,64,137,153,169,179],"ability":[30],"detect":[32],"complex,":[33],"multi-stage":[34],"intrusions":[35],"like":[36],"Advanced":[37],"Persistent":[38],"Threats":[39],"(APTs).":[40],"To":[41],"overcome":[42],"limitations":[44],"heuristic-based":[46],"aggregation":[47],"brittleness":[50],"supervised":[52],"models":[53],"in":[54,185,227],"data-scarce":[55],"environments,":[56],"we":[57],"present":[58,144],"a":[59,118,126,131,145,182,213],"fully":[60],"unsupervised":[61],"framework":[62,180],"for":[63,92,216],"automated":[65],"generation":[66],"high-level,":[68],"MITRE":[69],"ATT&amp;CK-enriched":[70],"meta-alerts.":[71],"Our":[72,175],"pipeline":[73],"systematically":[74],"integrates":[75],"Graph":[76],"Neural":[77],"Networks":[78],"(GNNs)":[79],"reconstruct":[81],"coherent":[82],"event":[83],"sequences":[84],"noisy":[86],"telemetry,":[87],"Large":[88],"Language":[89],"Models":[90],"(LLMs)":[91],"contextual":[93,110],"summarization,":[94],"an":[96,203],"advanced":[97],"semantic":[98,133],"clustering":[99],"module":[100],"based":[101],"on":[102],"transformer":[103],"embeddings":[104],"group":[106],"high":[109],"fidelity.":[111],"core":[113],"our":[115,173,198],"contribution":[116],"novel":[119],"hybrid":[120,199],"mapping":[121,200],"engine":[122,201],"that":[123,178,191],"synergistically":[124],"fuses":[125],"symbolic":[127],"cybersecurity":[128],"ontology":[129],"BERT-based":[132],"classifier,":[134],"demonstrably":[135],"overcoming":[136],"individual":[138],"weaknesses":[139],"each":[141],"approach.":[142],"We":[143],"rigorous":[146],"empirical":[147],"evaluation":[148],"using":[149],"large-scale":[150],"datasets":[151],"NATO":[154],"CCDCOE":[155],"Crossed":[156],"Swords":[157],"exercise":[158],"(XS),":[159],"intentionally":[160],"retaining":[161],"their":[162],"inherent":[163],"noise":[164],"heterogeneity":[166],"validate":[168],"real-world":[170],"applicability":[171],"framework.":[174],"results":[176],"demonstrate":[177],"achieves":[181,202],"significant":[183],"reduction":[184],"alert":[186,220],"triage":[187,221],"volume":[188],"while":[189],"ensuring":[190],"no":[192],"critical":[193],"threats":[194],"dropped.":[196],"Notably,":[197],"F1-score":[204],"87%,":[206],"outperforming":[207],"non-hybrid":[208],"baselines.":[209],"This":[210],"work":[211],"provides":[212],"validated":[214],"blueprint":[215],"moving":[217],"reactive":[219],"proactive,":[223],"context-aware":[224],"threat":[225],"investigation":[226],"modern":[228],"SOCs.":[229]},"counts_by_year":[],"updated_date":"2026-04-15T05:59:14.812645","created_date":"2026-04-14T00:00:00"}