Cyber Kill Chain-based Multi-stage Attack Detection Using Graph Neural Networks
Abstract
Advanced persistent threats (APTs) and multi-stage cyberattacks have grown considerably in sophistication, systematically evading conventional rule-based intrusion detection systems. This study presents a novel detection framework that integrates the cyber kill chain (CKC) model with heterogeneous graph attention networks (HGAT) to enable accurate, stage-aware identification of complex attack campaigns in enterprise networks. By representing network telemetry, system call traces, and authentication logs as heterogeneous graphs, the proposed approach captures structural dependencies and temporal correlations across all seven CKC phases—from reconnaissance through actions on objectives. Experimental evaluation on four benchmark datasets—DARPA TC, CICIDS-2018, LANL 2015, and UNSW-NB15—demonstrates an overall detection accuracy of 97.40%, a macro F1-score of 96.93%, and a false positive rate of 1.80%, outperforming seven state-of-the-art baseline methods by significant margins. Stage-level analysis confirms consistently high detection rates across all CKC phases, while ablation studies validate the critical contribution of each architectural component. The results confirm that graph-based relational modelling combined with kill chain semantics provides a robust and interpretable solution for next-generation threat detection, with computational characteristics consistent with near-real-time enterprise deployment pending field validation.
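The following Python example is added here as an illustration and is not code from the paper or its authors. It shows the data representation the abstract describes at a small scale: network flows, authentication events and process executions are folded into one heterogeneous graph, each edge is tagged with a cyber kill chain phase, and the graph is searched for a connected, time-ordered, phase-ordered chain that reads as a multi-stage campaign. The rule-based phase tagger stands in for the learned HGAT stage classifier; the node and edge types, the tagging rules and the sample records are all assumptions constructed for this example.

```python
"""Heterogeneous event graph with cyber kill chain (CKC) phase tagging.

Added illustration, not code from the paper: telemetry of three kinds is
folded into one typed graph, every edge carries a CKC phase tag, and the
graph is searched for a connected, time-ordered, phase-ordered chain.
The rule-based tagger is an assumption standing in for a learned
stage classifier; node/edge types, rules and records are constructed.
"""
from collections import defaultdict

CKC_PHASES = ["reconnaissance", "weaponization", "delivery", "exploitation",
              "installation", "command_and_control", "actions_on_objectives"]
PHASE_INDEX = {p: i for i, p in enumerate(CKC_PHASES)}


class HeteroGraph:
    """Typed nodes plus typed, timestamped, phase-tagged directed edges."""

    def __init__(self):
        self.nodes = {}                    # node_id -> node type
        self.edges = []                    # (src, dst, edge_type, ts, phase)
        self.incident = defaultdict(list)  # node_id -> indices of touching edges

    def add_edge(self, src, src_type, dst, dst_type, edge_type, ts, phase):
        self.nodes[src] = src_type
        self.nodes[dst] = dst_type
        self.edges.append((src, dst, edge_type, ts, phase))
        idx = len(self.edges) - 1
        self.incident[src].append(idx)
        self.incident[dst].append(idx)


def tag_phase(rec):
    """Map one raw record to a CKC phase with hand-written rules (assumption).
    None means no stage signal. Weaponization happens off the network and is
    therefore never observable from victim-side telemetry."""
    kind = rec["kind"]
    if kind == "flow":
        if rec.get("syn_only"):
            return "reconnaissance"
        if rec.get("beacon"):
            return "command_and_control"
        if rec.get("bytes_out", 0) > 50_000_000:
            return "actions_on_objectives"
    elif kind == "auth":
        if rec["result"] == "success" and rec.get("failures_before", 0) >= 5:
            return "exploitation"
    elif kind == "proc":
        if rec["parent"] in ("winword.exe", "excel.exe", "outlook.exe"):
            return "delivery"
        if rec.get("persistence"):
            return "installation"
    return None


def build_graph(records):
    """Fold heterogeneous telemetry into one graph; each edge keeps its phase tag."""
    g = HeteroGraph()
    for rec in sorted(records, key=lambda r: r["ts"]):
        phase = tag_phase(rec)
        if rec["kind"] == "flow":
            g.add_edge(rec["src"], "host", rec["dst"], "host", "flow", rec["ts"], phase)
        elif rec["kind"] == "auth":
            g.add_edge(rec["user"], "user", rec["host"], "host", "auth", rec["ts"], phase)
        elif rec["kind"] == "proc":
            g.add_edge(rec["host"], "host", rec["image"], "process", "exec", rec["ts"], phase)
    return g


def longest_kill_chain(g):
    """DFS for the longest edge chain in which each edge shares a node with the
    previous one, occurs strictly later, and sits at a strictly later CKC phase."""
    best = []

    def extend(chain):
        nonlocal best
        if len(chain) > len(best):
            best = list(chain)
        last = g.edges[chain[-1]]
        for node in (last[0], last[1]):
            for j in g.incident[node]:
                cand = g.edges[j]
                if j in chain or cand[4] is None:
                    continue
                if cand[3] > last[3] and PHASE_INDEX[cand[4]] > PHASE_INDEX[last[4]]:
                    chain.append(j)
                    extend(chain)
                    chain.pop()

    for i, e in enumerate(g.edges):
        if e[4] is not None:
            extend([i])
    return [g.edges[i] for i in best]


def detect_campaign(records, min_phases=3):
    """Return the detected campaign (phases, hosts, time span) or None."""
    g = build_graph(records)
    chain = longest_kill_chain(g)
    if len(chain) < min_phases:
        return None
    hosts = sorted({n for e in chain for n in e[:2] if g.nodes[n] == "host"})
    return {"phases": [e[4] for e in chain], "hosts": hosts,
            "span_seconds": chain[-1][3] - chain[0][3]}


# Constructed sample telemetry (not from any dataset): one campaign against
# 10.0.1.20 interleaved with benign activity on 10.0.1.30.
SAMPLE_RECORDS = [
    {"kind": "flow", "ts": 100, "src": "198.51.100.7", "dst": "10.0.1.20", "syn_only": True},
    {"kind": "auth", "ts": 120, "user": "bob", "host": "10.0.1.30", "result": "success"},
    {"kind": "flow", "ts": 130, "src": "10.0.1.30", "dst": "10.0.2.5", "bytes_out": 1200},
    {"kind": "proc", "ts": 220, "host": "10.0.1.20", "image": "powershell.exe", "parent": "winword.exe"},
    {"kind": "auth", "ts": 300, "user": "alice", "host": "10.0.1.20", "result": "success", "failures_before": 7},
    {"kind": "proc", "ts": 350, "host": "10.0.1.20", "image": "svc_update.exe", "parent": "powershell.exe", "persistence": True},
    {"kind": "flow", "ts": 400, "src": "10.0.1.20", "dst": "203.0.113.9", "beacon": True},
    {"kind": "flow", "ts": 900, "src": "10.0.1.20", "dst": "203.0.113.9", "bytes_out": 80_000_000},
]

if __name__ == "__main__":
    print(detect_campaign(SAMPLE_RECORDS))
```

Two design points carry over to the full-scale setting the abstract describes. First, the phase tag sits on the edge, not the node, so a host can be the target of one phase and the source of the next, which is exactly what lets the chain search pivot through a compromised machine. Second, the chain requires both temporal and kill-chain ordering; the benign records never produce a phase tag and so contribute nothing, which is the mechanism that keeps isolated events (a single failed login, a single large transfer) from being reported as a campaign.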