{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,4,13]],"date-time":"2026-04-13T10:05:22Z","timestamp":1776074722126,"version":"3.50.1"},"reference-count":33,"publisher":"Springer Science and Business Media LLC","issue":"3","license":[{"start":{"date-parts":[[2026,4,13]],"date-time":"2026-04-13T00:00:00Z","timestamp":1776038400000},"content-version":"tdm","delay-in-days":0,"URL":"https:\/\/creativecommons.org\/licenses\/by\/4.0"},{"start":{"date-parts":[[2026,4,13]],"date-time":"2026-04-13T00:00:00Z","timestamp":1776038400000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/creativecommons.org\/licenses\/by\/4.0"}],"content-domain":{"domain":["link.springer.com"],"crossmark-restriction":false},"short-container-title":["Int. J. Inf. Secur."],"abstract":"<jats:title>Abstract<\/jats:title>\n                  <jats:p>The operational effectiveness of Security Operation Centres (SOCs) is increasingly hindered as analysts are overwhelmed with low-signal alerts from heterogeneous detection systems, leading to cognitive fatigue and impairing the ability to detect complex, multi-stage intrusions like Advanced Persistent Threats (APTs). To overcome the limitations of heuristic-based aggregation and the brittleness of supervised models in data-scarce environments, we present a fully unsupervised framework for the automated generation of high-level, MITRE ATT&amp;CK-enriched meta-alerts. Our pipeline systematically integrates Graph Neural Networks (GNNs) to reconstruct coherent event sequences from noisy telemetry, Large Language Models (LLMs) for contextual summarization, and an advanced semantic clustering module based on transformer embeddings to group alerts with high contextual fidelity. The core of our contribution is a novel hybrid mapping engine that synergistically fuses a symbolic cybersecurity ontology with a BERT-based semantic classifier, demonstrably overcoming the individual weaknesses of each approach. We present a rigorous empirical evaluation using large-scale datasets from the NATO CCDCOE Crossed Swords exercise (XS), intentionally retaining their inherent noise and heterogeneity to validate the real-world applicability of our framework. Our results demonstrate that the framework achieves a significant reduction in alert triage volume while ensuring that no critical threats are dropped. Notably, our hybrid mapping engine achieves an F1-score of 87%, outperforming non-hybrid baselines. This work provides a validated blueprint for moving from reactive alert triage to proactive, context-aware threat investigation in modern SOCs.<\/jats:p>","DOI":"10.1007\/s10207-026-01254-w","type":"journal-article","created":{"date-parts":[[2026,4,13]],"date-time":"2026-04-13T09:27:35Z","timestamp":1776072455000},"update-policy":"https:\/\/doi.org\/10.1007\/springer_crossmark_policy","source":"Crossref","is-referenced-by-count":0,"title":["From logs to tactics: unsupervised reconstruction of APT campaigns with MITRE-enriched meta-alerts"],"prefix":"10.1007","volume":"25","author":[{"given":"Francesco","family":"Ferazza","sequence":"first","affiliation":[]},{"given":"Cosimo","family":"Melella","sequence":"additional","affiliation":[]},{"given":"Konstantinos","family":"Mersinas","sequence":"additional","affiliation":[]},{"given":"Ricardo","family":"Lugo","sequence":"additional","affiliation":[]},{"given":"Rain","family":"Ottis","sequence":"additional","affiliation":[]}],"member":"297","published-online":{"date-parts":[[2026,4,13]]},"reference":[{"key":"1254_CR1","unstructured":"CrowdStrike, Advanced Persistent Threats (APT) Explained, (2024). [Online]. Available: https:\/\/www.crowdstrike.com\/en-us\/cybersecurity-101\/threat-intelligence\/advanced-persistent-threat-apt\/. Accessed: May 2025"},{"key":"1254_CR2","doi-asserted-by":"publisher","DOI":"10.1016\/j.cose.2023.103583","volume":"137","author":"X Wang","year":"2024","unstructured":"Wang, X., Yang, X., Liang, X., Zhang, X., Zhang, W., Gong, X.: Combating alert fatigue with AlertPro: Context-aware alert prioritization using reinforcement learning for multi-step attack detection. Computers & Security 137, 103583 (2024)","journal-title":"Computers & Security"},{"issue":"9","key":"1254_CR3","doi-asserted-by":"publisher","first-page":"1","DOI":"10.1145\/3723158","volume":"57","author":"S Tariq","year":"2025","unstructured":"Tariq, S., Chhetri, M.B., Nepal, S., Paris, C.: Alert fatigue in security operations centres: Research challenges and opportunities. ACM Comput. Surv. 57(9), 1\u201338 (2025)","journal-title":"ACM Comput. Surv."},{"key":"1254_CR4","unstructured":"MITRE Corporation, \u201cMITRE ATT&CK,\u201d Accessed: May 2025. [Online]. Available: https:\/\/attack.mitre.org\/"},{"key":"1254_CR5","doi-asserted-by":"publisher","first-page":"162642","DOI":"10.1109\/ACCESS.2020.3021499","volume":"8","author":"M Khosravi","year":"2020","unstructured":"Khosravi, M., Tork Ladani, B.: Alerts correlation and causal analysis for APT based cyber attack detection. IEEE Access 8, 162642\u2013162656 (2020)","journal-title":"IEEE Access"},{"key":"1254_CR6","doi-asserted-by":"crossref","unstructured":"Wei, S., et al.: \u201cFusing security alerts improves cyber-security: An alert normalization framework for heterogeneous devices,\u201d IEEE Transactions on Dependable and Secure Computing, (2023)","DOI":"10.1109\/DSC59305.2023.00011"},{"key":"1254_CR7","doi-asserted-by":"crossref","unstructured":"Wang, T., et al.: Identifying truly suspicious events and false alarms based on alert graph, In: Proc. IEEE Int. Conf, Communications (ICC) (2020)","DOI":"10.1109\/BigData47090.2019.9006555"},{"key":"1254_CR8","unstructured":"Kipf, T.N., Welling, M.: Variational graph auto-encoders, arXiv preprint arXiv:1611.07308 (2016)"},{"key":"1254_CR9","unstructured":"Devlin, J., et al.: BERT: Pre-training of deep bidirectional transformers for language understanding, arXiv preprint arXiv:1810.04805 (2018)"},{"key":"1254_CR10","unstructured":"IBM and Morning Consult, Global Security Operations Center Study Results, (2023). [Online]. Available: https:\/\/www.ibm.com\/downloads\/cas\/5AEDAOJN. Accessed: May 2025"},{"key":"1254_CR11","unstructured":"NATO Cooperative Cyber Defence Centre of Excellence, Crossed Swords, (2024). [Online]. Available: https:\/\/ccdcoe.org\/exercises\/crossed-swords\/. Accessed: May 2025"},{"key":"1254_CR12","doi-asserted-by":"crossref","unstructured":"Ranade, P., Piplai, A., Joshi, A., Finin, T.: Cybert: contextualized embeddings for the cybersecurity domain. In: 2021 IEEE International Conference on Big Data (Big Data), pp. 3334\u20133342. IEEE (2021)","DOI":"10.1109\/BigData52589.2021.9671824"},{"key":"1254_CR13","unstructured":"Strom, B.E., Applebaum, A., Miller, D.P., Nickels, K.C., Pennington, A.G., Thomas, C.B.: \u201cMITRE ATT&CK: Design and philosophy,\u201d MITRE Corp., Tech. Rep., (2018)"},{"key":"1254_CR14","unstructured":"Piet, J., Fang, V., Khare, R., Coull, S., Paxson, V., Popa, R.A., Wagner, D.: Semantic-aware parsing for security logs. arXiv [Internet] (2025). arXiv:2506.17512. Available from: https:\/\/arxiv.org\/abs\/2506.17512. Cited 7 Apr 2026"},{"key":"1254_CR15","unstructured":"Ester, M., Kriegel, H.-P., Sander, J., Xu, X.: A density-based algorithm for discovering clusters in large spatial databases with noise, In: Proc. 2nd Int. Conf. Knowledge Discovery and Data Mining (KDD), pp.\u00a0226\u2013231 (1996)"},{"key":"1254_CR16","unstructured":"Sozol, M.S., Saki, G.M., Rahman, M.M.: Anomaly detection in cybersecurity with graph-based approaches. Int. J. Sci. Res. Eng. Manag. (IJSREM) 8(8), 1\u20137 (2024)"},{"key":"1254_CR17","doi-asserted-by":"crossref","unstructured":"Bilot, T., El Madhoun, N., Al Agha, K., Zouaoui, A.: Graph neural networks for intrusion detection: a survey. IEEE Access 11, 49114\u201349139 (2023)","DOI":"10.1109\/ACCESS.2023.3275789"},{"key":"1254_CR18","doi-asserted-by":"publisher","first-page":"278","DOI":"10.1016\/j.future.2015.01.001","volume":"55","author":"M Ahmed","year":"2016","unstructured":"Ahmed, M., Mahmood, A.N., Islam, M.R.: A survey of anomaly detection techniques in financial domain. Futur. Gener. Comput. Syst. 55, 278\u2013288 (2016)","journal-title":"Futur. Gener. Comput. Syst."},{"key":"1254_CR19","doi-asserted-by":"crossref","unstructured":"Reimers, N., Gurevych, I.: Sentence-BERT: Sentence embeddings using siamese BERT-networks, In: Proc. Conf. Empirical Methods in Natural Language Processing (EMNLP), pp.\u00a03982\u20133992 (2019)","DOI":"10.18653\/v1\/D19-1410"},{"issue":"11","key":"1254_CR20","doi-asserted-by":"publisher","first-page":"205","DOI":"10.21105\/joss.00205","volume":"2","author":"L McInnes","year":"2017","unstructured":"McInnes, L., Healy, J., Astels, S.: hdbscan: Hierarchical density based clustering. Journal of Open Source Software 2(11), 205 (2017)","journal-title":"Journal of Open Source Software"},{"key":"1254_CR21","unstructured":"Syed, Z., Padia, A., Finin, T.: UCO: A unified cybersecurity ontology, In: Proc. AAAI Workshop on Artificial Intelligence for Cyber Security (2016)"},{"key":"1254_CR22","doi-asserted-by":"crossref","unstructured":"Aghaei, E., Niu, X., Shadid, W., Al-Shaer, E.: SecureBERT: a domain-specific language model for cybersecurity. In: Li, F., Liang, K., Lin, Z., Katsikas, S.K. (eds.) Security and Privacy in Communication Networks. Secure Comm 2022. Lecture Notes of the Institute for Computer Sciences, Social Informatics and Telecommunications Engineering, vol. 462. Springer, Cham. https:\/\/doi.org\/10.1007\/978-3-031-25538-0_3 (2023)","DOI":"10.1007\/978-3-031-25538-0_3"},{"key":"1254_CR23","doi-asserted-by":"crossref","unstructured":"Piplai, A., Mittal, S., Joshi, A., Finin, T., Holt, J., Zak, R.: Creating cybersecurity knowledge graphs from malware after action reports. IEEE Access 8, 211691\u2013211703 (2020)","DOI":"10.1109\/ACCESS.2020.3039234"},{"key":"1254_CR24","first-page":"80","volume":"1","author":"EM Hutchins","year":"2011","unstructured":"Hutchins, E.M., Cloppert, M.J., Amin, R.M.: Intelligence-driven computer network defense informed by analysis of adversary campaigns and intrusion kill chains. Leading Issues in Information Warfare and Security Research 1, 80 (2011)","journal-title":"Leading Issues in Information Warfare and Security Research"},{"key":"1254_CR25","doi-asserted-by":"crossref","unstructured":"Mirheidari, S.A., Arshad, S., Jalili, R.: Alert correlation algorithms: A survey and taxonomy. In: International Symposium on Cyberspace Safety and Security, pp. 183\u2013197. Springer International Publishing, Cham (2013)","DOI":"10.1007\/978-3-319-03584-0_14"},{"key":"1254_CR26","unstructured":"Davies, T.: Topological data analysis for anomaly detection in host-based logs, arXiv preprint arXiv:2204.07074 (2022)"},{"key":"1254_CR27","unstructured":"Huang, Y., Feng, X., Feng, X., Qin, B.: The factual inconsistency problem in abstractive text summarization: A survey, arXiv preprint arXiv:2104.14839 (2021)"},{"key":"1254_CR28","unstructured":"Sharma, A.R.: How MITRE ATT&CK alignment supercharges your SIEM, Securonix Blog (2025)"},{"key":"1254_CR29","unstructured":"Albanese, M.: et al.: Towards AI-driven human-machine co-teaming for adaptive and agile cyber security operation centers, arXiv preprint arXiv:2501.01234, (2025)"},{"key":"1254_CR30","unstructured":"MITRE Corporation, CALDERA: Automated Adversary Emulation System, (2024). [Online]. Available: https:\/\/caldera.mitre.org\/. Accessed: May 2025"},{"key":"1254_CR31","doi-asserted-by":"crossref","unstructured":"Du, M., et al.: DeepLog: Anomaly detection and diagnosis from system logs through deep learning, In: Proc. ACM SIGSAC Conf. Computer and Communications Security, pp.\u00a01285\u20131298 (2017)","DOI":"10.1145\/3133956.3134015"},{"key":"1254_CR32","unstructured":"OpenAI, GPT-3.5-turbo model card, (2023). [Online]. Available: https:\/\/platform.openai.com\/docs\/models\/gpt-3-5-turbo. Accessed: May 2025"},{"key":"1254_CR33","doi-asserted-by":"crossref","unstructured":"Manning, C.D., Raghavan, P., Sch\u00fctze, H.: Introduction to Information Retrieval. Cambridge University Press, ch.\u00a08 (2008) (Evaluation in information retrieval)","DOI":"10.1017\/CBO9780511809071"}],"container-title":["International Journal of Information Security"],"original-title":[],"language":"en","link":[{"URL":"https:\/\/link.springer.com\/content\/pdf\/10.1007\/s10207-026-01254-w.pdf","content-type":"application\/pdf","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/link.springer.com\/article\/10.1007\/s10207-026-01254-w","content-type":"text\/html","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/link.springer.com\/content\/pdf\/10.1007\/s10207-026-01254-w.pdf","content-type":"application\/pdf","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2026,4,13]],"date-time":"2026-04-13T09:28:08Z","timestamp":1776072488000},"score":1,"resource":{"primary":{"URL":"https:\/\/link.springer.com\/10.1007\/s10207-026-01254-w"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2026,4,13]]},"references-count":33,"journal-issue":{"issue":"3","published-online":{"date-parts":[[2026,6]]}},"alternative-id":["1254"],"URL":"https:\/\/doi.org\/10.1007\/s10207-026-01254-w","relation":{},"ISSN":["1615-5270"],"issn-type":[{"value":"1615-5270","type":"electronic"}],"subject":[],"published":{"date-parts":[[2026,4,13]]},"assertion":[{"value":"28 January 2026","order":1,"name":"received","label":"Received","group":{"name":"ArticleHistory","label":"Article History"}},{"value":"3 April 2026","order":2,"name":"accepted","label":"Accepted","group":{"name":"ArticleHistory","label":"Article History"}},{"value":"13 April 2026","order":3,"name":"first_online","label":"First Online","group":{"name":"ArticleHistory","label":"Article History"}},{"order":1,"name":"Ethics","group":{"name":"EthicsHeading","label":"Declarations"}},{"value":"The authors declare no competing interests.","order":2,"name":"Ethics","group":{"name":"EthicsHeading","label":"Competing Interests"}},{"value":"The results\/data\/figures in this manuscript have not been published elsewhere, nor are they under consideration by another publisher.","order":3,"name":"Ethics","group":{"name":"EthicsHeading","label":"Dual Publication"}},{"value":"All of the material is owned by the authors and\/or no permissions are required.","order":4,"name":"Ethics","group":{"name":"EthicsHeading","label":"Third Party Material"}}],"article-number":"79"}}