{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,7,13]],"date-time":"2026-07-13T18:04:26Z","timestamp":1783965866650,"version":"3.55.0"},"reference-count":53,"publisher":"Elsevier BV","license":[{"start":{"date-parts":[[2026,11,1]],"date-time":"2026-11-01T00:00:00Z","timestamp":1793491200000},"content-version":"tdm","delay-in-days":0,"URL":"https:\/\/www.elsevier.com\/tdm\/userlicense\/1.0\/"},{"start":{"date-parts":[[2026,11,1]],"date-time":"2026-11-01T00:00:00Z","timestamp":1793491200000},"content-version":"tdm","delay-in-days":0,"URL":"https:\/\/www.elsevier.com\/legal\/tdmrep-license"},{"start":{"date-parts":[[2026,6,27]],"date-time":"2026-06-27T00:00:00Z","timestamp":1782518400000},"content-version":"vor","delay-in-days":0,"URL":"http:\/\/creativecommons.org\/licenses\/by-nc-nd\/4.0\/"}],"content-domain":{"domain":["elsevier.com","sciencedirect.com"],"crossmark-restriction":true},"short-container-title":["Computers &amp; Security"],"published-print":{"date-parts":[[2026,11]]},"DOI":"10.1016\/j.cose.2026.105040","type":"journal-article","created":{"date-parts":[[2026,6,27]],"date-time":"2026-06-27T15:42:31Z","timestamp":1782574951000},"page":"105040","update-policy":"https:\/\/doi.org\/10.1016\/elsevier_cm_policy","source":"Crossref","is-referenced-by-count":0,"special_numbering":"C","title":["Extending the ATT&amp;CK coverage of logical attack graphs"],"prefix":"10.1016","volume":"170","author":[{"ORCID":"https:\/\/orcid.org\/0000-0001-7745-1377","authenticated-orcid":false,"given":"David","family":"Tayouri","sequence":"first","affiliation":[],"role":[{"vocabulary":"crossref","role":"author"}]},{"given":"Nick","family":"Baum","sequence":"additional","affiliation":[],"role":[{"vocabulary":"crossref","role":"author"}]},{"given":"Alina","family":"Marchenko","sequence":"additional","affiliation":[],"role":[{"vocabulary":"crossref","role":"author"}]},{"ORCID":"https:\/\/orcid.org\/0009-0008-7904-2452","authenticated-orcid":false,"given":"Ortal","family":"Lavi","sequence":"additional","affiliation":[],"role":[{"vocabulary":"crossref","role":"author"}]},{"given":"Asaf","family":"Shabtai","sequence":"additional","affiliation":[],"role":[{"vocabulary":"crossref","role":"author"}]},{"ORCID":"https:\/\/orcid.org\/0000-0002-7229-3899","authenticated-orcid":false,"given":"Rami","family":"Puzis","sequence":"additional","affiliation":[],"role":[{"vocabulary":"crossref","role":"author"}]}],"member":"78","reference":[{"key":"10.1016\/j.cose.2026.105040_b1","doi-asserted-by":"crossref","first-page":"1","DOI":"10.9790\/4200-14040110","article-title":"Intelligent threat detection and response systems for safeguarding cloud-hosted electronic health records from cyber attacks","volume":"14","author":"Akinola","year":"2024","journal-title":"IOSR J. VLSI Signal Process. (IOSR-JVSP)"},{"key":"10.1016\/j.cose.2026.105040_b2","series-title":"2023 Eighth International Conference on Mobile and Secure Services (MobiSecServ)","first-page":"1","article-title":"An attack scenario reconstruction approach using alerts correlation and a dynamic attack graph","author":"Alrehaili","year":"2023"},{"key":"10.1016\/j.cose.2026.105040_b3","article-title":"MITRE att&ck as a framework for cloud threat investigation","author":"Basra","year":"2020","journal-title":"Cent. Long-Term Cybersecur. (CLTC): Berkeley, Italy"},{"issue":"4","key":"10.1016\/j.cose.2026.105040_b4","doi-asserted-by":"crossref","first-page":"220","DOI":"10.1002\/prs.680220408","article-title":"An asset-based approach for industrial cyber security vulnerability analysis","volume":"22","author":"Baybutt","year":"2003","journal-title":"Process. Saf. Prog."},{"key":"10.1016\/j.cose.2026.105040_b5","series-title":"2009 IEEE 17th International Conference on Program Comprehension","first-page":"158","article-title":"To camelcase or under_score","author":"Binkley","year":"2009"},{"key":"10.1016\/j.cose.2026.105040_b6","doi-asserted-by":"crossref","unstructured":"Binyamini, H., Bitton, R., Inokuchi, M., Yagyu, T., Elovici, Y., Shabtai, A., 2021. A Framework for Modeling Cyber Attack Techniques from Security Vulnerability Descriptions. In: Proceedings of the 27th ACM SIGKDD Conference on Knowledge Discovery & Data Mining. pp. 2574\u20132583.","DOI":"10.1145\/3447548.3467159"},{"key":"10.1016\/j.cose.2026.105040_b7","series-title":"2023 3rd International Conference on Advance Computing and Innovative Technologies in Engineering","first-page":"2411","article-title":"Threat evaluation of enterprise utilizations via graphical modeling","author":"Chandna","year":"2023"},{"key":"10.1016\/j.cose.2026.105040_b8","series-title":"2024 16th International Conference on COMmunication Systems & NETworkS","first-page":"43","article-title":"A systematic study for understanding the security risks in 5G core network","author":"Dixit","year":"2024"},{"key":"10.1016\/j.cose.2026.105040_b9","series-title":"Fujitsu to highlight AI-powered network technologies at MWC Barcelona","author":"Fujitsu","year":"2025"},{"issue":"12","key":"10.1016\/j.cose.2026.105040_b10","doi-asserted-by":"crossref","first-page":"6","DOI":"10.1016\/S1361-3723(20)30127-5","article-title":"Understanding the full cost of cyber security breaches","volume":"2020","author":"Furnell","year":"2020","journal-title":"Comput. Fraud Secur."},{"key":"10.1016\/j.cose.2026.105040_b11","unstructured":"GPT4All, 0000. GPT4All Python SDK. [Online]. Available: https:\/\/docs.gpt4all.io\/gpt4all_python\/home.html."},{"key":"10.1016\/j.cose.2026.105040_b12","series-title":"Fault tree handbook","author":"Haasl","year":"1981"},{"key":"10.1016\/j.cose.2026.105040_b13","doi-asserted-by":"crossref","first-page":"1","DOI":"10.1016\/j.cosrev.2017.09.001","article-title":"A survey on the usability and practical applications of graphical security models","volume":"26","author":"Hong","year":"2017","journal-title":"Comput. Sci. Rev."},{"issue":"1","key":"10.1016\/j.cose.2026.105040_b14","first-page":"80","article-title":"Intelligence-driven computer network defense informed by analysis of adversary campaigns and intrusion kill chains","volume":"1","author":"Hutchins","year":"2011","journal-title":"Lead. Issues Inf. Warf. Secur. Res."},{"key":"10.1016\/j.cose.2026.105040_b15","doi-asserted-by":"crossref","unstructured":"Iannacone, M., Bohn, S., Nakamura, G., Gerth, J., Huffer, K., Bridges, R., Ferragut, E., Goodall, J., 2015. Developing an ontology for cyber security knowledge graphs. In: Proceedings of the 10th Annual Cyber and Information Security Research Conference. pp. 1\u20134.","DOI":"10.1145\/2746266.2746278"},{"key":"10.1016\/j.cose.2026.105040_b16","doi-asserted-by":"crossref","unstructured":"Inokuchi, M., Ohta, Y., Kinoshita, S., Yagyu, T., Stan, O., Bitton, R., Elovici, Y., Shabtai, A., 2019. Design Procedure of Knowledge Base for Practical Attack Graph Generation. In: Proceedings of the 2019 ACM Asia Conference on Computer and Communications Security. pp. 594\u2013601.","DOI":"10.1145\/3321705.3329853"},{"key":"10.1016\/j.cose.2026.105040_b17","series-title":"Cyber security breaches survey 2020","author":"Johns","year":"2020"},{"key":"10.1016\/j.cose.2026.105040_b18","first-page":"1","article-title":"Enhancing cloud security: harnessing bayesian game theory for a dynamic defense mechanism","author":"Kandoussi","year":"2024","journal-title":"Clust. Comput."},{"key":"10.1016\/j.cose.2026.105040_b19","series-title":"IFIP Working Conference on the Practice of Enterprise Modeling","first-page":"1","article-title":"Comparing two techniques for intrusion visualization","author":"Katta","year":"2010"},{"key":"10.1016\/j.cose.2026.105040_b20","series-title":"Computer and Network Security Essentials","first-page":"585","article-title":"A cognitive and concurrent cyber kill chain model","author":"Khan","year":"2018"},{"key":"10.1016\/j.cose.2026.105040_b21","series-title":"The security risk assessment handbook: A complete guide for performing security risk assessments","author":"Landoll","year":"2005"},{"key":"10.1016\/j.cose.2026.105040_b22","series-title":"2024 IEEE International Systems Conference (SysCon)","first-page":"1","article-title":"Towards developing a scalable cyber risk assessment and mitigation framework","author":"Malik","year":"2024"},{"key":"10.1016\/j.cose.2026.105040_b23","series-title":"2020 International Conference on Cyber Security and Protection of Digital Services (Cyber Security)","first-page":"1","article-title":"Automated vulnerability testing via executable attack graphs","author":"Malzahn","year":"2020"},{"key":"10.1016\/j.cose.2026.105040_b24","unstructured":"Meta, 0000. Llama 3.1. [Online]. Available: https:\/\/llama.meta.com\/."},{"key":"10.1016\/j.cose.2026.105040_b25","series-title":"Code llama: Open foundation models for code","author":"Meta","year":"2023"},{"key":"10.1016\/j.cose.2026.105040_b26","series-title":"Orca 2: Teaching small language models how to reason","author":"Microsoft Research","year":"2023"},{"key":"10.1016\/j.cose.2026.105040_b27","unstructured":"MITRE, 0000a. MITRE ATT&CK Web Site. [Online]. Available: https:\/\/attack.mitre.org\/."},{"key":"10.1016\/j.cose.2026.105040_b28","unstructured":"MITRE, 0000b. MITRE ATT&CK Technique T1070 Indicator Removal. [Online]. Available: https:\/\/attack.mitre.org\/techniques\/T1070\/."},{"key":"10.1016\/j.cose.2026.105040_b29","unstructured":"MITRE, 0000c. APT29 Operational Flow. [Online]. Available: https:\/\/attackevals.mitre-engenuity.org\/enterprise\/apt29\/operational-flow."},{"key":"10.1016\/j.cose.2026.105040_b30","unstructured":"MITRE, 0000d. MITRE ATT&CK Technique T1072 Software Deployment Tools. [Online]. Available: https:\/\/attack.mitre.org\/techniques\/T1072\/."},{"key":"10.1016\/j.cose.2026.105040_b31","unstructured":"MITRE, 0000e. MITRE ATT&CK Sub-technique T1070.009 Clear Persistence. [Online]. Available: https:\/\/attack.mitre.org\/techniques\/T1070\/009\/."},{"key":"10.1016\/j.cose.2026.105040_b32","unstructured":"MITRE, 0000f. MITRE ATT&CK Technique T1189 Drive-by Compromise. [Online]. Available: https:\/\/attack.mitre.org\/techniques\/T1189\/."},{"key":"10.1016\/j.cose.2026.105040_b33","unstructured":"MITRE, 0000g. MITRE ATT&CK Technique T1021 Remote Services. [Online]. Available: https:\/\/attack.mitre.org\/techniques\/T1021\/."},{"key":"10.1016\/j.cose.2026.105040_b34","unstructured":"MITRE, 0000h. MITRE ATT&CK Technique T1047 Windows Management Instrumentation. [Online]. Available: https:\/\/attack.mitre.org\/techniques\/T1047\/."},{"key":"10.1016\/j.cose.2026.105040_b35","unstructured":"MITRE, 0000i. MITRE ATT&CK Technique T1052 Exfiltration Over Physical Medium. [Online]. Available: https:\/\/attack.mitre.org\/techniques\/T1052\/."},{"key":"10.1016\/j.cose.2026.105040_b36","unstructured":"MITRE, 0000j. MITRE ATT&CK Technique T1560 Archive Collected Data. [Online]. Available: https:\/\/attack.mitre.org\/techniques\/T1560\/."},{"key":"10.1016\/j.cose.2026.105040_b37","unstructured":"MITRE, 0000k. MITRE ATT&CK Contribute. [Online]. Available: https:\/\/attack.mitre.org\/resources\/contribute\/."},{"key":"10.1016\/j.cose.2026.105040_b38","unstructured":"OpenAI, 0000. GPT4. [Online]. Available: https:\/\/openai.com\/index\/gpt-4\/."},{"key":"10.1016\/j.cose.2026.105040_b39","series-title":"A Logic-Programming Approach to Network Security Analysis","author":"Ou","year":"2005"},{"key":"10.1016\/j.cose.2026.105040_b40","series-title":"Proceedings of the 13th ACM Conference on Computer and Communications Security","first-page":"336","article-title":"A scalable approach to attack graph generation","author":"Ou","year":"2006"},{"key":"10.1016\/j.cose.2026.105040_b41","doi-asserted-by":"crossref","unstructured":"Phillips, C., Swiler, L.P., 1998. A graph-based system for network-vulnerability analysis. In: Proceedings of the 1998 Workshop on New Security Paradigms. pp. 71\u201379.","DOI":"10.1145\/310889.310919"},{"key":"10.1016\/j.cose.2026.105040_b42","unstructured":"Research, N., 0000. Nous Research. [Online]. Available: https:\/\/nousresearch.com\/."},{"issue":"05","key":"10.1016\/j.cose.2026.105040_b43","first-page":"1","article-title":"A comprehensive review of artificial intelligence applications in enhancing cybersecurity threat detection and response mechanisms","volume":"3","author":"Sankaram","year":"2024","journal-title":"Glob. Mainstream J. Bus. Econ. Dev. Proj. Manag."},{"key":"10.1016\/j.cose.2026.105040_b44","series-title":"2023 International Conference on Smart Energy Systems and Technologies","first-page":"1","article-title":"Investigation of multi-stage attack and defense simulation for data synthesis","author":"Sen","year":"2023"},{"key":"10.1016\/j.cose.2026.105040_b45","first-page":"1","article-title":"An efficient cyber threat prediction using a novel artificial intelligence technique","author":"Sharma","year":"2024","journal-title":"Multimedia Tools Appl."},{"key":"10.1016\/j.cose.2026.105040_b46","series-title":"Threat modeling: 12 available methods","author":"Shevchenko","year":"2018"},{"key":"10.1016\/j.cose.2026.105040_b47","article-title":"Mitre att&ck: Design and philosophy","author":"Strom","year":"2018","journal-title":"Tech. Rep."},{"key":"10.1016\/j.cose.2026.105040_b48","unstructured":"Tayouri, D., Baum, N., Shabtai, A., Puzis, R., 0000. APT29 GitHub. [Online]. Available: https:\/\/github.com\/ozzycore\/apt29-modeling."},{"key":"10.1016\/j.cose.2026.105040_b49","first-page":"1","article-title":"A survey of mulval extensions and their attack scenarios coverage","author":"Tayouri","year":"2023","journal-title":"IEEE Access"},{"key":"10.1016\/j.cose.2026.105040_b50","series-title":"2020 IEEE 10th International Conference on Electronics Information and Emergency Communication","first-page":"289","article-title":"CVSS-based multi-factor dynamic risk assessment model for network system","author":"Wang","year":"2020"},{"key":"10.1016\/j.cose.2026.105040_b51","unstructured":"Xinming (Simon) Ou, D.S.Z., 0000.MulVAL: A logic-based enterprise network security analyzer. [Online]. Available: http:\/\/www.arguslab.org\/software\/mulval.html\/."},{"issue":"16","key":"10.1016\/j.cose.2026.105040_b52","doi-asserted-by":"crossref","first-page":"9467","DOI":"10.3390\/app13169467","article-title":"Deep reinforcement learning for intelligent penetration testing path design","volume":"13","author":"Yi","year":"2023","journal-title":"Appl. Sci."},{"key":"10.1016\/j.cose.2026.105040_b53","series-title":"2013 International Conference on Anti-Counterfeiting, Security and Identification","first-page":"1","article-title":"Overview on attack graph generation and visualization technology","author":"Yi","year":"2013"}],"container-title":["Computers &amp; Security"],"original-title":[],"language":"en","link":[{"URL":"https:\/\/api.elsevier.com\/content\/article\/PII:S0167404826002166?httpAccept=text\/xml","content-type":"text\/xml","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/api.elsevier.com\/content\/article\/PII:S0167404826002166?httpAccept=text\/plain","content-type":"text\/plain","content-version":"vor","intended-application":"text-mining"}],"deposited":{"date-parts":[[2026,7,13]],"date-time":"2026-07-13T17:13:47Z","timestamp":1783962827000},"score":1,"resource":{"primary":{"URL":"https:\/\/linkinghub.elsevier.com\/retrieve\/pii\/S0167404826002166"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2026,11]]},"references-count":53,"alternative-id":["S0167404826002166"],"URL":"https:\/\/doi.org\/10.1016\/j.cose.2026.105040","relation":{},"ISSN":["0167-4048"],"issn-type":[{"value":"0167-4048","type":"print"}],"subject":[],"published":{"date-parts":[[2026,11]]},"assertion":[{"value":"Elsevier","name":"publisher","label":"This article is maintained by"},{"value":"Extending the ATT&CK coverage of logical attack graphs","name":"articletitle","label":"Article Title"},{"value":"Computers & Security","name":"journaltitle","label":"Journal Title"},{"value":"https:\/\/doi.org\/10.1016\/j.cose.2026.105040","name":"articlelink","label":"CrossRef DOI link to publisher maintained version"},{"value":"article","name":"content_type","label":"Content Type"},{"value":"\u00a9 2026 The Authors. Published by Elsevier Ltd.","name":"copyright","label":"Copyright"}],"article-number":"105040"}}