Identifying Adversaries’ Signatures Using Knowledge Representations of Cyberattack Techniques on Cloud Infrastructure


  • Gilliam Van der Merwe Stellenbosch University
  • Muller University of Stellenbosch
  • Wilhelm van der Merwe University of Stellenbosch
  • Dewald Blaauw University of Stellenbosch



cloud infrastructure, cybersecurity, knowledge representation, advanced persistent threats


Advanced Persistent Threats (APTs) have increased in parallel to growing cloud infrastructure and cloud Software-as-a-Service (SaaS) needs, exposing new vulnerabilities within the cloud environment. Moreover, APT groups are becoming more sophisticated and organised which needs to be addressed by the research community to enable faster response and more importantly, prevent threats within the domain. The MITRE ATT&CK Cloud framework offers one of the leading structured inventories within this context. Our research is to expose patterns and signatures of a select group of APT’s on the MITRE Cloud Framework by using Formal Concept Analysis (FCA) to construct a “lattice graph” and an ontology. The goal is to develop a better conceptualisation of the MITRE ATT&CK Cloud Matrix framework for cyber security experts to be able to proactively act upon adversary techniques. The MITRE ATT&CK framework was retrieved, cleaned, and pre-processed to construct the lattice and ontology using data cleaning methods, FCA tools such as Concept Explorer, and the Web Ontology Language (OWL), with additional symbolic reasoning and inference generation. This resulted in knowledge representations/graphs, which are highly efficient representations of this knowledge field. The underlying linkages between techniques and targets specific to those APTs are further exposed and enriched and presented visually and integrated into the ontology. The ontology gives formalisation to associations and implications between techniques, tactics, and APTs – enabling cyber security practitioners to forecast potential targets and techniques based on their scenario, but also to attribute certain technique patterns and signatures to individual APTs. Cyber security practitioners can query from this knowledge graph and formulate strategic proactive measures. From these findings, the applications and constraints of the APTs’ cyber-attack techniques and their associated patterns were determined. The findings provide a guideline for future additional research in the field of AI knowledge representation in cybersecurity, as well as highlighting certain limitations in this field of research.