A knowledge extrapolation model for attack inference based on graph attention networks and relation mapping
摘要
With the rapid development of Internet technologies, complex attacks such as advanced persistent threats (APT) have become increasingly frequent. Attack knowledge reasoning has emerged as a critical technique for detecting and responding to such threats, enabling the inference of potential attack paths and supporting security decision-making. However, existing methods are mostly based on the closed-world assumption and adopt a single-step reasoning strategy, which makes it difficult to uncover the multi-hop relationships hidden in complex attack behaviors, and lacks the ability to model unknown entities and relationships. To address these challenges, this paper proposes an attack knowledge extrapolation model based on graph attention networks (GAT) and relation mapping. The model first constructs a mapping topology graph within a cybersecurity knowledge graph and leverages neighborhood structures to generate feature representations for unknown entities and relations. Then, it integrates graph attention mechanisms with residual connections to adaptively aggregate informative neighbor features, thereby enhancing the expressiveness of entity and relation embeddings. Finally, a scoring function is employed to infer and predict unknown attack-related entity–relation triples. Experiments conducted on several real-world cybersecurity datasets show that the proposed method substantially enhances performance on common evaluation metrics like mean reciprocal rank (MRR) and Hits@N, confirming its effectiveness and applicability in open-world attack knowledge reasoning tasks.