ATTAXML: Behaviour-Based Prediction of MITRE ATT&CK Techniques in Ransomware with Extreme Multi-label Learning
摘要
Ransomware remains a critical cybersecurity threat, requiring more than binary detection to support timely, effective responses. This paper introduces ATTAXML, a framework that applies extreme multi-label learning (XML) to predict the MITRE ATT&CK techniques exhibited by ransomware, based on behavioural analysis. Unlike conventional detection methods that provide only a binary or multiclass classification, ATTAXML outputs a tactical profile of techniques aligned with the ATT&CK framework, offering greater situational awareness. We evaluate ATTAXML using MLRan, a real-world behavioural ransomware dataset comprising dynamic features such as API calls, file operations, and registry activity. The study addresses two research questions: (RQ1) how accurately XML models can predict ATT&CK techniques from behavioural traces, and (RQ2) which types of features are most informative for different techniques and tactics. Using standard multi-label metrics, our best model achieves a Precision@5 of 81.33% and an nDCG@5 of 91.59%, indicating that most of the top-ranked predicted techniques match the true observed behaviours. Importantly, the framework consistently identifies key ransomware behaviours (including backup inhibition and file encryption) and maps them to high-impact ATT&CK tactics such as Defence Evasion and Impact. Feature–technique analysis shows that registry access, mass file changes, and API misuse are strong predictors of specific adversarial techniques. To the best of our knowledge, ATTAXML is the first application of XML to predicting ATT&CK techniques in ransomware. It delivers interpretable, technique-level outputs from behavioural data, supporting more informed incident response and automated threat profiling. Source code is publicly available at https://github.com/faithfulco/ATTAXML .