Title: A survey of cyber threat attribution: Challenges, techniques, and future directions
Authors: Nilantha Prasad, Abebe Diro, Matthew Warren, Mahesh Fernando
Journal: Computers & Security, volume 157, Article 104606
DOI: 10.1016/j.cose.2025.104606
Publication date: 2025-08-07
Publication type: Journal Article
URL: https://www.sciencedirect.com/science/article/pii/S0167404825002950
Citation count: 0
Abstract
The escalating sophistication of cyberattacks, exemplified by supply chain compromises, AI-driven obfuscation, and politically motivated campaigns, makes accurate attribution a critical yet elusive challenge for national security and economic stability. The inability to reliably trace attacks to their source undermines deterrence, distorts policy responses, and erodes trust in digital ecosystems. Traditional methods struggle with the sheer volume of digital evidence, rapidly evolving adversary tactics, and the inherent complexities of cross-border operations. Moreover, existing literature often provides fragmented analyses, focuses narrowly on cyber threat intelligence sharing or specific threat types, or predates significant advancements in AI/ML tailored for attribution. This survey offers a comprehensive, interdisciplinary review of cyber threat attribution, bridging these critical gaps by systematically analyzing its multifaceted dimensions: technical, legal, geopolitical, social, and economic. Employing a rigorous, PRISMA-ScR-compliant methodology that included structured screening and quality assessment across six major databases, we critically appraise current techniques and identify a paradigm shift toward data-driven, intelligent approaches. A key contribution is our novel taxonomy, which structures attribution research by attribution confidence & granularity (the Level of attribution), analytical domains (the “How” and “Where” of evidence processing) and adversarial motivation & profile (the “Why” and “Who”), providing a crucial framework for systematic cross-study comparisons in a complex field. Our findings underscore the transformative potential of emerging AI/ML techniques, particularly graph neural networks, in automating analysis, identifying subtle patterns, and extracting crucial insights from vast datasets, thereby revolutionizing attribution accuracy. This research provides actionable insights for practitioners and policymakers, offering a comprehensive roadmap to advance cyber defense and foster a more resilient and secure global digital ecosystem.
Journal introduction:
Computers & Security is the most respected technical journal in the IT security field. With its high-profile editorial board and informative regular features and columns, the journal is essential reading for IT security professionals around the world.
Computers & Security provides you with a unique blend of leading-edge research and sound practical management advice. It is aimed at the professional involved with computer security, audit, control and data integrity in all sectors: industry, commerce and academia. Recognized worldwide as THE primary source of reference for applied research and technical expertise, it is your first step to fully secure systems.