Saved in:
Bibliographic Details
Main Authors: Rani, Nanda, Shukla, Sandeep Kumar
Format: Preprint
Published: 2025
Subjects:
Online Access:https://arxiv.org/abs/2506.10175
Tags: Add Tag
No Tags, Be the first to tag this record!
_version_ 1866909646283866112
author Rani, Nanda
Shukla, Sandeep Kumar
author_facet Rani, Nanda
Shukla, Sandeep Kumar
contents Effective attribution of Advanced Persistent Threats (APTs) increasingly hinges on the ability to correlate behavioral patterns and reason over complex, varied threat intelligence artifacts. We present AURA (Attribution Using Retrieval-Augmented Agents), a multi-agent, knowledge-enhanced framework for automated and interpretable APT attribution. AURA ingests diverse threat data including Tactics, Techniques, and Procedures (TTPs), Indicators of Compromise (IoCs), malware details, adversarial tools, and temporal information, which are processed through a network of collaborative agents. These agents are designed for intelligent query rewriting, context-enriched retrieval from structured threat knowledge bases, and natural language justification of attribution decisions. By combining Retrieval-Augmented Generation (RAG) with Large Language Models (LLMs), AURA enables contextual linking of threat behaviors to known APT groups and supports traceable reasoning across multiple attack phases. Experiments on recent APT campaigns demonstrate AURA's high attribution consistency, expert-aligned justifications, and scalability. This work establishes AURA as a promising direction for advancing transparent, data-driven, and scalable threat attribution using multi-agent intelligence.
format Preprint
id arxiv_https___arxiv_org_abs_2506_10175
institution arXiv
publishDate 2025
record_format arxiv
spellingShingle AURA: A Multi-Agent Intelligence Framework for Knowledge-Enhanced Cyber Threat Attribution
Rani, Nanda
Shukla, Sandeep Kumar
Cryptography and Security
Effective attribution of Advanced Persistent Threats (APTs) increasingly hinges on the ability to correlate behavioral patterns and reason over complex, varied threat intelligence artifacts. We present AURA (Attribution Using Retrieval-Augmented Agents), a multi-agent, knowledge-enhanced framework for automated and interpretable APT attribution. AURA ingests diverse threat data including Tactics, Techniques, and Procedures (TTPs), Indicators of Compromise (IoCs), malware details, adversarial tools, and temporal information, which are processed through a network of collaborative agents. These agents are designed for intelligent query rewriting, context-enriched retrieval from structured threat knowledge bases, and natural language justification of attribution decisions. By combining Retrieval-Augmented Generation (RAG) with Large Language Models (LLMs), AURA enables contextual linking of threat behaviors to known APT groups and supports traceable reasoning across multiple attack phases. Experiments on recent APT campaigns demonstrate AURA's high attribution consistency, expert-aligned justifications, and scalability. This work establishes AURA as a promising direction for advancing transparent, data-driven, and scalable threat attribution using multi-agent intelligence.
title AURA: A Multi-Agent Intelligence Framework for Knowledge-Enhanced Cyber Threat Attribution
topic Cryptography and Security
url https://arxiv.org/abs/2506.10175