Categorization and Risk Assessment of Cyber-Attack Chains: Sub-Chain Approach Using LSTM for Predictive Modeling

Research Article (preprint on Research Square)
Authors: Parham Rajab nezhad (Shahed University), Shahriar Bijani (Shahed University, corresponding author)
This is a preprint; it has not been peer reviewed by a journal.
DOI: https://doi.org/10.21203/rs.3.rs-9472866/v1
License: CC BY 4.0
Status: Under Review. Version 1 posted April 30th, 2026 (you are reading the latest preprint version).
Submitted to: Journal of Computer Virology and Hacking Techniques

Abstract

This paper proposes a novel framework for the analysis, classification, and risk prediction of cyber-attack chains, addressing a limitation of existing ATT&CK-based detection methods: they overlook the sequential dependencies between techniques and the evolving risk of advanced persistent threat (APT) campaigns. The framework defines the conditions under which an attack chain forms, constructs structured representations of chains, and categorizes them into distinct classes for enhanced interpretability.

Probabilistic risk values for sequences of MITRE ATT&CK techniques are computed using a first-order Markov model, integrating each technique's impact score and mitigation effectiveness to produce quantitative risk assessments. These continuous risk scores are then modeled with a Long Short-Term Memory (LSTM) network to predict future risk, and the predictions are transformed into discrete, interpretable categories through K-Means clustering. Experiments on real-world attack datasets demonstrate high predictive accuracy and effective multi-class discrimination, enabling early detection, informed risk prioritization, and proactive defense in complex cyber threat environments. This approach bridges the gap between probabilistic risk assessment and deep sequential modeling, providing actionable insights for Security Operation Centers (SOCs).

Keywords: LSTM, Risk Assessment, Cyber-Attack Chains, MITRE ATT&CK, First-order Markov chain

Full Text: PDF (RiskAssessmentofCyberAttackChains.pdf), available via the Download PDF link.

Additional Declarations: No competing interests reported.

Editorial timeline at the journal (Journal of Computer Virology and Hacking Techniques)
Reviews received at journal: 11 May, 2026
Reviews received at journal: 26 Apr, 2026
Reviewers agreed at journal: 25 Apr, 2026
Reviewers agreed at journal: 25 Apr, 2026
Reviewers agreed at journal: 23 Apr, 2026
Reviewers agreed at journal: 23 Apr, 2026
Reviewers invited by journal: 22 Apr, 2026
Editor assigned by journal: 22 Apr, 2026
Submission checks completed at journal: 22 Apr, 2026
First submitted to journal: 20 Apr, 2026
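The abstract describes the first stage of the pipeline: a first-order Markov model over ATT&CK technique sequences whose transition probabilities are combined with each technique's impact score and mitigation effectiveness to yield a risk value for a chain and for each of its sub-chains (prefixes). The following Python block is an added illustration written for this page; it is not the authors' code and the paper's exact scoring formula is not stated in the abstract, so the combination rule (per-step risk = transition probability x impact x (1 - mitigation), accumulated as 1 - prod(1 - r_i)), the sample incident sequences, and the impact/mitigation tables are all assumptions constructed for the example. The technique IDs are real ATT&CK identifiers; the LSTM and K-Means stages of the paper are not reproduced here.

```python
from collections import Counter, defaultdict

# Constructed training data: technique sequences from past incidents, each a
# list of MITRE ATT&CK technique IDs in the order they were observed.
# Sample values for this example only; not taken from the paper.
SEQUENCES = [
    ["T1566", "T1059", "T1078", "T1021", "T1041"],  # phishing -> scripting -> valid accounts -> remote services -> exfil over C2
    ["T1566", "T1059", "T1021", "T1486"],           # ... -> remote services -> data encrypted for impact
    ["T1078", "T1021", "T1041"],
    ["T1566", "T1059", "T1078", "T1021", "T1486"],
]

# Per-technique impact score and mitigation effectiveness, both in [0, 1].
# Assumed sample values, not the paper's.
IMPACT = {"T1566": 0.3, "T1059": 0.5, "T1078": 0.6, "T1021": 0.6, "T1041": 0.8, "T1486": 1.0}
MITIGATION = {"T1566": 0.5, "T1059": 0.4, "T1078": 0.5, "T1021": 0.5, "T1041": 0.25, "T1486": 0.2}


def fit_markov(sequences):
    """Maximum-likelihood first-order Markov model.

    Returns (initial distribution, transition probabilities) estimated by
    counting: P(next | current) = count(current -> next) / count(current -> *).
    Transitions never seen in the training data get no entry, i.e. probability 0.
    """
    initial = Counter(seq[0] for seq in sequences if seq)
    transitions = defaultdict(Counter)
    for seq in sequences:
        for prev, nxt in zip(seq, seq[1:]):
            transitions[prev][nxt] += 1
    n_seq = sum(initial.values())
    init_p = {t: c / n_seq for t, c in initial.items()}
    trans_p = {
        prev: {nxt: c / sum(row.values()) for nxt, c in row.items()}
        for prev, row in transitions.items()
    }
    return init_p, trans_p


def step_risk(prob, technique):
    """Assumed per-step risk: likelihood of the step times its unmitigated impact.

    A technique with no impact data is treated conservatively (full impact,
    no mitigation) so that missing data raises rather than hides risk.
    """
    return prob * IMPACT.get(technique, 1.0) * (1.0 - MITIGATION.get(technique, 0.0))


def risk_trajectory(chain, init_p, trans_p):
    """Risk score after each prefix (sub-chain) of the chain.

    Per-step risks are combined as 1 - prod(1 - r_i), which stays in [0, 1]
    and is non-decreasing along the chain. The resulting series is the kind of
    continuous risk signal a sequence model such as an LSTM would be trained on.
    An unseen first technique or an unseen transition contributes zero risk,
    which is the main caveat of an unsmoothed first-order model.
    """
    scores = []
    survive = 1.0
    for i, tech in enumerate(chain):
        if i == 0:
            p = init_p.get(tech, 0.0)
        else:
            p = trans_p.get(chain[i - 1], {}).get(tech, 0.0)
        survive *= 1.0 - step_risk(p, tech)
        scores.append(1.0 - survive)
    return scores


if __name__ == "__main__":
    init_p, trans_p = fit_markov(SEQUENCES)
    for chain in SEQUENCES[:2]:
        print(chain, [round(s, 4) for s in risk_trajectory(chain, init_p, trans_p)])
```

The trajectory for the first constructed chain rises from about 0.11 after the phishing step to about 0.76 after exfiltration, while a chain that the model never saw start with T1041 scores zero throughout; in practice that second behaviour is why transition smoothing or a fallback prior is worth considering before feeding such scores to a downstream model.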