APT Attack Inference and Multidimensional Visual Representation | Research Square window.SnipcartSettings = { analytics: { enabled: false } }; (function() { var accessVector = localStorage.getItem('access_vector') || ''; window.dataLayer = window.dataLayer || []; if (accessVector) { window.dataLayer.push({ user: { profile: { profileInfo: { snid: accessVector } } } }); } })(); (function(w,d,s,l,i){w[l]=w[l]||[];w[l].push({'gtm.start':new Date().getTime(),event:'gtm.js'});var f=d.getElementsByTagName(s)[0],j=d.createElement(s),dl=l!='dataLayer'?'&l='+l:'';j.async=true;j.src='https://www.googletagmanager.com/gtm.js?id='+i+dl;f.parentNode.insertBefore(j,f);})(window,document,'script','dataLayer','GTM-K279D39R'); Browse Preprints In Review Journals COVID-19 Preprints AJE Video Bytes Research Tools Research Promotion AJE Professional Editing AJE Rubriq About Preprint Platform In Review Editorial Policies Our Team Advisory Board Help Center Sign In Submit a Preprint Cite Share Download PDF Research Article APT Attack Inference and Multidimensional Visual Representation Weiwu Ren, Mingqi Xia, Qi Zhang, Cong Liang This is a preprint; it has not been peer reviewed by a journal. https://doi.org/ 10.21203/rs.3.rs-8631020/v1 This work is licensed under a CC BY 4.0 License Status: Posted Version 1 posted You are reading this latest preprint version Abstract With the continuous growth of threat intelligence data and the increasing complexity of attack chains, attributing Advanced Persistent Threat (APT) attacks to specific organizations and validating attack behaviors have become challenging due to the limited interpretability and credibility of prediction results. Although graph-based APT organization prediction methods are capable of modeling the relationships among attack entities, their outputs still require further verification and analysis in the context of real-world attack scenarios. To address this issue, this paper builds upon the AARGS model for APT organization prediction and introduces a large language model to perform semantic reasoning and high-level relationship completion on the predicted results. By automatically parsing and reasoning over attack behaviors described in real threat intelligence texts, a comprehensive semantic representation of the attack chain is constructed and systematically compared with the model’s prediction outcomes. Furthermore, three-dimensional reconstruction of attack chains, together with temporal evolution and geographic propagation visualizations, is employed to intuitively present and analyze the dynamic evolution of attack paths. Experimental results demonstrate that the proposed approach effectively enhances the interpretability and reliability of APT attribution results, providing strong support for APT traceability analysis and informed defense decision-making. APT Attacks Attack Chain Modeling Large Language Model Reasoning Visual Analytics Full Text Additional Declarations No competing interests reported. Cite Share Download PDF Status: Posted Version 1 posted You are reading this latest preprint version Research Square lets you share your work early, gain feedback from the community, and start making changes to your manuscript prior to peer review in a journal. As a division of Research Square Company, we’re committed to making research communication faster, fairer, and more useful. We do this by developing innovative software and high quality services for the global research community. Our growing team is made up of researchers and industry professionals working together to solve the most critical problems facing scientific publishing. Also discoverable on Platform About Our Team In Review Editorial Policies Advisory Board Help Center Resources Author Services Accessibility API Access RSS feed Manage Cookie Preferences © Research Square 2026 | ISSN 2693-5015 (online) Privacy Policy Terms of Service Do Not Sell My Personal Information {"props":{"pageProps":{"initialData":{"identity":"rs-8631020","acceptedTermsAndConditions":true,"allowDirectSubmit":true,"archivedVersions":[],"articleType":"Research Article","associatedPublications":[],"authors":[{"id":585379625,"identity":"ab105861-072f-47c0-b389-c7732e57bed1","order_by":0,"name":"Weiwu Ren","email":"","orcid":"","institution":"Changchun University of Science and Technology","correspondingAuthor":false,"prefix":"","firstName":"Weiwu","middleName":"","lastName":"Ren","suffix":""},{"id":585379626,"identity":"60a71225-d6de-4063-865a-8725aaf565fb","order_by":1,"name":"Mingqi Xia","email":"","orcid":"","institution":"Changchun University of Science and Technology","correspondingAuthor":false,"prefix":"","firstName":"Mingqi","middleName":"","lastName":"Xia","suffix":""},{"id":585379627,"identity":"0f4d823e-5b63-434e-97d4-148213b8c8b0","order_by":2,"name":"Qi Zhang","email":"data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAZAAAAAyAQMAAABI0h/eAAAABlBMVEX///8AAABVwtN+AAAACXBIWXMAAA7EAAAOxAGVKw4bAAAA30lEQVRIiWNgGAWjYDACCTD5T45N/vCBAx9+EK/lgDG/BFviwZk9JGhJnDmDx/gwBxsROuRnNz97+KXsDuOG2z0fDjPwMMjzix3Ar4VxzjFzY5lzz5gN7pzdcLjAgsFw5uwE/FqYJRLMpCXbmNkMDuRuODyDhyHB4DYBLWwS6d9AWngMDuQ8OMzDRoQWHokcM8mPbYclJGfkMBCnRUIip0ya4VyaAT/PMQNgIEsQ9ov8jPRtkj/KbOrb2Jsff/jww0aeX5qAFhBg5kFEhwRh5SDA+IOYGBwFo2AUjIKRCwBWR0cU5VMQWAAAAABJRU5ErkJggg==","orcid":"","institution":"Network Security Department of the Jilin Branch of the National Computer Network Emergency Response Center","correspondingAuthor":true,"prefix":"","firstName":"Qi","middleName":"","lastName":"Zhang","suffix":""},{"id":585379630,"identity":"65e3c58d-214e-475f-9727-2adb6a73d4f0","order_by":3,"name":"Cong Liang","email":"","orcid":"","institution":"Changchun University of Science and Technology","correspondingAuthor":false,"prefix":"","firstName":"Cong","middleName":"","lastName":"Liang","suffix":""}],"badges":[],"createdAt":"2026-01-18 11:53:15","currentVersionCode":1,"declarations":"","doi":"10.21203/rs.3.rs-8631020/v1","doiUrl":"https://doi.org/10.21203/rs.3.rs-8631020/v1","draftVersion":[],"editorialEvents":[],"editorialNote":"","failedWorkflow":false,"files":[{"id":102743104,"identity":"4a7674e9-dbd9-4ca7-a831-9efc4bc41bd4","added_by":"auto","created_at":"2026-02-16 08:12:15","extension":"pdf","order_by":1,"title":"","display":"","copyAsset":false,"role":"manuscript-pdf","size":6233058,"visible":true,"origin":"","legend":"","description":"","filename":"Manuscriptfile.pdf","url":"https://assets-eu.researchsquare.com/files/rs-8631020/v1_covered_6294e402-f024-4d3b-85c9-d5db246a78b9.pdf"}],"financialInterests":"No competing interests reported.","formattedTitle":"APT Attack Inference and Multidimensional Visual Representation","fulltext":[],"fulltextSource":"","fullText":"","funders":[],"hasAdminPriorityOnWorkflow":false,"hasManuscriptDocX":false,"hasOptedInToPreprint":true,"hasPassedJournalQc":"","hasAnyPriority":false,"hideJournal":true,"highlight":"","institution":"","isAcceptedByJournal":false,"isAuthorSuppliedPdf":true,"isDeskRejected":"","isHiddenFromSearch":false,"isInQc":false,"isInWorkflow":false,"isPdf":true,"isPdfUpToDate":true,"isWithdrawnOrRetracted":false,"journal":{"display":true,"email":"
[email protected]","identity":"researchsquare","isNatureJournal":false,"hasQc":true,"allowDirectSubmit":true,"externalIdentity":"","sideBox":"","snPcode":"","submissionUrl":"/submission","title":"Research Square","twitterHandle":"researchsquare","acdcEnabled":true,"dfaEnabled":false,"editorialSystem":"","reportingPortfolio":"","inReviewEnabled":false,"inReviewRevisionsEnabled":true},"keywords":"APT Attacks, Attack Chain Modeling, Large Language Model Reasoning, Visual Analytics","lastPublishedDoi":"10.21203/rs.3.rs-8631020/v1","lastPublishedDoiUrl":"https://doi.org/10.21203/rs.3.rs-8631020/v1","license":{"name":"CC BY 4.0","url":"https://creativecommons.org/licenses/by/4.0/"},"manuscriptAbstract":"With the continuous growth of threat intelligence data and the increasing complexity of attack chains, attributing Advanced Persistent Threat (APT) attacks to specific organizations and validating attack behaviors have become challenging due to the limited interpretability and credibility of prediction results. Although graph-based APT organization prediction methods are capable of modeling the relationships among attack entities, their outputs still require further verification and analysis in the context of real-world attack scenarios. To address this issue, this paper builds upon the AARGS model for APT organization prediction and introduces a large language model to perform semantic reasoning and high-level relationship completion on the predicted results. By automatically parsing and reasoning over attack behaviors described in real threat intelligence texts, a comprehensive semantic representation of the attack chain is constructed and systematically compared with the model’s prediction outcomes. Furthermore, three-dimensional reconstruction of attack chains, together with temporal evolution and geographic propagation visualizations, is employed to intuitively present and analyze the dynamic evolution of attack paths. Experimental results demonstrate that the proposed approach effectively enhances the interpretability and reliability of APT attribution results, providing strong support for APT traceability analysis and informed defense decision-making.","manuscriptTitle":"APT Attack Inference and Multidimensional Visual Representation","msid":"","msnumber":"","nonDraftVersions":[{"code":1,"date":"2026-02-04 11:56:01","doi":"10.21203/rs.3.rs-8631020/v1","editorialEvents":[{"type":"communityComments","content":0}],"status":"published","journal":{"display":true,"email":"
[email protected]","identity":"researchsquare","isNatureJournal":false,"hasQc":true,"allowDirectSubmit":true,"externalIdentity":"","sideBox":"","snPcode":"","submissionUrl":"/submission","title":"Research Square","twitterHandle":"researchsquare","acdcEnabled":true,"dfaEnabled":false,"editorialSystem":"","reportingPortfolio":"","inReviewEnabled":false,"inReviewRevisionsEnabled":true}}],"origin":"","ownerIdentity":"473f5f0c-7cae-4f8b-93c2-6ec0c8bfd732","owner":[],"postedDate":"February 4th, 2026","published":true,"recentEditorialEvents":[],"rejectedJournal":[],"revision":"","amendment":"","status":"posted","subjectAreas":[],"tags":[],"updatedAt":"2026-02-16T08:11:52+00:00","versionOfRecord":[],"versionCreatedAt":"2026-02-04 11:56:01","video":"","vorDoi":"","vorDoiUrl":"","workflowStages":[]},"version":"v1","identity":"rs-8631020","journalConfig":"researchsquare"},"__N_SSP":true},"page":"/article/[identity]/[[...version]]","query":{"redirect":"/article/rs-8631020","identity":"rs-8631020","version":["v1"]},"buildId":"XKTyCvWXoU3ODBz1xrDgd","isFallback":false,"isExperimentalCompile":false,"dynamicIds":[84888],"gssp":true,"scriptLoader":[]}
Text is read by the "Ask this paper" AI Q&A widget below.
Extraction quality varies by source — PMC NXML preserves structure
cleanly, OA-HTML may include some navigation residue, and OA-PDF can
have broken hyphenation. The publisher copy
(via DOI)
is the canonical version.