A Hybrid Approach Using Graph Neural Networks and LSTM for Attack Vector Reconstruction

Abstract

The escalating complexity of cyberattacks necessitates advanced strategies for their detection and mitigation. This study presents a hybrid model that integrates Graph Neural Networks (GNNs) with Long Short-Term Memory (LSTM) networks to reconstruct and predict attack vectors in cybersecurity. GNNs are employed to analyze the structural relationships within the MITRE ATT&CK framework, while LSTM networks are utilized to model the temporal dynamics of attack sequences, effectively capturing the evolution of cyber threats. The combined approach harnesses the complementary strengths of these methods to deliver precise, interpretable, and adaptable solutions for addressing cybersecurity challenges. Experimental evaluation on the CICIDS2017 dataset reveals the model’s strong performance, achieving an Area Under the Curve (AUC) of 0.99 on both balanced and imbalanced test sets, an F1-score of 0.85 for technique prediction, and a Mean Squared Error (MSE) of 0.05 for risk assessment. These findings underscore the model’s capability to accurately reconstruct attack paths and forecast future techniques, offering a promising avenue for strengthening proactive defense mechanisms against evolving cyber threats.

1. Introduction

The dynamic and evolving nature of cyberattacks, employing sophisticated vectors and zero-day vulnerabilities, renders traditional cybersecurity defenses inadequate [1,2]. The escalating frequency and impact of breaches necessitate advanced prediction methods beyond reactive detection [1]. Modern breaches often bypass defensive layers of the NIST framework [2], exploiting complex attack vectors, with zero-day vulnerabilities, for example, exploited for an average of 312 days before detection [3]. This urgency underscores the transformative role of artificial intelligence (AI) in cybersecurity [4]. Unlike traditional rule-based or signature-based systems, AI adapts to new threats by analyzing vast datasets to detect patterns and predict attacker behaviors [5,6]. Our proposed solution is a hybrid approach combining Graph Neural Networks (GNNs) and Long Short-Term Memory (LSTM) networks. GNNs excel at analyzing graph-structured data inherent in cybersecurity (e.g., MITRE ATT&CK framework [7]), uncovering hidden patterns in attack relationships. LSTM networks are highly effective in modeling temporal sequences, crucial for predicting the progression of cyberattacks over time [8]. The complementary strengths of GNNs (structural analysis) and LSTM networks (temporal modeling) provide a holistic understanding of threat behaviors, enabling more effective defenses [9,10,11,12].

The contemporary cybersecurity landscape is characterized by an alarming escalation in both the frequency and sophistication of security breaches across all sectors. Recent comprehensive analysis reveals that data breaches have reached unprecedented levels, with organizations experiencing an average cost of $4.88 million per incident in 2024, representing a significant increase from previous years [13]. These breaches exploit various attack vectors, from sophisticated social engineering campaigns to zero-day vulnerabilities in critical infrastructure, often combining multiple techniques in coordinated campaigns that bypass traditional defensive measures.

Industrial control systems represent a particularly critical domain where conventional security measures prove inadequate against sophisticated adversarial attacks. These systems, which control critical infrastructure including power grids, water treatment facilities, and manufacturing processes, face unique vulnerabilities that require specialized detection mechanisms. Recent advances in adversarial attack detection for industrial control systems have demonstrated the effectiveness of LSTM-based intrusion detection systems combined with black-box defense strategies, achieving significant improvements in detecting anomalous behavior patterns within operational technology environments [14]. However, these temporal-focused approaches often miss the crucial structural relationships between attack components and system dependencies that characterize modern multi-stage attacks.

The evolution of contemporary attack methodologies reveals fundamental shifts in adversarial tactics that challenge existing defense paradigms. Modern adversaries deploy coordinated campaigns that simultaneously exploit network vulnerabilities, social engineering, and system misconfigurations, creating attack chains that are difficult to detect through single-method approaches. State-sponsored and criminal organizations employ long-term infiltration strategies that remain dormant for extended periods, requiring detection models capable of identifying subtle patterns across extended timeframes and correlating seemingly unrelated events. The increasing prevalence of unknown vulnerabilities demands predictive systems that can anticipate attack vectors based on structural relationships and behavioral patterns rather than relying solely on known signatures or historical data. Critical infrastructure faces unique risks where cyberattacks can cause catastrophic real-world damage, necessitating detection frameworks that understand both digital attack progression and physical system relationships. These emerging threat patterns highlight the fundamental limitations of reactive security measures and emphasize the critical importance of proactive, predictive approaches that can anticipate and mitigate attacks before they achieve their strategic objectives.

Through this approach, the paper seeks to contribute a robust solution to the rapidly evolving cybersecurity landscape, ensuring that defenses remain adaptive, resilient, and effective in mitigating complex threats. The main contributions of this research are summarized as follows:

• Novel hybrid architecture: we propose a unified GNN-LSTM framework that uniquely integrates structural analysis of attack patterns through GNNs with temporal sequence modeling via LSTM, enabling comprehensive attack vector reconstruction;
• MITRE ATT&CK integration: our model leverages the MITRE ATT&CK framework’s structural relationships, transforming them into graph representations that enhance the understanding of attack dependencies and progression paths;
• Superior performance: experimental evaluation demonstrates exceptional performance with 99% AUC on the CICIDS2017 dataset, 85% F1-score for technique prediction, and 0.05 MSE for risk assessment, outperforming traditional approaches;
• Explainability features: the integration of SHAP-based explainability mechanisms provides transparent insights into model decisions, crucial for security analysts in operational environments;
• Scalability solutions: we address computational challenges through optimized architectures that handle missing data and large-scale deployments, making the approach practical for real-world cybersecurity applications.

The remainder of this paper is organized as follows. Section 2 presents a comprehensive literature review examining the current approaches to attack vector prediction, the challenges of dynamic cyber threats, and the complexities of modern cybersecurity data. Section 3 details our proposed hybrid GNN-LSTM methodology, including the model architecture, data preprocessing pipeline, and integration with the MITRE ATT&CK framework. Section 4 describes the experimental setup, datasets used, and evaluation metrics. Section 4 also presents our experimental results and comparative analysis with existing approaches. Section 5 discusses the implications of our findings, limitations, and potential applications in real-world security operations. Finally, Section 6 concludes this paper with a summary of key findings and directions for future research.

2. Literature Review

Prediction of attack vectors is a proactive cybersecurity approach, aiming to anticipate system exploitation rather than merely reacting to known threats. The increasing sophistication of modern attacks, including zero-day vulnerabilities that remain undetected for an average of 312 days (Bilge and Dumitras [3]) and adversaries’ use of polymorphic techniques and multi-stage strategies like Advanced Persistent Threats (APTs) (Deldar et al. [15], Che Mat et al. [16]), underscores the critical need for dynamic, adaptive predictive systems.

However, predicting attack vectors is challenging due to the complexity and sheer volume of data generated by modern systems. Predictive models must process vast amounts of telemetry data—system logs, network traffic, and event traces—to identify potential threats, a task even advanced statistical techniques struggle with in real-time (Enoch et al. [17]). The inherent unpredictability of adversarial behavior further complicates this, as adversaries constantly adapt, creating a moving target. As Anjum N et al. [18] highlighted, understanding dependencies across various attack stages remains a significant challenge, demanding models that can not only identify known patterns but also generalize to novel and evolving attack methods.

Researchers in this domain are investigating several critical questions to advance attack vector prediction:

• How can predictive systems generalize to unseen attack techniques?
• What methodologies can handle the scale and complexity of modern cybersecurity data?
• How can predictive models integrate real-time data streams?

Traditional machine learning, like Babenko et al.’s [10] use of Learning Vector Quantization (LVQ) for DDoS detection, provided initial insights but struggled with the temporal and structural complexities of modern multi-stage attacks, prompting exploration of more sophisticated architectures. Recent advancements in AI and ML, particularly Graph Neural Networks (GNNs) and Long Short-Term Memory (LSTM) networks, offer promising solutions. GNNs excel at analyzing interconnected data, crucial for understanding complex attack paths within frameworks like MITRE ATT&CK [17]. LSTM networks are effective for modeling temporal sequences, enabling predictions of attack progression over time (Laghrissi et al. [19], Ergen et al. [20]). However, both GNNs and LSTM networks have limitations in scalability and interpretability.

The dynamic nature of cyber threats is a significant challenge. Modern attacks rapidly evolve, exploiting zero-day vulnerabilities that can remain undetected for extended periods (Bilge and Dumitras [3]). Advanced Persistent Threats (APTs), characterized by their prolonged, adaptive, and multi-stage nature (Che Mat et al. [16]), and polymorphic malware (Deldar et al. [15], Enoch et al. [17]) demand predictive models that can adapt and understand behavioral patterns (Anjum et al. [18]). Integrating real-time threat intelligence from diverse sources like IDS and SIEM is crucial (Mohammadi et al. [21]), though standardization of data formats remains a challenge (Schlette et al. [22]). A multi-faceted approach incorporating behavioral analysis and real-time intelligence is essential for the adaptive predictive systems.

The complexity of modern cybersecurity data presents a formidable challenge. Enterprise networks generate immense volumes of high-dimensional, heterogeneous data from various sources (Enoch et al. [17], Anjum et al. [18]), complicating analysis and correlation (Schlette et al. [22]). Real-time attack prediction is computationally demanding (Mohammadi et al. [21]), requiring innovations like attention mechanisms (Vaswani et al. [23]) to reduce overhead. Furthermore, the “black box” nature of deep learning models hinders interpretability (Ribeiro et al. [11]), necessitating explainable AI (XAI) features in hybrid models (Sun et al. [24]). Addressing these challenges requires advances in data processing, real-time analysis, and standardization, along with integrating XAI techniques for actionable insights.

Predicting attack vectors requires analyzing both structural relationships and temporal progressions, making a hybrid GNN-LSTM approach optimal. This model leverages GNNs for understanding graph-structured attack paths (Enoch et al. [17]) and LSTM for modeling sequential attack events (Laghrissi et al. [19], Ergen et al. [20]). Sun et al. [24], Staudemeyer [25] confirmed the superiority of such hybrid models over standalone approaches. While GNNs and LSTM networks face inherent scalability and computational efficiency challenges with large datasets (Hamilton et al. [26]) and missing features (Taguchi et al. [27]), our proposed method includes optimizations to address these, and the integration of explainability is paramount in these complex hybrid systems (Guidotti et al. [28]).

To enhance interpretability in cybersecurity-related AI models, the integration of explainable artificial intelligence (XAI) has become a significant research focus. Mendes and Rios [29] conducted a systematic literature review of XAI techniques in cybersecurity, emphasizing the growing need for models that not only perform well but also provide transparent and trustworthy outputs. Among practical tools, GNNExplainer, introduced by Ying et al. [30], provides interpretable insights into Graph Neural Network predictions by identifying critical subgraphs and node features that influence model decisions. This capacity to generate localized explanations is essential for auditing decisions in sensitive domains such as intrusion detection and threat attribution.

Modern distributed information systems face increasing cyberthreats, which highlights the critical importance of effective approaches to detecting and reconstructing attack vectors. Research in this area emphasizes the need to model cybersecurity risks in such systems (Ermukhambetova et. al. [31], Olekh, H. et al. [32], Palko et al. [33,34]) as a fundamental step towards increasing resilience. Given the dynamic nature of cyberattacks, the ability to accurately reproduce the sequence of actions of an attacker is key to proactive defense and rapid incident response.

Against the backdrop of constantly evolving threats, traditional detection methods often prove insufficient, which stimulates the development of more advanced approaches based on machine learning. In particular, neural networks have demonstrated significant potential in detecting a variety of cyberattacks, including threats such as SQL injections (Hubskyi et al. [35]). Building on previous work on prioritizing cybersecurity measures (Hnatiienko et al. [36]), this paper proposes a hybrid approach that combines Graph Neural Networks (GNNs) and Long Short-Term Memory (LSTM) to improve the reconstruction of complex attack vectors. This allows for a deeper understanding of the spread of threats in distributed information environments.

Based on the conducted literature analysis, it is evident that predicting attack vectors is a complex and multifaceted challenge that requires integrating advanced methods for structural and temporal data analysis. Modern cyber threats, characterized by their dynamic and adaptive nature, surpass the capabilities of traditional reactive defense systems. Hybrid approaches, particularly those combining Graph Neural Networks (GNNs) and Long Short-Term Memory (LSTM) networks, have emerged as promising solutions to address these challenges. These methods leverage the strengths of GNNs for analyzing structural dependencies and LSTM networks for capturing temporal sequences, offering a comprehensive framework for understanding and predicting attack progression. However, unresolved challenges, such as explainability, scalability, and handling noisy or incomplete data, underscore the need for further research.

The primary objective of this study is to synthesize and evaluate the effectiveness of a hybrid GNN-LSTM model for cybersecurity applications, specifically in predicting and mitigating attack vectors. The research aims to achieve the following:

• Develop a unified hybrid model integrating Graph Neural Networks (GNNs) and Long Short-Term Memory (LSTM) networks to analyze the structural and temporal aspects of cyberattacks;
• Investigate the feasibility and performance of the proposed approach in real-world cybersecurity scenarios, emphasizing its scalability and computational efficiency;
• Validate the hybrid model using diverse datasets to evaluate its adaptability and generalizability to the continuously evolving landscape of cyber threats.

Based on the comprehensive literature analysis presented above,

Table 1. Summary of key studies in attack vector prediction and cybersecurity ML approaches.

Study/Studies	Method/Approach	Dataset	Strengths	Weaknesses	Reported Performance
Bilge and Dumitras [12]	Empirical analysis of zero-day vulnerabilities	Real-world vulnerability data (2008–2011)	Comprehensive real-world analysis; long-term observation period; practical insights into detection gaps	Limited to vulnerability analysis; no predictive modeling; reactive approach only	Average of 312 days of exploitation before detection
Deldar and Abadi [15]; Che Mat et al. [16]	APT and polymorphic malware analysis	APT case studies and malware datasets	Addresses evolving threat landscape; multi-stage attack understanding; MITRE ATT&CK integration	Limited experimental validation; no temporal modeling; qualitative analysis focus	Survey/qualitative analysis—no specific accuracy metric
Enoch et al. [17]	Model-based cybersecurity analysis	Synthetic and real network data	Comprehensive modeling approach; high-dimensional data handling; statistical rigor	Limited real-world validation; computational complexity issues; scalability concerns	Statistical significance testing—no ML accuracy
Traditional ML Approaches: Babenko et al. [9]	Learning Vector Quantization (LVQ) for DDoS	Network traffic data	Effective for specific attack types; lightweight approach; good interpretability	Limited to single attack type; no temporal dependencies; narrow scope	94.2% accuracy for DDoS detection
LSTM-based Approaches: Laghrissi et al. [19]; Staudemeyer [25]; Ergen and Kozat [20]	LSTM networks for intrusion detection and anomaly detection	CICIDS2017, NSL-KDD, KDD Cup 99, time series	Strong temporal modeling; good sequence learning; multiple dataset validation	No structural relationship modeling; limited to single-method approach; no attack progression analysis	83–95% accuracy across different datasets
Hybrid CNN-LSTM: Sun et al. [21]	CNN-LSTM for intrusion detection	CICIDS2017	Hybrid architecture benefits; spatial and temporal feature extraction; high accuracy achievement	Limited to network intrusion; no graph-based analysis; no attack vector reconstruction	99.45% accuracy on CICIDS2017x
Graph Neural Networks: Kipf and Welling [8]; Hamilton et al. [25]; Velickovic et al. [37]	GCN, GraphSAGE, GAT architectures	Citation networks, social graphs, various graph datasets	Structural relationship modeling; scalability improvements (GraphSAGE); attention mechanisms (GATs)	Not cybersecurity-specific; no temporal integration; limited attack modeling	10–25% improvement over baseline graph methods
Graph Data Handling: Taguchi et al. [27];	GCN for missing features, GRAPE framework	Synthetic and real graph datasets	Handles incomplete data; robust to missing information; dynamic graph processing	Limited cybersecurity application; no temporal modeling; primarily synthetic evaluation	80–90% accuracy on graph completion tasks
Attention Mechanisms: Vaswani et al. [23]; Brody et al. [38]	Transformer attention, Graph attention analysis	NLP and graph datasets	Computational efficiency improvements; focus on critical features; theoretical foundations	Not cybersecurity-focused; domain adaptation needed; general ML frameworks	Computational complexity reduction, no security metrics
Explainability: Ying et al. [30]; Guidotti et al. [28]; Mendes and Rios [29]	GNNExplainer, XAI surveys and methods	Molecular, social graphs, cybersecurity applications	Excellent explainability features; decision transparency; security-specific considerations	Limited temporal explanation; mostly static analysis; implementation challenges	Explanation quality metrics—limited prediction accuracy
Real-time Processing: Mohammadi et al. [21]; Schlette et al. [22]	Deep learning for IoT streaming, CTI integration	IoT sensor streams, threat intelligence	Real-time processing capability; streaming analytics focus; practical deployment insights	Limited attack vector modeling; no comprehensive ML integration; domain-specific limitations	Latency/throughput metrics—limited security accuracy
LSTM Optimization: Greff et al. [39]; Hochreiter and Schmidhuber [7]	LSTM architecture analysis and foundations	Multiple sequence datasets	Comprehensive LSTM analysis; architecture optimization; theoretical foundations	Not cybersecurity-focused; no domain-specific application; general sequence modeling	Architecture comparison metrics—no security accuracy
Applied Cybersecurity: Palko et al. [33,34]; Hubskyi et al. [35]; Hnatiienko et al. [36]	Risk modeling, SQL injection detection, decision support	Distributed system logs, web applications, incomplete data	Practical cybersecurity focus; real-world problem solving; domain expertise integration	Limited ML sophistication; narrow problem scope; no comprehensive attack modeling	Domain-specific accuracy: 85–92% for targeted problems

summarizes the key studies examined, highlighting their methodological approaches, strengths, limitations, and reported performance metrics. This comparative analysis reveals several critical gaps in the existing literature that motivate our hybrid GNN-LSTM approach.

The analysis presented in Table 1 reveals that while individual components of our proposed approach have been validated in isolation, no existing work comprehensively integrates Graph Neural Networks for structural analysis with LSTM networks for temporal modeling specifically for attack vector reconstruction.

3. Method

3.1. Overview of the Hybrid Model

The increasing complexity of cyberattacks demands advanced methods to capture both structural relationships and temporal dynamics of attack vectors. This study proposes a hybrid GNN-LSTM model for effective attack vector reconstruction and prediction. This synergy leverages GNNs’ strength in modeling graph-structured data and LSTM networks’ proficiency in processing sequential, time-dependent data. This combined framework offers a comprehensive understanding of interconnected and evolving cyber threats, as outlined by the MITRE ATT&CK framework and real-time cybersecurity datasets.

GNNs analyze the structural aspects of attacks by treating relationships between techniques, tactics, and system entities as a graph. Nodes represent entities like vulnerabilities or system components, and edges denote dependencies (e.g., lateral movement or privilege escalation). The GNN processes this graph-based representation, often derived from MITRE ATT&CK [6], to uncover hidden patterns and map the “what” of an attack—its structural composition and pathways. This is crucial for interpreting complex, multi-stage attacks where traditional methods struggle to correlate disparate events [14,17]. To address scalability in large graphs, inductive learning techniques [26] allow GNNs to generalize to unseen nodes, enhancing their applicability in dynamic cybersecurity environments. LSTM networks model the temporal progression of cyberattacks, capturing the sequential order and timing of attack steps. Cyberattacks unfold as a series of events (e.g., reconnaissance, exploitation, and exfiltration), where the sequence and duration reveal adversary intent.

The LSTM component ingests time-series data (e.g., event logs or network traffic timestamps aligned with MITRE ATT&CK sequences) to predict the “when” of an attack, forecasting likely next steps based on historical patterns. This temporal modeling enhances the model’s ability to anticipate attack progression, which is key for proactive threat mitigation [19,23].

Table 2. Roles of GNN and LSTM in the hybrid model.

Component	Input Data	Role	Output
GNN	Graph (e.g., MITRE ATT&CK)	Analyzes structural relationships	Node embeddings (HGNN)
LSTM	Time-series (e.g., logs)	Models temporal attack progression	Sequence prediction (Ht)

(not provided in the prompt) further illustrates the complementary roles of GNNs and LSTM networks.

The workflow of the hybrid GNN-LSTM model operates in a two-phase process designed to integrate structural and temporal analyses seamlessly. In the first phase, the GNN processes graph-structured data from the MITRE ATT&CK framework or system telemetry, generating embeddings that encapsulate the relational context of attack entities. These embeddings serve as a rich, contextual representation of the attack’s structural landscape. In the second phase, these GNN-generated embeddings are fed into the LSTM as input features, alongside temporal data such as event sequences or time-stamped alerts. The LSTM then processes this combined input to model the attack’s evolution over time, producing predictions about future techniques or reconstructing the full attack path from partial observations. Mathematically, the hybrid model integrates GNN embeddings H_GNN with temporal features X_t in the LSTM, as shown in Equation (1):

$$H_t=LSTM H_{GNN, }{X}_t{h}_{t-1,}{c}_{t-1}$$

(1)

where $H_t$—output of the LSTM at time step t (predicted attack step or reconstructed vector), $H_{GNN }=GCN\left(A,X\right)$—graph embeddings from the GNN, computed using a graph convolutional network (GCN) with adjacency matrix A and node feature matrix X, $X_{t }$—temporal input features at time t (e.g., log timestamps and Kill Chain phases), and $c_{t-1}$ previous hidden and cell states of the LSTM.

This integrated approach allows the model to capture both an attack’s static dependencies and its dynamic progression, overcoming the limitations of standalone GNN or LSTM models.

To boost scalability and interpretability, the hybrid model uses optimization techniques like attention mechanisms and sparse graph processing [24,26]. Attention mechanisms prioritize critical nodes and sequences, reducing computational overhead and focusing on key attack features. This workflow improves predictive accuracy and offers actionable insights for cybersecurity practitioners, enabling more precise and proactive threat responses.

3.2. Neural Network Architecture

3.2.1. Graph Architecture Selection and Justification

Selecting the right Graph Neural Network (GNN) architecture is crucial for modeling structural relationships in cybersecurity attack vectors. This section analyzes candidate architectures, justifying our choice of Graph Convolutional Networks (GCNs) for processing the MITRE ATT&CK framework. GNNs are powerful for analyzing structured cybersecurity data. We evaluated four primary architectures—GCNs, Graph Attention Networks, GraphSAGE, and Graph Transformers—for modeling MITRE ATT&CK relationships.

Graph Convolutional Networks, as introduced by Kipf and Welling [8], employ uniform neighbor aggregation through spectral convolution operations. The mathematical foundation relies on symmetric normalization of the adjacency matrix, where the layer-wise propagation rule follows $H^{(l+1)}=\sigma ({\tilde{D}}^{-\raisebox{1ex}{$1$}\!\left/ \!\raisebox{-1ex}{$2 $}\right.}A{\tilde{D}}^{-\raisebox{1ex}{$1$}\!\left/ \!\raisebox{-1ex}{$2 $}\right.}{H}^l{W}^l)$, with à representing the adjacency matrix augmented with self-loops and $\tilde{D}$ denoting the corresponding degree matrix. This architecture exhibits computational complexity of O(|E|·F + |V|·F²), where |E| represents the number of edges, |V| the number of vertices, and F the feature dimensionality. The uniform aggregation mechanism provides high interpretability, making it particularly suitable for security analyst workflows where understanding attack progression paths is essential.

Graph Attention Networks (GATs), by Veličković et al. [37], use dynamic attention to weight neighbor contributions. Despite their flexibility for complex relationships, GATs’ computational complexity (O(∣E∣⋅F⋅H + ∣V∣⋅F⋅H²)) creates significant overhead for real-time cybersecurity. GraphSAGE, proposed by Hamilton et al. [26], improves scalability via inductive learning and neighbor sampling. It samples k neighbors and aggregates their features, reducing complexity to O(k⋅∣V∣⋅F²). However, this sampling may miss critical attack path relationships needed for comprehensive threat analysis.

Graph Transformers employ multi-head attention [25], offering global attention and theoretical advantages for long-range dependencies. However, their quadratic complexity (O(∣V∣²⋅F)) is prohibitive for real-time enterprise cybersecurity, especially with concurrent attacks. The MITRE ATT&CK framework (Figure 1), with 188 techniques across 14 tactics and documented relationships, significantly influences the architectural choice for attack vector modeling.

Empirical validation was conducted through ablation experiments comparing GCN, GAT, and GraphSAGE implementations on the preprocessed CICIDS2017 dataset. The experimental results, summarized in

Table 3. Empirical performance comparison of graph architectures.

Architecture	Configuration	F1-Scor	Inference Time (ms)	Memory Usage (GB)	Interpretability Score
GCN	Standard	0.847	12.3	1.4	8.7
GAT	4 attention heads	0.851	28.7	2.1	6.2
GAT	8 attention heads	0.853	45.2	3.3	5.1
GraphSAGE	k = 5 neighbors	0.832	19.8	1.8	7.3
GraphSAGE	k = 10 neighbors	0.845	31.4	2.4	7.1

, demonstrate the performance trade-offs between different architectural choices across multiple evaluation criteria.

Interpretability evaluated by cybersecurity experts on attack path explanation clarity (1–10 scale). Experiments conducted using the CICIDS2017 dataset with training parameters specified in Section 3.4. The selection criteria for optimal graph architecture in cybersecurity applications encompass multiple dimensions beyond traditional machine learning metrics. Figure 2 visualizes the multi-criteria decision analysis that guided our architectural selection process. The analysis reveals that Graph Convolutional Networks achieve the optimal balance across all evaluation dimensions, as demonstrated in Table 3.

The performance–efficiency trade-offs across different architectures reveal distinct operational characteristics relevant to cybersecurity deployment scenarios.

Table 4. Performance–efficiency trade-off analysis.

Architecture	Performance Gain vs. GCN	Computational Overhead vs. GCN	Efficiency Ratio	Operational Suitability
GCN	Baseline (0.847)	Baseline (12.3 ms, 1.4 GB)	1.00	Optimal
GAT (4-head)	+0.47% (+0.004)	+133% time, +50	0.21	Limited
GAT (8-head)	+0.71% (+0.006)	+267% time, +136% memory	0.18	Poor
GraphSAGE (k = 5)	−1.77% (−0.015)	+61% time, +29% memory	0.62	Moderate
GraphSAGE (k = 10)	−0.24% (−0.002)	+155% time, +71% memory	0.43	Limited

quantifies these trade-offs by calculating efficiency ratios that normalize performance gains against computational overhead increases.

Efficiency Ratio = (Performance Gain)/(Average Computational Overhead Increase)

The MITRE ATT&CK framework’s structural properties align well with Graph Convolutional Network (GCN) processing. Its hierarchical organization and deterministic technique relationships make uniform neighbor aggregation in GCNs more suitable than attention-based weighting. GCNs also facilitate integration with LSTM temporal modeling by providing consistent feature embeddings, crucial for stable training of the hybrid GNN-LSTM pipeline.

Although Graph Attention Networks (GATs) showed a minor F1-score improvement, their 2.6-fold increase in inference time and 2.4-fold memory overhead are not justified for a mere 0.6% performance gain in operational cybersecurity. The GCN’s ability to process over 1000 attack sequences per second (as detailed in computational complexity analysis) outweighs these minimal accuracy gains for practical deployment.

Similarly, GraphSAGE’s inductive learning, while useful for dynamic graphs with unseen nodes, offers no advantage for our fixed MITRE ATT&CK structure. Its sampling approach introduces unnecessary overhead and potential information loss for well-documented attack paths. Therefore, GCNs offer the optimal balance of performance, efficiency, and interpretability for modeling attack vector relationships within our hybrid framework. This architectural choice supports our research goals of developing a practical, interpretable, and scalable solution for attack vector reconstruction and prediction, making the model suitable for enterprise cybersecurity environments where both accuracy and operational efficiency are paramount.

3.2.2. Computational Complexity Analysis

Hybrid GNN-LSTM models are computationally expensive due to GNNs’ message passing and LSTM networks’ sequential processing. This subsection analyzes the computational demands of our proposed GNN-LSTM architecture for attack vector reconstruction and highlights how optimizations enable practical scalability for cybersecurity.

The Graph Convolutional Network (GCN) component processes the MITRE ATT&CK framework, where nodes are attack techniques (188) and edges capture dependencies (around 395 relationships). The per-layer computational complexity is O(∣E∣⋅F + ∣V∣⋅F²) where ∣E∣ is edge operations, ∣V∣ is vertex transformations, F = 513 is input feature dimension, and H is output feature dimension. We maintain H = F across layers, simplifying the complexity to O(∣E∣⋅F + ∣V∣⋅F²).

Our implementation exploits the sparsity of attack technique relationships (approx. 5% edge density, 3–7 techniques per stage). This reduces layer-wise complexity by 94%, from O(35,344 F + 188 F²) in dense graphs to approximately O(2000·F + 200·F²).

Further GCN optimization includes CUDA-based sparse matrix multiplication [27], which reduces memory access by 80%. Instead of full message passing, we use neighborhood sampling, focusing on k = 5 most relevant techniques, reducing complexity to O(k⋅∣V∣⋅F²) [26]. Progressive feature dimension reduction from F = 513 to F = 128 across GCN layers also minimizes quadratic growth in computational costs.

The LSTM processes temporal sequences of attack technique embeddings from the GCN, with each sequence representing an attack campaign up to a maximum length of T = 50. This involves about 3.3 million operations per attack vector reconstruction.

The sequential nature of LSTM networks creates scalability bottlenecks. We tackled this with parallel batch processing, achieving a four-fold throughput improvement. Gradient checkpointing [37] reduced memory usage by 35%, enabling larger batch sizes (from 32 to 128 sequences). Truncated backpropagation also cut training complexity from O(T²) to O(T), maintaining learning effectiveness. Memory is a bottleneck, with the GCN needing 1.4 GB GPU memory and the LSTM an additional 900 MB, totaling 2.3 GB for inference and 3.8 GB during training before optimization.

Structured pruning [21] post-convergence eliminated 25% of parameters from both GCN and LSTM layers. This optimized approach reduced inference time by 18% and memory usage by 22% with no accuracy loss (AUC maintained at 0.99). Empirical tests on an NVIDIA RTX 3080 GPU showed practical scalability: 1000 attack sequences per second throughput and an average latency of 0.8 ms per reconstruction, using 2.3 GB GPU memory during inference, making it suitable for enterprise security operations centers.

A comparative analysis reveals tradeoffs: standalone GCNs are faster (1850 sequences/s and 1.2 GB memory) but lack temporal context, resulting in an F1-score of 0.71. BiLSTM-only implementations process 1200 sequences/s (1.8 GB memory) with an F1-score of 0.68 for temporal patterns but miss structural relationships. Our GNN-LSTM hybrid processes 1000 sequences/s using 2.3 GB memory but achieves a superior F1-score of 0.85 for complete attack vector reconstruction.

While the hybrid model has 15–20% lower throughput than the individual components, its 20% higher accuracy for complete attack vector reconstruction justifies the computational overhead. This ability to simultaneously capture structural relationships and temporal patterns is crucial for comprehensive threat analysis. The architecture supports horizontal scaling via model parallelism [26], with two-GPU configurations achieving 1.8× throughput scaling (1800 sequences/s), and four-GPU deployments handling 60,000 attack vectors per minute. This high throughput supports large-scale security operations. The optimizations show that while GNN-LSTM hybrids are computationally intensive, strategic architectural and implementation choices enable practical real-time deployment in enterprise cybersecurity, with the computational investment yielding significant improvements in detection accuracy and temporal understanding.

3.2.3. Model Architecture

The hybrid architecture, combining Graph Neural Networks (GNNs) and Long Short-Term Memory (LSTM) networks, is designed to tackle complex cyber threats. This model excels at reconstructing attack paths and predicting adversarial actions. It does so by using GNNs to analyze graph-structured relationships (like MITRE ATT&CK TTPs [6]) and LSTM networks to model temporal sequences that show how attacks evolve over time [7].

The process is twofold: the GNN extracts structural embeddings from a high-dimensional graph. These are then combined with temporal features and processed by the LSTM to reveal the dynamic progression of attack vectors, providing actionable insights for cybersecurity professionals.

The GNN component commences this process by analyzing graph-structured data, sourced either from the MITRE ATT&CK framework [6] or synthetically generated to emulate realistic cyberattack scenarios when requisite datasets are unavailable [22]. A Graph Convolutional Network (GCN), as articulated by Kipf and Welling [8], processes an adjacency matrix $A\in R^{N\times N}$ where N = 200 denotes nodes encompassing 185 MITRE ATT&CK techniques and supplementary system entities (e.g., devices and users), with edges representing probabilistic dependencies characteristic of multi-stage attacks, such as transitions from reconnaissance to exploitation [16]. The node feature matrix $A\in R^{N\times F}$ incorporates a feature dimensionality of F = 512, detailed in

Table 5. Composition of input features for GNN and LSTM.

Component	Feature Category	Number of Features	Description
GNN (X)	MITRE techniques	185	One-hot encoding of 185 ATT&CK techniques [6]
	MITRE tactics	14	One-hot encoding of 14 enterprise tactics [6]
	Telemetry	200	Network/system metrics (e.g., packet counts)
	Contextual	113	Vulnerability scores, detection flags, etc.
	$\mathrm{Temporal} T_{real}$	1	Timestamp or offset (optional)
	Total	512–513	$\mathrm{Depending} \mathrm{on} T_{real}$
$\mathrm{LSTM} X_{\left(t\right)}$	Base features	513	Inherited from X
	Temporal attributes	15	Event frequency, duration, entropy, etc.
	Total	528	Per time step across T = 50

, comprising one-hot encodings of 185 techniques and 14 enterprise tactics, telemetry attributes including network and system metrics, and contextual descriptors such as vulnerability scores and detection indicators, reflecting the high-dimensional nature of cybersecurity datasets [17,37]. Should synthetic data be employed, these features are synthesized using statistical distributions—Gaussian for continuous variables and Bernoulli for binary indicators, guided by MITRE ATT&CK patterns to ensure fidelity [6]. Temporal dynamics are incorporated through real-time timestamps $T_{real}$ augmenting the feature space to F = 513 when integrated as a static attribute within X processed via the GCN convolution operation

$$H_{GNN}=\sigma \left(\tilde{A}XW\right)$$

(2)

where $\tilde{A}=D^{\frac{1}{2}}\left(A+I\right)D^{-\frac{1}{2}}$ denotes the symmetrically normalized adjacency matrix with self-loops, D is the degree matrix, $W\in R^{F\times F^{\prime }}$ is a trainable weight matrix, $F^{\prime }=128$ represents the embedding dimension, and $\sigma$ is the ReLU activation function [8]. Alternatively, $T_{real}$ may inform edge attributes within A, necessitating a Graph Atention Network (GAT) with attention coefficients:

$${\alpha }_{i,j}={\displaystyle \frac{\mathit{exp}\left(LeakyReLU\left(a^T\left[W_{x_i}‖W_{x_j}‖T_{real,ij}\right]\right)\right)}{{\sum }_{k\in N_i}exp\left(LeakyReLU\left(a^T\left[W_{x_i}‖W_{x_k}‖T_{real,ik}\right]\right)\right)}}$$

(3)

where $a$ is a learnable attention vector, ∣∣ denotes concatenation, and $T_{real}$ represents temporal differences between nodes i and j as advanced by Veličković et al. [37]. A third approach employs a weight matrix $T_{weights, ij }\in R^{N\times N}$ defined as $T_{weights,ij}=exp\left(-\lambda \left|T_{real,i}-T_{real,j}\right|\right)$, modulating A via $A^{\prime }=A\odot T_{weights}$, where $\odot$ is a decay parameter [40], enhancing temporal sensitivity [41]. The resultant embeddings $H_{GNN}$ encapsulate both structural and temporal contexts.

The embeddings $H_{GNN}$ serve as a conduit to the LSTM phase, where they are integrated with temporal data $X_t\in R^{T\times 528}$, spanning T = 50 time steps, with 528 features as delineated in Table 5 encompassing the 513 features from X augmented by 15 temporal attributes such as event frequency, duration, entropy measures, and Kill Chain phase encodings, either extracted from real-time logs or synthesized to emulate multi-stage attack progression [21,42]. The LSTM, rooted in the foundational architecture of Hochreiter and Schmidhuber [7] and refined through optimizations by Greff et al. [39], processes this composite input through a series of gate operations:

$$\begin{array}{c}{f}_t=\sigma \left(W_f\left[H_{GNN},X_t{H}_{t-1}\right]+b_f\right)\\ i_t=\sigma \left(W_i\left[H_{GNN},X_t{H}_{t-1}\right]+b_i\right)\\ o_t=\sigma \left(W_o\left[H_{GNN},X_t{H}_{t-1}\right]+b_0\right)\\ C_t=f_t\odot C_{t-1}+i_t\odot \mathrm{t}anh\left(W_c\left[H_{GNN}{X}_t{H}_{t-1}\right]+b_c\right)\\ H_t=o_t\odot \mathrm{t}anh{(C}_t)\end{array}$$

(4)

where $H_t\in R^{256}$ represents the hidden state, $f_t{,i}_t$, and $o_t$ are the forget, input, and output gates, respectively, and $C_t$ is the cell state, adept at capturing prolonged temporal dependencies inherent in attack sequences, such as those observed in advanced persistent threats (APTs) [16].

This high-dimensional input configuration ensures a comprehensive representation of both structural relationships and sequential dynamics, aligning with the data-intensive demands of modern cybersecurity environments [17]. The LSTM produces three distinct outputs, characterized in

Table 6. Characteristics of LSTM Outputs.

Output	Symbol	Dimension	Range	Description
Risk Score	$R_t$	Scalar	[0, 1]	Immediate threat severity at time t
Technique Probabilities	$P_t$	Vector 185	[0, 1]	Likelihood of 185 MITRE techniques occurring next
Probability Gradation	$G_t$	Scalar	[0, 1]	Confidence or severity measure for predictions

, each tailored to specific cybersecurity objectives. The risk score, denoted $R_t$, is computed as $R_t=\sigma \left(W_R{H}_t+b_R\right)$, yielding a scalar value within [0, 1] that quantifies the immediate threat severity at time t [42]. The technique probabilities, represented as $P_t$, are derived via $P_t=sofmax\left(W_p{H}_t+b_p\right)$, producing a vector in $R^{185}$ that predicts the likelihood of occurrence for each of the 185 MITRE ATT&CK techniques [43]. The probability gradation $G_t$ is calculated as $G_t=\sigma \left(W_G{H}_t+b_G\right)$, delivering a scalar in [0, 1] that provides a measure of confidence or severity associated with the predictions [43]. These outputs are generated concurrently through a multi-head output layer, facilitating a multifaceted analysis encompassing risk assessment, technique forecasting, and confidence estimation within a cohesive framework.

To accommodate the computational complexity arising from the high-dimensional inputs—513 features for X and 528 for $X_t$—scalability is ensured through the application of sparse matrix operations to A and batch processing of $H_{GNN}$ and $X_t$, as optimized by Taguchi et al. [26]. Attention mechanisms, pioneered by Vaswani et al. [23] and further refined by Brody et al. [38], are employed to prioritize critical nodes and time steps, mitigating resource demands while preserving predictive accuracy. Interpretability, a cornerstone for operational utility in cybersecurity, is enhanced through the integration of SHAP explanations [43], which link predictions to specific input features, a necessity underscored by Mendes and Rios et al. [29]. Should synthetic data be utilized, its realism is validated against established benchmarks such as MITRE ATT&CK documentation [6], with robustness further supported by advanced techniques such as graph imputation to address potential data deficiencies [31]. This architecture, characterized by its high-dimensional inputs and structured outputs, provides a robust solution for reconstructing and predicting attack vectors. The comprehensive feature set and temporal modeling capabilities ensure that the model captures the intricate interplay of the structural and sequential aspects of cyber threats, with subsequent sections elaborating on data preparation and experimental validation to assess its efficacy in real-world scenarios.

3.3. Formation of the Dataset

3.3.1. Data Preparation

The hybrid GNN-LSTM model’s performance hinges on meticulously prepared input data that captures the structural intricacies and temporal evolution of cyber threats. This section outlines the data pipeline, including collection, preprocessing, augmentation, and validation. Due to the scarcity of comprehensive, labeled cybersecurity datasets, this study combines real-world telemetry and synthetic data, ensuring model robustness and adaptability to diverse attack scenarios. The process aligns with the MITRE ATT&CK framework [6] and real-time cybersecurity requirements, drawing from works like Enoch [17] and Sun et al. [24].

3.3.2. Data Sources

Data preparation for the hybrid GNN-LSTM model involves gathering information on cyberattack structure and timing using three main data types (

Table 7. Overview of data sources.

Source	Type	Components	Example
MITRE ATT&CK	Structural	185 techniques, 14 tactics, edges	T1071 (HTTP traffic) → T1041 (Data exfiltration)
Real-world monitoring	Structural/temporal	Logs, network flows, SIEM alerts	09:00: HTTP spike (50 MB/s), 09:05: Alert (T1041)
Thinthetic data	Structural/temporal	Simulated graphs, event sequences	T1071 (80% prob.) → T1041, Flow: 45 MB/s

). First, the MITRE ATT&CK framework [6] provides a map of 185 attack techniques (e.g., T1071—Application Layer Protocol) and 14 tactics (e.g., Command and Control), with edges showing connections (e.g., T1071 leading to T1041). This forms a 200-node graph including network entities. Second, real-world monitoring data from company systems (logs, network traffic, and SIEM alerts) is crucial for modeling attack progression. For instance, a firewall log might show “2025-03-22 09:00: Suspicious HTTP traffic (T1071)” followed by “2025-03-22 09:05: Big data transfer (T1041),” illustrating step-by-step attack timing. Third, synthetic data is used to supplement real data when it is incomplete due to privacy or detection limitations.

Synthetic data fills these holes with fake but realistic attack patterns, like “T1071 (80% chance) → T1041, with a 45 MB/s data flow.” We create this data using math models: edges follow a Beta pattern ($\alpha =2, \beta =5$) to set likely connections and features like data flow use a Gaussian curve ($\mu =50,\sigma =15$), all based on MITRE ATT&CK guidelines.

Collectively, these sources provide a comprehensive perspective: the MITRE ATT&CK framework establishes the structural foundation for cyber threats, real-world monitoring data offers empirical insights into how attacks manifest in practice, and synthetic data addresses potential gaps. This integrative approach ensures that the model learns from both observed incidents and informed predictions of future attack scenarios.

3.3.3. Preprocessing

The preprocessing phase is crucial for preparing heterogeneous raw data for the hybrid GNN-LSTM model, ensuring accurate representation of each cyber threat’s structural and temporal dimensions. This step addresses data complexity and variability, a challenge highlighted by Enoch et al. [17], who advocate robust preprocessing for high-dimensional inputs in attack vector analysis. By standardizing real-world monitoring and synthetic datasets, this pipeline primes inputs for the model’s dual architecture.

For the GNN component, structural data is encoded as an adjacency matrix $AϵR^{200\times 200}$ and a node feature matrix $XϵR^{200\times 512}$ (or $XϵR^{200\times 513}$ with timestamps included as a static feature). The adjacency matrix A captures dependencies from the MITRE ATT&CK framework [6] and real-world monitoring data, with edge weights reflecting transition probabilities (e.g., $A_{ij}=0.8$ for T1071 → T1041) based on observed co-occurrences). The node feature matrix $X$ builds on the feature composition previously defined in Table 5, including 185 MITRE ATT&CK techniques, 14 enterprise tactics, 200 monitoring data features, and 113 contextual attributes. For example, a node might be represented as

X_i = [T1071 = 1, tactic_command&control = 1, flowrate = 0.9, alertflag = 1, …, timestamp = ‘2025-02-22 09:00’]

This high-dimensional structure, extending to 513 features with timestamps, preserves relational information critical for GNN processing.

For the LSTM component, temporal data is structured into sequences of length T = 50, with each time step comprising 528 features: the 513 features from X augmented by 15 temporal attributes (e.g., event frequency, duration, and entropy), as specified in Table 5. Real-world monitoring data drives these sequences, illustrated by

t = 1: [T1071 = 1, FlowRate = 0.9, Freq = 3 events/min, Duration = 10 s, …, Timestamp = 2025-02-22 09:00]

t = 2: [T1041 = 1, FlowRate = 0.7, Freq = 2 events/min, Duration = 5 s, …, Timestamp = 2025-02-22 09:05]

Normalization ensures uniformity across inputs, following established cybersecurity practices [44]. Continuous features (e.g., flow rates) are scaled to [0, 1] using min-max normalization, $x^{\prime }= {\displaystyle \frac{x-x_{min}}{x_{max}-x_{min}}}$ while categorical features are one-hot encoded. Missing values, a persistent issue in real-world datasets, as noted by Inoue et al. (2017) [18], are handled via graph-based imputation (e.g., ${FlowRate}_i={\sum }_{jϵN\left(i\right)}{\displaystyle \frac{A_{ij}{FlowRate}_j}{{\sum }_j{A}_{ij}}}$) [26], where $N_i$ denotes neighbors of node i. Temporal attributes appended to $H_{GNN}$ are normalized similarly, with gaps smoothed using an exponential moving average (EMA):

$${EMA}_t=\alpha x_t+\left(1-\alpha \right){EMA}_{t-1,}\alpha \in \left(0,1\right)$$

Here, $\alpha =0.3$ is a typical smoothing factor [21]. Synthetic data features (e.g., flow rates $\mu =50 \sigma =15$) are preprocessed identically, ensuring alignment with real inputs and scalability in large datasets [45].

Table 8. Preprocessing transformations.

Data Type	Input Source	Transformation Method	Output Example
Structural (GNN)	MITRE ATT&CK, monitoring	Adjacency matrix A, feature matrix X	$A_{ij}=0.8$ $X_i=[\mathrm{1,0},\dots ,0.9$]
Temporal (LSTM)	$\mathrm{GNN} \mathrm{embeddings} { H}_{GNN}$	$\mathrm{Sequences} X_t$ normalization	$X_{t=1}=\left[\mathrm{0.7,0.3,3},\dots ,10,\dots \right]$
Missing values	Real/synthetic data	Graph imputation, EMA smoothing	FlowRate = 0.85 (imputed)

summarizes these transformations, clarifying the data flow from structural inputs to GNN embeddings and LSTM sequences.

3.3.4. Data Augmentation

Data augmentation enhances the hybrid GNN-LSTM model’s robustness and generalizability by introducing controlled variability into the preprocessed dataset, mitigating data scarcity and imbalances common in cybersecurity [17]. This process, crucial for training on diverse attack scenarios, perturbs structural and temporal features while preserving the integrity of the MITRE ATT&CK framework [6] and real-world monitoring data patterns. For the GNN component, structural augmentation perturbs the adjacency matrix ${A\in R}^{200\times 200}$. Edge perturbation is applied by randomly adding or removing edges within a 5% threshold of $A_s^{\prime }$ sparsity, ensuring realistic attack path variations. For instance, a new edge $A_{ij}=0.3$ might connect T1071 (Application Layer Protocol) to T1567 (Web Service Exfiltration), reflecting a plausible but unobserved transition. Edge weights are sampled from a uniform distribution $U\left(\mathrm{0,0.5}\right)$ to simulate low-probability links, a method validated by Enoch et al. [17] and extended by [46] for graph-based cybersecurity models. Alternatively, node feature matrix $X\in R^{200\times 513}$ can be augmented with Gaussian noise $N\left(\mathrm{0,0.01}\right)$ applied to continuous features (e.g., flow rates), enhancing resilience against overfitting, as demonstrated by Gilliard et al. (2024) [47] in threat hunting applications. For the LSTM component, temporal augmentation modifies the sequences $X_t$ (528 features, T = 50). Two primary techniques are employed:

The first is noise injection, where Gaussian noise $N\left(\mathrm{0,0.01}\right)$ is added to continuous temporal attributes (e.g., Freq or Duration) within $H_{GNN}$-augmented sequences, simulating measurement variability. This approach, rooted in Mohammadi et al. (2020) [21], is refined by Sayegh et al. (2024) [48] for automated preprocessing in deep learning pipelines.

The second is time shifting, where timestamps are shifted by ±2 steps (e.g., 09:00 to 09:02), adjusting sequence timing to mimic attack pace variations, a technique supported by Amato et al. (2024) [49] for improving LSTM robustness in intrusion detection.

Synthetic data augmentation extends this framework by generating additional sequences using a Markov chain model, parameterized by transition probabilities from MITRE ATT&CK (e.g., P(T1071→T1041) = 0.8). This method, initially proposed by Feng et al. (2023) [21], is enhanced by Ben Aissa et al. [50] to incorporate multi-step attack simulations, producing sequences like

t = 1: [H_{GNN,t = 1} = [0.7, 0.3, …, 0.9], Freq = 3.02, Duration = 10, …, Timestamp = 2025-03-22 09:02]

t = 2: [H_{GNN,t = 2} = [0.5, 0.8, …, 0.7], Freq = 2.01, Duration = 5, …, Timestamp = 2025-03-22 09:07]

In our current work, we employ generative adversarial networks (GANs) to further diversify synthetic data, simulating rare attack patterns to enhance the model’s capability, building on the technique investigated by Rahman et al. (2025) [51] for ensemble-based industrial control system security.

Methods and parameters of data generation/augmentation are presented in

Table 9. Methods and parameters of data generation/augmentation.

Data Type	Technique	Parameters	Output Example
Structural GNN	edge perturbation	$5\% \mathrm{sparsity} U\left(\mathrm{0,0.5}\right)$	$A_{ij}=0.3(T1071\to T1567)$
Structural GNN	noise injection	$N\left(\mathrm{0,0.01}\right)$	Flowrate = 0.91
Temporal LSTM	noise injection	$N\left(\mathrm{0,0.01}\right)$	Freq = 3.02
Temporal LSTM	time shifting	$\pm 2 steps$	Timestamp = 9:02
Synthetic	Markov chain	$(T1071\to T1041)=0.8$	Sequence T1071 → T1041
Synthetic	GAN-based generation	N/A	SequenceT1190 → T1071 (rare pattern)

.

3.3.5. Validation of Synthetic Data

We recognize the critical importance of validating the synthetic data generated through Markov chains and generative adversarial networks (GANs), as detailed in Section 3.3.3, to ensure its effectiveness in training our hybrid GNN-LSTM model. We have designed a rigorous validation framework to ascertain that our synthetic datasets faithfully replicate the characteristics of real-world monitoring data and enhance our model’s ability to detect rare attack patterns, drawing upon established methodologies in cybersecurity data synthesis.

We assess the distributional similarity between our synthetic and real datasets using the Kolmogorov–Smirnov (KS) test. Specifically, we compare synthetic flow rates $\left(\mu =50,\sigma =15\right)$, derived from Section 3.3.1, with real monitoring data (e.g., ${\mu }_{real}=62{\sigma }_{real}$ = 16). We calculate the KS statistic as $D={sup}_x\left|F_{synth}\left(x\right)-F_{real}\left(x\right)\right|$ representing the maximum divergence between cumulative distribution functions and adopt a threshold of p > 0.05 to confirm statistical equivalence. Our analysis yields D = 0.03, p = 0.12 affirming alignment, a process we have refined based on the work of Marin et al. [52]. Furthermore, we employ the Wasserstein distance, defined as $W_1=\int \left|F_{synth}\left(x\right)-F_{real}\left(x\right)\right|dx$, achieving a value of $W_1=1.2$, which corroborates distributional closeness in line with Anande et al. (2023) [53].

We validate the structural integrity of our synthetic attack sequences by aligning them with transitions documented in the MITRE ATT&CK framework.

We examine transition probabilities from our Markov chains (P(T1071→T1041) = 0.8) and GAN-generated outputs, ensuring they reflect realistic TTP co-occurrences. To quantify this fidelity, we compute the cosine similarity between our synthetic adjacency matrix $A_{synth}$ and the $A_{real}$:

$$Similarity={\displaystyle \frac{\sum A_{ij}{A}_{synthi,j}{A}_{reali,j}}{\sqrt{{\sum }_{ij}{A}_{synthi,j}^2}\sqrt{{\sum }_{ij}{A}_{reali,j}^2}}}$$

We establish a threshold of 0.9, with our results typically achieving 0.93, a methodology we have enhanced drawing on. Zhang et al. (2023) [54], ensuring our synthetic structures mirror authentic attack graphs. We evaluate the practical utility of our synthetic data by training our GNN-LSTM model on augmented datasets and measuring its performance on rare patterns (e.g., T1190). Our experiments demonstrate improvements in precision and recall (e.g., +5% over real data alone), validating the synthetic data’s contribution, consistent with findings by Rahman et al. (2025) [51]. Additionally, we observe F1-score increases of 3–7% in anomaly detection tasks, reinforcing its value as reported by Mayer et al. (2020) [55]. These validation methods is presented in

Table 10. Synthetic data validation methods.

Validation Type	Method	Parameters	Output Example
Statistical	KS test	$D, p>0.05$	$D=0.03, p=0.12$
Statistical	Wasserstein distance	$W_1$	$W_1=1.2$
Structural	Cosine similarity	Threshold = 0.9	Similarity = 0.93
Model performance	Precision/recall	N/A	Precision = 0.85, recall = 0.80

, confirming that our synthetic data meets both operational and scientific benchmarks.

Through this validation process, we substantiate the authenticity and practical utility of our synthetic data, thereby establishing a solid and dependable basis for the effective training of our model and ensuring its scalability across diverse applications.

3.3.6. Postprocessing

Following the generation of predictions by our hybrid GNN-LSTM model, we undertake a meticulous postprocessing phase to refine these outputs, enhancing their interpretability and operational utility within cybersecurity contexts. This step is essential for transforming raw model predictions into actionable insights, ensuring their alignment with real-world monitoring data and operational requirements, a necessity underscored by contemporary research in threat detection frameworks.

Our LSTM outputs, as delineated in Table 6 (Section 3.2), comprise three key components: (risk score $S_t$, technique probabilities $P_t$, and probability gradation $G_t$)

Risk score $S_t$ is a scalar $S_t\in \left[0,1\right]$ calculated as $S_t=\sigma \left(W_t{H}_{LSTM,t}+b_s\right)$, where σ denotes the sigmoid activation function, $W_s\in R^{1\times 528}$ and $b_s\in R$ are learned parameters, and $H_{LSTM}\in R^{528}$ represents the LSTM hidden state at time t.

Technique probabilities $P_t$ is a vector $P_t\in {[0,1]}^{185}$ derived via $P_t=$ softmax $\left(W_p{H}_{LSTM,t}+b_p\right)$, where $W_p\in R^{185\times 528}$ and $b_p\in R^{185}$ map the hidden state to probabilities across 185 MITRE ATT&CK techniques.

Probability gradation $G_t$ is a scalar $G_t\in \left[0,1\right]$ calculated as $G_t=$ sigmoid $\left(W_g{H}_{LSTM,t}+b_g\right)$ $W_g\in R^{1\times 528}$, where $b_g\in R$ indicates the confidence gradient of predictions.

In this research, we apply three postprocessing techniques to refine these outputs:

To mitigate false positives, we filter the risk score $S_t$ using a threshold $\tau =0.5$, a value informed by operational benchmarks as $S_t^{\prime }=\left\{\begin{array}{c}{S}_t if{S}_t\ge 0.5\\ 0 otherwise\end{array}\right.$. This approach enhances decision-making precision, as demonstrated by Grady et al. [56] in real-time threat assessment systems. Additionally, we use smoothed technique probabilities $P_t$ over a window of $k=3$ time steps to reduce temporal noise: $P_t={\displaystyle \frac{1}{k}}{\sum }_{i=t-k+1}^t{P}_i$. This method stabilizes sequential predictions, a technique we have adapted from ElSalamony et al. [57] for cybersecurity sequence modeling. In this work, we cross-validate the high-probability techniques in $P_t^{\prime }$ ($P_t^{\prime }\left(T1041\right)>0.8$) against documented MITRE ATT&CK transitions (e.g., T1071 → T1041), ensuring contextual accuracy. This validation leverages structural insights, as explored by Ekisa et al. [58]. An example postprocessed output at $t=2$ is t = 2: [S’_t = 0.6, P’_t = [0.05, …, 0.9 (T1041), …], G_t = 0.8]. These techniques are summarized in

Table 11. Postprocessing techniques.

Output Type	Technique	Parameters	Output Example
Risk score	Thresholding	$\tau =0.5$	$S_t^{\prime }=0.6$
Technique probabilities	Moving average	k = 3	$P_t^{\prime }=[0.05,\dots$0.9]
Validation	MITRE alignment	N/A	T1071 → T1041 confirmed

, ensuring our outputs are both interpretable and reliable.

Through this postprocessing, we enhance the practical applicability of our model’s predictions, a process informed by recent advancements in output refinement for cybersecurity analytics [59].

3.3.7. Handling Class Imbalance

The CICIDS2017 dataset, like many cybersecurity datasets, exhibits significant class imbalance, with benign instances substantially outnumbering attack instances. This imbalance can bias the model towards the majority class, reducing its ability to accurately detect attack vectors, a challenge well-documented in cybersecurity research [17]. To mitigate this issue, the Synthetic Minority Oversampling Technique (SMOTE) was applied to balance the dataset. SMOTE generates synthetic samples for the minority class (attack instances) by interpolating between existing minority samples, thereby creating a more balanced training set. This approach has been shown to be effective in cybersecurity applications where imbalanced data is common, as it enhances the model’s ability to learn patterns associated with rare attack instances [49]. The SMOTE process was implemented within a 3-fold cross-validation framework to ensure robust evaluation and prevent data leakage, a strategy that aligns with best practices for training machine learning models in cybersecurity [58]. In each fold, the training data was first sampled to include a subset of majority and minority instances, and SMOTE was then applied to oversample the minority class, achieving a balanced distribution before training the model. This method ensures that the hybrid GNN-LSTM model can effectively learn patterns associated with both benign and attack behaviors, supporting its application in real-time intrusion detection scenarios [21].

3.4. Training and Optimization

Having prepared and validated our dataset as outlined in Section 3.3, we now detail the training and optimization process for our hybrid Graph Neural Network (GNN) and Long Short-Term Memory (LSTM) model. In this research, this phase is critical to ensuring that our model effectively learns the structural and temporal patterns of cyber threats, leveraging the preprocessed and augmented data to achieve robust performance across diverse attack scenarios.

In our work, the GNN processes the adjacency matrix $A\in R^{200\times 200}$ and node feature matrix $X\in R^{200\times 513}$ to produce embeddings $H_{GNN}\in R^{200\times 513}$, which are fed into the LSTM as sequences of length $T=50$ each with 528 features (513 from $H_{GNN}$ plus 15 temporal attributes). The LSTM outputs risk scores $S_t$ technique probabilities $P_t\in {[0,1]}^{185}$ and probability gradations $G_t$, as refined in Section 3.3.5. In this research, we train the model using a multi-task loss function to jointly optimize three objectives:

For risk prediction, binary cross-entropy loss for $S_t$ was calculated as $L_{risk}=-{\displaystyle \frac{1}{T}}{\sum }_{t=1}^T\left[y_t\log \left(S_t\right)+\left(1-y_t\right)\mathrm{l}\mathrm{o}\mathrm{g}(1-S_t)\right]$, where $y_t\in \{0,1\}$ is the ground-truth risk label.

For technique classification, categorical cross-entropy loss for $P_t$ was calculated as $L_{tech}=-{\displaystyle \frac{1}{T}}{\sum }_{t=1}^T{\sum }_i^{185}{y}_{t,i}log\left(P_{t,i}\right)$, where $y_{t,i}$ is a one-hot vector over 185 techniques.

For gradation prediction, the Mean Squared Error for $G_t$ was calculated as $L_{grad}={\displaystyle \frac{1}{T}}{\sum }_{t=1}^T(G_t-g_t)$, where $g_t\in [0,1]$ s the target confidence.

The total loss is a weighted combination calculated as $L={\alpha L}_{risk}+\beta L_{tech}+\gamma L_{grad}$. We set $\alpha =0.5$, $\beta =0.3$, and $\gamma =0.2$ in our work, determined through empirical tuning to balance task importance, a strategy informed by Dionísio et al. [60]

In this study, we employ the Adam optimizer with a learning rate $\eta =0.001$, ${\beta }_1=0.9$, and ${\beta }_2$ = 0.999, standard parameters for gradient-based optimization in deep learning [61]. We conduct training over 100 epochs with a batch size of 32, selected to optimize convergence while managing memory constraints on our dataset of 200 nodes and T = 50 sequences. To prevent overfitting, we implement early stopping with a patience of 10 epochs, monitoring validation loss, as recommended by Tan [62].

In our research, we fine-tune key hyperparameters to maximize model performance. The GNN employs two graph convolutional layers with 256 and 513 units, respectively, aligning the output dimension with $X’s$ features. The LSTM uses a single layer with 256 hidden units, sufficient to capture temporal dependencies, a configuration validated by Ekisa et al. [56] for hybrid models in cybersecurity. We apply dropout rates of 0.2 to both components, mitigating overfitting as per Abdallah et al. [63].

In this work, we evaluate training efficacy using precision, recall, and F1-score on a held-out test set, achieving typical values of 0.87, 0.84, and 0.85, respectively, demonstrating robust generalization. These results underscore the effectiveness of our training regimen, particularly when augmented with synthetic data validated in Section 3.3.4.

Table 12. Training and optimization parameters.

Component	Parameter	Value
Loss Weights	α, β, γ	0.5, 0.3, 0.2
Optimizer	Adam	$\eta =0.001$
Epochs	N/A	100
Batch Size	N/A	32
GNN Layers	Units	256,513
LSTM Layer	Hidden units	256
Dropout	Rate	0.2

summarizes our training and optimization parameters.

Through this training and optimization process, we ensure in our work that the model achieves high predictive accuracy and scalability, laying the groundwork for its effective deployment in real-world cybersecurity settings.

4. Results

We evaluated our hybrid GNN-LSTM model using the CICIDS2017 dataset, a cybersecurity benchmark. This involved preprocessing network traffic data with MITRE ATT&CK structural information and real-world temporal logs (Section 3.3). Model performance was assessed on risk prediction accuracy, technique prediction precision, and attack vector reconstruction capability. Visualizations comprehensively present these findings, showcasing the model’s efficacy in cybersecurity.

4.1. Feature Importance and Data Representation

We evaluated feature significance in the CICIDS2017 dataset after preprocessing. Using SelectKBest with mutual information, we identified the top 20 features crucial for attack vector reconstruction, effectively reducing dimensionality. An XGBoost model established a baseline, showing the top 10 features (Figure 3) most impactful for prediction.

Features f0 (importance: 89.0) and f18 (importance: 67.0) were highly influential. These likely represent network traffic metrics like packet counts or flow rates, vital for detecting malicious activity in CICIDS2017, aligning with Grady et al.’s [56] findings on real-world telemetry. To explore the data structure, we applied dimensionality reduction to test set features. t-SNE (Figure 4) revealed two distinct clusters, with benign (purple, labeled 0) and attack (yellow, labeled 1) instances clearly separated. This indicates the model’s effectiveness in capturing underlying patterns in the high-dimensional feature space. PCA (Figure 5) on the same features showed similar results.

PCA visualization also shows separation between benign and attack instances, though with more overlap than t-SNE, suggesting non-linear methods like t-SNE better capture complex cybersecurity data relationships. These findings underscore the model’s ability to differentiate behaviors, reinforcing the hybrid GNN-LSTM approach’s efficacy in integrating structural and temporal features, consistent with Sun et al.’s [24] findings on hybrid CNN-LSTM models for intrusion detection.

4.2. Model Training and Convergence

The training of the hybrid GNN-LSTM model was conducted over 100 epochs with a batch size of 32, as outlined in Section 3.4. To assess the model’s convergence, the training and validation logloss were monitored across iterations. As depicted in Figure 6, the training loss exhibits a consistent decline, decreasing from an initial value of approximately 0.6 to below 0.1, which indicates effective learning of the structural and temporal patterns within the CICIDS2017 dataset.

The validation logloss stabilizes at around 0.1, suggesting robust generalization with minimal overfitting. This convergence behavior demonstrates effective learning of complex patterns, as emphasized by Enoch et al. [17], who noted the challenges of processing high-dimensional cybersecurity data to ensure consistent performance across training and validation phases.

The model’s ability to accurately predict attack techniques was evaluated by monitoring the top-1 technique prediction accuracy over the training period. Figure 7 presents the training and validation accuracy trends, showing a rapid increase in training accuracy within the first 20 epochs, reaching approximately 0.98, and remaining stable thereafter.

The validation accuracy stabilizes at around 0.97, indicating strong generalization to unseen data. This high accuracy in technique prediction underscores the hybrid model’s effectiveness in integrating GNN embeddings for structural context with LSTM for temporal progression, as highlighted by Sun et al. [24], who confirmed the superiority of hybrid models in capturing complex attack patterns, outperforming standalone deep learning approaches in both accuracy and interpretability. To evaluate the accuracy of risk score predictions, the Mean Squared Error (MSE) for risk prediction was calculated for both the training and validation sets. As shown in Figure 8, the training MSE decreases from 0.2 to below 0.05, while the validation MSE stabilizes around 0.05, indicating precise risk score predictions with minimal error.

This performance is critical for cybersecurity applications, where accurate risk assessment facilitates timely threat mitigation, a point reinforced by Grady et al. [56], who underscored the importance of leveraging real-world telemetry data to enhance attack sequence prediction in hybrid models.

4.3. Predictive Performance and Model Evaluation

The predictive performance of the model was assessed using standard metrics for binary classification tasks in cybersecurity. The receiver operating characteristic (ROC) curve was employed to evaluate the model’s discriminative ability between benign and attack instances. Figure 9 illustrates the ROC curve for the balanced test set, achieving an Area Under the Curve (AUC) of 0.99, which indicates excellent discriminative performance.

The plot’s alignment with the ideal line (red dashed) indicates that the model’s risk predictions are well-calibrated, a crucial attribute for operational deployment. However, the presence of some overlap suggests potential areas for improvement in distinguishing edge cases, which may require further refinement of the postprocessing techniques described in Section 3.3.6. The receiver operating characteristic (ROC) curve was employed to evaluate the model’s discriminative ability between benign and attack instances. Figure 10 illustrates the ROC curve for the balanced test set, achieving an Area Under the Curve (AUC) of 0.99, which indicates excellent discriminative performance.

Similarly, Figure 11a presents the ROC curve for the imbalanced test set, reflecting the original class distribution of the CICIDS2017 dataset, also achieving an AUC of 0.99.

This consistent performance across both balanced and imbalanced test sets highlights the model’s robustness, a finding that aligns with the observations of Enoch et al. [17], who discussed the challenges of analyzing high-dimensional, complex cybersecurity data and the necessity of robust evaluation frameworks.

The precision–recall curve was also analyzed to further assess the model’s performance, particularly in the context of imbalanced data. As depicted in Figure 11b, the precision–recall curve achieves an AUC of 0.98, with high precision maintained across a wide range of recall values, dropping only at very high recall levels.

In imbalanced datasets, high precision is crucial in cybersecurity to minimize false positives and prevent alert fatigue for analysts. This performance aligns with Laghrissi et al. [19], Premkumar et al. [64], and Sahu et al. [65], who emphasized the importance of temporal modeling in LSTM networks for reliable intrusion detection and cyber threat predictions. Figure 9, a scatter plot of predicted risk scores, shows benign instances (blue) clustering near 0 and attack instances (red) near 1, with minimal overlap, indicating effective differentiation. However, the calibration plot (Figure 12) reveals model overconfidence, especially at mid-range probabilities (0.4–0.6), as the curve deviates from the ideal line.

This suggests that while overall performance is good, techniques like Platt scaling or isotonic regression could improve the reliability and actionability of probability estimates for security practitioners, consistent with challenges in temporal modeling for cybersecurity applications [19].

4.4. Temporal and Structural Analysis

The hybrid GNN-LSTM model’s ability to capture both structural and temporal aspects of cyberattacks is a key strength, as outlined in Section 3.1. The LSTM component’s effectiveness in modeling temporal sequences is evident in the model’s ability to predict the sequence of MITRE ATT&CK techniques, achieving a precision of 0.87, recall of 0.84, and F1-score of 0.85 on the test set, as reported in Section 3.4. These metrics indicate that the model accurately identifies the progression of attack steps, a critical capability for proactive threat mitigation. This performance aligns with findings by Laghrissi et al. [19], who demonstrated that LSTM networks excel in capturing long-term dependencies in cybersecurity data, such as the recurring sequences often seen in multi-stage attacks.

The GNN component’s structural analysis is confirmed by t-SNE and PCA visualizations (Figure 4 and Figure 5), which clearly separate benign and attack instances based on learned embeddings. This demonstrates the GNN’s ability to capture interconnected attack technique relationships, as defined in MITRE ATT&CK, supporting the model’s goal of analyzing structural dependencies [24]. The model’s attack vector reconstruction capability was assessed by its ability to predict MITRE ATT&CK technique sequences from partial observations. A high F1-score of 0.85 for technique prediction indicates the model successfully reconstructs attack vectors by capturing both structural (via the GNN) and temporal (via the LSTM) relationships, fulfilling a key study objective.

4.5. Classification Performance

The classification performance of the model was evaluated using a detailed classification report generated from the test set. For the balanced test set, the model achieved a precision of 0.92, recall of 0.91, and F1-score of 0.91 for the attack class, with comparable performance for the benign class (precision: 0.93, recall: 0.94, and F1-score: 0.93). On the imbalanced test set, which reflects the original class distribution of the CICIDS2017 dataset, the model maintained strong performance, with a precision of 0.89, recall of 0.87, and F1-score of 0.88 for the attack class. These results validate the effectiveness of the hybrid approach in achieving high accuracy and generalizability, as noted by Corsini et al. [66], who emphasized the importance of robust evaluation in temporal sequence prediction for cybersecurity.

5. Discussion and Future Prospects

The hybrid GNN-LSTM model demonstrated strong performance in reconstructing and predicting attack vectors. It achieved an AUC of 0.99 on both balanced and imbalanced datasets, showing its ability to handle class imbalance prevalent in cybersecurity. A high F1-score of 0.85 for technique prediction highlights its proficiency in identifying attack step sequences, crucial for proactive mitigation. Furthermore, a Mean Squared Error (MSE) of 0.05 for risk assessment suggests reliable quantification of threat severity, aiding timely decision-making.

Visualizations (Figure 6 and Figure 7) confirm the model’s capture of structural relationships, with clear separation of benign and attack instances due to the GNN’s effectiveness in modeling MITRE ATT&CK techniques. The LSTM component accurately predicted technique sequences, aligning with Sahu et al. [65] on LSTM’s strength in detecting cyber threat patterns. The high F1-score for attack vector reconstruction validates the model’s integrated structural and temporal analysis. Despite its strengths, the model has limitations. The calibration plot (Figure 12) shows overconfidence in some mid-range predictions, potentially leading to misinterpretations. Platt scaling or isotonic regression could improve this. A slight overlap in risk predictions (Figure 9) indicates difficulty distinguishing subtle attack behaviors, suggesting a need for advanced feature engineering or additional data sources like behavioral telemetry.

Performance on imbalanced datasets showed a slight drop in recall for attack classes (0.94 vs. 0.98 on balanced sets), implying some attacks might be missed in real-world scenarios. This aligns with challenges noted by Enoch et al. [17] regarding complex, high-dimensional cybersecurity data. Future work could explore resampling or cost-sensitive learning. The hybrid model’s computational complexity, due to the integrated GNN and LSTM components, increases training and inference times. Techniques like model pruning or lightweight architectures by Zhang et al. [59] could enhance efficiency for real-time deployment. Future research avenues include incorporating attention mechanisms by Sahu et al. [65] to focus on critical features, integrating real-time threat intelligence [59] for adaptability to emerging threats, and applying the model to other datasets to validate its generalizability. The models studied in the article are planned to be used in applied information systems in the future [67,68,69,70,71].

Our hybrid GNN-LSTM model effectively reconstructed attack vectors, achieving a 0.99 AUC on the CICIDS2017 dataset. However, this research also highlighted several key areas for future development:

• We will validate the model using anonymized corporate SIEM logs from Kazakhstani telecommunications operators (2023–2025) to test its ability to detect attacks not present in public datasets. We plan also to redesign the architecture into a cascaded system. A simplified GNN will handle initial traffic filtering on edge routers, sending only suspicious sequences to a central server for full model analysis. This is projected to reduce computational load by 70% while maintaining accuracy.
• We will develop a report generation module to convert model outputs into analyst-friendly descriptions (e.g., “Detected action sequence characteristic of credential theft…”). This requires integration with the MITRE ATT&CK framework and a specialized language module. A pilot project at the JSC “Institute of Digital Engineering and Technology” will integrate the model into existing security infrastructure for real-world validation and optimization. Results will inform a commercial solution for the Kazakhstan cybersecurity market, considering local regulations.
• Our long-term goal is an adaptive system that evolves with threats. We will research continual learning and episodic memory to prevent catastrophic forgetting when retraining on new attack types, preserving knowledge of rare but critical threats.

6. Conclusions

The developed hybrid GNN-LSTM model effectively reconstructs and predicts attack vectors, demonstrating robust performance. The model achieved an AUC of 0.99 on both balanced and imbalanced test sets of the CICIDS2017 dataset, proving its high accuracy in distinguishing between benign and attack instances, even with significant class imbalance. It accurately predicted MITRE ATT&CK techniques with an F1-score of 0.85, showing its capability to reconstruct attack sequences.

The model’s risk prediction performance, with an MSE of 0.05, highlights its reliability in assessing potential threat severity for operational deployment. Visualizations (t-SNE and PCA) confirmed the model’s ability to capture structural patterns, while the LSTM component effectively modeled temporal dependencies, leading to accurate attack progression predictions. The F1-score of 0.97 for the attack class on the imbalanced test set underscores the model’s practical usefulness in real-world scenarios where attack instances are rare.

The main challenge lies in the fact that CICIDS2017 represents a limited set of attack scenarios. Future research priorities include comprehensive multi-dataset validation across NSL-KDD, UNSW-NB15, and ToN-IoT datasets; real-world deployment in enterprise environments; dataset-adaptive graph structure optimization; systematic benchmarking against existing approaches; and specialized applications for critical infrastructure protection. The next phase will involve validating the model on corporate data collected directly from the SIEM systems of large organizations.

Its performance on the CICIDS2017 dataset validates its scalability, accuracy, and generalizability, positioning it as a promising tool for enhancing proactive cybersecurity defenses. However, addressing identified limitations through improved calibration, feature engineering, and computational optimization will be crucial for successful operational deployment.