🤖 AI Summary
Network threat attribution faces two key challenges: low precision and high false-positive rates in existing methods, and the fragmentation of multi-source heterogeneous threat intelligence, which hinders efficient organization and retrieval. To address these, we propose a non-parametric attack pattern mining method that automatically extracts semantically coherent and interpretable attack behavior patterns from large-scale threat intelligence texts, constructing a structured attack pattern dataset. Our approach integrates natural language processing, lightweight machine learning, and interactive visualization techniques, implemented within the Cyber-Attack Pattern Explorer (CAPE) platform. Experimental results demonstrate that our method significantly improves attribution accuracy, reduces false positives, and exhibits strong robustness and interpretability in multi-source intelligence scenarios. It provides security analysts with efficient, reliable, and explainable support for cyber threat attribution.
📝 Abstract
With the ever-changing landscape of cyber threats, identifying their origin has become paramount, surpassing the simple task of attack classification. Cyber threat attribution gives security analysts the insights they need to devise effective threat mitigation strategies. Such strategies empower enterprises to proactively detect and defend against future cyber-attacks. However, existing approaches exhibit limitations in accurately identifying threat actors, leading to low precision and a significant occurrence of false positives. Machine learning offers the potential to automate certain aspects of cyber threat attribution. The distributed nature of information regarding cyber threat actors and their intricate attack methodologies has hindered substantial progress in this domain. Cybersecurity analysts deal with an ever-expanding collection of cyber threat intelligence documents. While these documents hold valuable insights, their sheer volume challenges efficient organization and retrieval of pertinent information. To assist cybersecurity analyst activities, we propose a machine learning based approach featuring a visually interactive analytics tool named the Cyber-Attack Pattern Explorer (CAPE), designed to facilitate efficient information discovery by employing interactive visualization and mining techniques. In the proposed system, a non-parametric mining technique is used to create a dataset for identifying the attack patterns within cyber threat intelligence documents. These attack patterns align semantically with commonly employed themes, ensuring ease of interpretation. The extracted dataset is used for training the proposed machine learning algorithms, which enable the attribution of cyber threats to their respective actors.