Discovering attacker profiles using process mining and the MITRE ATT&CK taxonomy

  • Marcelo Rodríguez Universidad de la República
  • Gustavo Betarte Universidad de la República
  • Daniel Galegari Universidad de la República


Understanding attackers’ behavior is crucial to respond to cyberattacks effectively. Process Mining (PM) is a valuable tool that analyzes runtime events from information systems to discover coordinated tasks to achieve an objective. Our previous research explored using PM to profile attackers, specifically in analyzing low-level system processes’ event logs to uncover automated attackers’ behavior. In this article, we propose a method that combines PM with the malicious actor behavior taxonomies of the MITRE ATT&CK Framework to discover process models of observed attack strategies. These taxonomies raise the level of abstraction for attacker profiling. We demonstrate this method using a real dataset focused on human behavior, which provides valuable guidelines for future work and enables the development of more effective and adaptable security strategies to combat current cyber threats.

Palavras-chave: threat intelligence, process mining, attacker behavior, Cybersecurity, MITRE ATT&CK Framework
RODRÍGUEZ, Marcelo; BETARTE, Gustavo; GALEGARI, Daniel. Discovering attacker profiles using process mining and the MITRE ATT&CK taxonomy. In: LATIN-AMERICAN SYMPOSIUM ON DEPENDABLE COMPUTING (LADC), 12. , 2023, La Paz/Bolívia. Anais [...]. Porto Alegre: Sociedade Brasileira de Computação, 2023 . p. 146–155.