
Academic Journal of Computing & Information Science, 2026, 9(4); doi: 10.25236/AJCIS.2026.090409.

Design and Implementation of a Knowledge-Graph-Based Attack Traceback System with Heuristic Pipeline Optimization

Author(s)

Wansheng Wu

Corresponding Author:
Wansheng Wu
Affiliation(s)

School of Cyberspace Security, Beijing University of Posts and Telecommunications, Beijing, China

Abstract

The proliferation of sophisticated cyber attacks has driven Security Operations Centers (SOCs) to collect massive volumes of telemetry logs. However, the sheer density of ambient environmental noise makes automated attack traceback increasingly intractable. In this paper, we design and implement a Knowledge-Graph-Based Attack Traceback System that automatically ingests, correlates, and extracts high-confidence attack sequences from unstructured alerts. The core contribution of our system is a novel pipeline optimization approach. We integrate a Cyber Kill Chain Finite State Automaton (FSA) with a Multi-Dimensional Heuristic Pruning module to mitigate the combinatorial explosion of graph traversal paths inherent in property graph databases. By scoring paths on global token overlap, event severity, and temporal compactness, the system efficiently filters out tens of thousands of deceptive background logs before they exhaust the context windows of downstream Large Language Models (LLMs). Extensive system stress-testing demonstrates that under extreme conditions, where ambient noise outnumbers legitimate signals by 50 to 1 and malicious agents leverage Low-and-Slow latency evasion, our optimized pipeline isolates the true threat sequence with 79.0% to 89.8% retention accuracy, at execution latencies that significantly outperform traditional graph traversal baselines. This scalable architecture reliably delivers highly curated attack intelligence, making the deployment of LLM-empowered agents in enterprise security feasible and cost-effective.
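The pipeline sketched above (a kill chain FSA that constrains how a path may grow, plus a heuristic score that prunes the vast majority of candidate paths before anything reaches an LLM) can be illustrated end to end. The following is an added example written for this page; it is not the paper's code, scoring formula, or data. The concrete scoring terms, their weights, the 72-hour normalisation window, the beam width, and the sample alerts (a planted low-and-slow chain on host `ws-17`, ids 1 to 5, buried in 250 hourly background alerts, roughly the 50:1 noise ratio the abstract mentions) are all assumptions constructed for the demonstration.

```python
"""Added illustration: kill chain FSA + heuristic beam pruning over alerts.
Formulas, weights and sample data are constructed assumptions, not the paper's."""
from collections import Counter
from dataclasses import dataclass

# Kill chain stages in order; the FSA only lets a path advance along this order.
STAGES = ["reconnaissance", "delivery", "exploitation", "installation",
          "command_and_control", "actions_on_objectives"]
STAGE_INDEX = {s: i for i, s in enumerate(STAGES)}
WINDOW = 72 * 3600              # assumed normalisation window for compactness (seconds)
WEIGHTS = (0.4, 0.2, 0.2, 0.2)  # assumed: token overlap, severity, compactness, stage coverage


@dataclass(frozen=True)
class Alert:
    id: int
    ts: float            # event time in seconds (constructed)
    severity: int        # 1 (informational) .. 10 (critical)
    stage: str           # kill chain stage the detection rule maps to
    tokens: frozenset    # entity tokens: host, user, process, IP, file ...


def fsa_accepts(path, nxt):
    """Kill chain FSA transition: the next alert must be later in time and
    must not regress to an earlier kill chain stage."""
    if not path:
        return True
    last = path[-1]
    return nxt.ts > last.ts and STAGE_INDEX[nxt.stage] >= STAGE_INDEX[last.stage]


def score_path(path):
    """Heuristic path score in [0, 1]. Each term is an assumed formalisation:
    - global token overlap: share of alerts carrying the path's most common
      entity token (one entity should thread the whole path)
    - severity: mean severity / 10
    - temporal compactness: 1 / (1 + mean inter-alert gap / WINDOW)
    - stage coverage: distinct kill chain stages / len(STAGES)"""
    if len(path) < 2:
        return 0.0
    counts = Counter(tok for a in path for tok in a.tokens)
    overlap = counts.most_common(1)[0][1] / len(path)
    severity = sum(a.severity for a in path) / (10 * len(path))
    gaps = [b.ts - a.ts for a, b in zip(path, path[1:])]
    compactness = 1.0 / (1.0 + (sum(gaps) / len(gaps)) / WINDOW)
    coverage = len({a.stage for a in path}) / len(STAGES)
    w = WEIGHTS
    return w[0] * overlap + w[1] * severity + w[2] * compactness + w[3] * coverage


def traceback(alerts, beam=20):
    """Beam search over alert paths: the FSA gates every extension and the
    heuristic score keeps only the top `beam` partial paths per round, so the
    search never enumerates the full set of traversal paths. Returns the ids
    of the best-scoring path seen."""
    alerts = sorted(alerts, key=lambda a: a.ts)
    beams = [(a,) for a in alerts]          # any alert may open a path
    best, best_score = None, 0.0
    while beams:
        extended = [path + (nxt,) for path in beams for nxt in alerts
                    if fsa_accepts(path, nxt)]
        if not extended:
            break
        extended.sort(key=score_path, reverse=True)
        top_score = score_path(extended[0])
        if top_score > best_score:
            best, best_score = extended[0], top_score
        beams = extended[:beam]             # heuristic pruning step
    return [a.id for a in best] if best else []


def build_alerts():
    """Constructed sample telemetry (not real data): a planted low-and-slow
    chain on host ws-17 (ids 1-5, 48 hours end to end) buried in 250 hourly
    background alerts that cycle through hosts and kill chain stages."""
    chain = [
        Alert(1, 0,      3, "reconnaissance",        frozenset({"ws-17", "jdoe", "203.0.113.5"})),
        Alert(2, 21600,  5, "delivery",              frozenset({"ws-17", "jdoe", "invoice.docm"})),
        Alert(3, 72000,  8, "exploitation",          frozenset({"ws-17", "winword.exe", "powershell.exe"})),
        Alert(4, 129600, 9, "command_and_control",   frozenset({"ws-17", "203.0.113.5"})),
        Alert(5, 172800, 9, "actions_on_objectives", frozenset({"ws-17", "jdoe", "fileserver-01"})),
    ]
    noise = [Alert(100 + i, 900 + i * 3600, 1 + i % 2, STAGES[i % 6],
                   frozenset({f"host-{i % 10}", f"svc-{i}"})) for i in range(250)]
    return chain + noise


if __name__ == "__main__":
    print("retained sequence:", traceback(build_alerts()))  # ids 1-5
```

The overlap term is what defends the low-and-slow case: the planted chain is spread over two days, so compactness alone would favour a tighter sub-chain, but a single entity (`ws-17`) threads every alert and the stage-coverage term rewards the complete chain over any fragment of it. Changing the weights or the window is the easiest way to see how each dimension trades off against the others.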

Keywords

Threat Hunting, System Architecture, Alert Correlation, Knowledge Graph

Cite This Paper

Wansheng Wu. Design and Implementation of a Knowledge-Graph-Based Attack Traceback System with Heuristic Pipeline Optimization. Academic Journal of Computing & Information Science (2026), Vol. 9, Issue 4: 70-76. https://doi.org/10.25236/AJCIS.2026.090409.
