What problem does this paper attempt to address?

The problems that this paper attempts to solve are: in the Endpoint Detection and Response (EDR) system, how to reduce false positives, improve response speed and reduce the system's attack surface by real - time prediction and interpretation of the attacker's next move after exploiting vulnerabilities. Specifically, the paper aims to solve the following four main problems: 1. **Insufficient APT attack samples**: Due to the complexity of APT attacks, it is very time - consuming to simulate different attack techniques and collect corresponding logs. 2. **Semantic gap**: There is a large semantic gap between CTI reports (natural language descriptions) and low - level system logs, making it difficult to automatically extract accurate Attack Scenario Graphs (ASG). 3. **Difficulty in real - time attack prediction**: Relying on the experience of security analysts to judge the attacker's next move is not accurate enough, and the diversity of attack techniques increases the difficulty of decision - making. 4. **Lack of technical - level explanations for attack interpretations**: The attack prediction results based on learning models usually lack technical - level explanations, making it difficult for analysts to directly use these prediction results to take countermeasures. To solve these problems, the authors propose a real - time attack prediction and interpretation system named EFI (Endpoint Forecasting and Interpreting). The main contributions of this system include: - **Realize automated real - time attack prediction and interpretation for the first time**, which can avoid false positives in existing EDR systems and significantly reduce the system's attack surface without affecting normal operations. - **Construct an ASG extraction module**, which can massively abstract ASG from CTI reports through a heuristic natural language processing (NLP) pipeline to bridge the semantic gap. - **Construct an AFG generation module**, which combines a serialized graph prediction model to achieve sub - graph prediction while capturing node attributes, edge attributes and the time sequence of edges to maximize prediction accuracy. - **Construct ATG based on atomic red team techniques** and propose an innovative graph alignment plus algorithm to provide technical - level explanations for AFG, facilitating EDR systems to strengthen defenses in advance. ### Formula presentation 1. **Similarity calculation formula**: \[ \text{Sim}(N, M)=\frac{\text{sim}(N_{\text{name}}, M_{\text{name}})-|N_{\text{index}} - M_{\text{index}}|}{W_d}-\frac{|N_{\text{type}} - M_{\text{type}}|}{W_t} \] where \( N \) and \( M \) are two entities, and \( W_d \) and \( W_t \) are preset weights. 2. **Probability distribution of the graph prediction model**: \[ p(S_\pi, C_\pi)=\prod_{i = 1}^{n + 1}p(C_\pi^i|S_\pi^{<i}, C_\pi^{<i})p(S_\pi^i|C_\pi^i, S_\pi^{<i}, C_\pi^{<i}) \] where \( S_\pi \) and \( C_\pi \) represent the adjacency vectors and types of nodes respectively, and \( \pi \) represents the permutation order of nodes. Through these methods and techniques, the EFI system can predict the attacker's next move before the attack occurs and provide detailed technical explanations, thus helping enterprises and security analysts respond more effectively to APT attacks.