The cybersecurity threat landscape in 2024-2025 has evolved with alarming velocity and sophistication, driven by adversaries who increasingly leverage artificial intelligence, automation, and advanced persistent attack techniques to compromise critical infrastructure, steal intellectual property, and destabilize organizations. Cyber Threat Intelligence (CTI) has emerged as the strategic cornerstone of modern cybersecurity programs, transforming reactive incident response into proactive threat anticipation and adaptive defense. This presentation surveys recent advances in AI-driven CTI systems that automate threat detection, enable accurate adversary attribution, and facilitate dynamic security posture adaptation in response to evolving attack landscapes.
Traditional cybersecurity approaches centered on perimeter defense and signature-based detection have proven inadequate against contemporary threat actors who employ sophisticated techniques to evade conventional controls. Nation-state advanced persistent threat (APT) groups demonstrate multi-year patience in reconnaissance and lateral movement, carefully avoiding detection while establishing persistent footholds. Cybercriminal syndicates operate ransomware-as-a-service platforms with professional customer support and guaranteed service level agreements. Hacktivists coordinate distributed denial-of-service campaigns leveraging botnets spanning millions of compromised IoT devices. The sheer volume and velocity of attack traffic overwhelm manual analysis—security operations centers receive tens of thousands of daily alerts, the vast majority representing false positives that distract analysts from genuine threats.
Cyber Threat Intelligence addresses these challenges through systematic collection, analysis, and dissemination of actionable information about threat actors, their tactics, techniques, and procedures (TTPs), infrastructure, and targeting patterns. Strategic CTI informs long-term security investments and risk prioritization based on threat landscape evolution and adversary capabilities. Operational CTI supports security operations through indicators of compromise (IOCs) that enable automated detection and response. Tactical CTI provides detailed technical analysis of specific malware samples, exploit techniques, and attack infrastructure supporting incident investigation and threat hunting.
Recent advances in AI and machine learning have revolutionized CTI capabilities across the intelligence lifecycle. Automated data collection systems continuously ingest information from diverse sources: open-source intelligence (OSINT) including security blogs, vulnerability databases, and dark web forums; commercial threat intelligence feeds providing curated IOCs and adversary profiles; internal telemetry from security sensors deployed across enterprise networks; and collaborative sharing platforms enabling information exchange within industry consortia and government partnerships. Natural language processing techniques extract structured intelligence from unstructured text sources, identifying mentioned threat actors, malware families, targeted industries, and attack methodologies with accuracy exceeding ninety-five percent.
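As an added illustration of the extraction step described above (not code from the presentation), the following Python sketch pulls structured indicators out of a defanged report excerpt. Real pipelines use NLP models for actor and malware-family mentions; this example covers the deterministic part, refanging `hxxp://` and `[.]` notation and separating internal from external addresses. The report text, the SHA-256 value and all hosts are constructed samples.

```python
import re
import ipaddress
from urllib.parse import urlparse

# Constructed sample of unstructured report text (not taken from any real report).
SAMPLE_REPORT = """
The campaign staged payloads at hxxp://update-check[.]example[.]net/dl/agent.bin
and beaconed to 203[.]0[.]113[.]45 over TCP/8443. The dropper
(SHA256: 0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef)
also resolved cdn-static.example[.]org. Internal host 10.0.0.7 was patient zero.
Contact soc@example.com for the full IOC list.
"""

# Common defanging conventions used by analysts so that indicators are not clickable.
DEFANG_PATTERNS = [
    (re.compile(r"hxxps?://", re.I),
     lambda m: "https://" if m.group(0).lower().startswith("hxxps") else "http://"),
    (re.compile(r"\[\.\]|\(\.\)|\[dot\]", re.I), lambda m: "."),
]

IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
URL_RE = re.compile(r"\bhttps?://[^\s\"'<>]+", re.I)
DOMAIN_RE = re.compile(r"\b(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,}\b", re.I)
SHA256_RE = re.compile(r"\b[a-f0-9]{64}\b", re.I)
EMAIL_RE = re.compile(r"\b[\w.+-]+@(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.I)

# RFC 1918 ranges: addresses here are the organisation's own hosts, not adversary infrastructure.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def refang(text: str) -> str:
    """Undo defanging so that standard regexes and parsers work on the text."""
    for pattern, repl in DEFANG_PATTERNS:
        text = pattern.sub(repl, text)
    return text


def extract_iocs(text: str) -> dict:
    """Return sorted lists of indicators found in free text, keyed by indicator type."""
    clean = refang(text)
    urls = set(URL_RE.findall(clean))
    emails = {e.lower() for e in EMAIL_RE.findall(clean)}

    internal, external = set(), set()
    for candidate in IPV4_RE.findall(clean):
        try:
            addr = ipaddress.ip_address(candidate)
        except ValueError:          # e.g. 999.1.1.1 matches the regex but is not an address
            continue
        (internal if any(addr in net for net in INTERNAL_NETS) else external).add(candidate)

    # Strip URLs and e-mail addresses first so their host parts are not double-counted as bare domains.
    residue = EMAIL_RE.sub(" ", URL_RE.sub(" ", clean))
    domains = {d.lower() for d in DOMAIN_RE.findall(residue)}
    domains |= {urlparse(u).hostname for u in urls if urlparse(u).hostname}

    return {
        "urls": sorted(urls),
        "domains": sorted(domains),
        "ipv4_external": sorted(external),
        "ipv4_internal": sorted(internal),
        "sha256": sorted(h.lower() for h in SHA256_RE.findall(clean)),
        "emails": sorted(emails),
    }


if __name__ == "__main__":
    for kind, values in extract_iocs(SAMPLE_REPORT).items():
        print(f"{kind}: {values}")
```

Keeping internal addresses in a separate bucket matters in practice: a report's "patient zero" host is evidence for the investigation, but pushing it into a block list as if it were adversary infrastructure would be a self-inflicted outage.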
Machine learning-driven threat detection employs supervised classification to identify malicious network traffic, user behavior analytics to detect insider threats and account compromise, and unsupervised anomaly detection to discover novel attack patterns absent from training data. Deep learning architectures analyze complex data modalities including network packet captures, system logs, and executable binaries to detect sophisticated evasion techniques. Graph neural networks model relationships between entities—domains, IP addresses, file hashes, malware families, threat actors—enabling link prediction that identifies previously unknown infrastructure belonging to known adversary groups and community detection that clusters related attack campaigns. Recent evaluation demonstrates these AI-powered systems achieve detection rates exceeding traditional signature-based approaches by thirty to forty percentage points while reducing false positive rates by factors of three to five.
Adversary attribution—determining which threat actor or threat group conducted a specific attack—constitutes one of CTI's most challenging problems. Sophisticated adversaries deliberately obfuscate their activities through false flag operations that plant misleading artifacts, infrastructure sharing that commingles distinct groups' operations, and toolset proliferation where malware developed by one group is adopted by others. Recent machine learning approaches to attribution analyze behavioral fingerprints derived from code similarity metrics, operational patterns including targeting preferences and time-of-day activity, and infrastructure reuse detectable through historical domain registration and hosting patterns. Ensemble methods combining multiple attribution signals achieve accuracy rates of seventy to eighty percent for known threat actors, though novel groups remain challenging to attribute with confidence.
Automated threat hunting employs CTI to proactively search enterprise environments for evidence of compromise that evaded initial detection. Hypothesis-driven hunting begins with threat intelligence about specific adversary TTPs and searches for corresponding artifacts. Baseline-driven hunting compares current system state against historical norms to identify anomalies indicating attacker presence. Model-driven hunting applies machine learning classifiers trained on previous incidents to new data. Recent platforms integrate these approaches into unified workflows where AI systems generate hunting hypotheses, execute automated searches across distributed data sources, and prioritize findings for expert analyst investigation. Deployment case studies demonstrate discovery of persistent compromises that eluded detection for months, enabling remediation before data exfiltration or destructive actions.
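The baseline-driven hunting approach described above can be shown with a small Python example (added here, not code from the presentation). It builds a per-user profile of normal source hosts, logon hours and executed processes from a historical window, then scores current events by how many baseline dimensions they violate. The events are constructed samples; a real deployment would build the profile from weeks of telemetry and use a proper time window rather than the one-hour tolerance used here.

```python
from collections import defaultdict
from datetime import datetime

# Constructed historical events: (timestamp, user, source host, process). Not real telemetry.
BASELINE_EVENTS = [
    ("2024-03-04T09:12:00", "alice", "ws-alice", "outlook.exe"),
    ("2024-03-05T10:03:00", "alice", "ws-alice", "excel.exe"),
    ("2024-03-06T17:45:00", "alice", "ws-alice", "outlook.exe"),
    ("2024-03-04T08:30:00", "bob", "ws-bob", "chrome.exe"),
    ("2024-03-05T14:15:00", "bob", "ws-bob", "chrome.exe"),
]

# Constructed events from the window being hunted.
CURRENT_EVENTS = [
    ("2024-03-11T09:40:00", "alice", "ws-alice", "outlook.exe"),
    ("2024-03-11T03:12:00", "alice", "srv-fileshare", "powershell.exe"),
    ("2024-03-11T14:05:00", "bob", "ws-bob", "chrome.exe"),
    ("2024-03-11T14:20:00", "svc_backup", "ws-bob", "rundll32.exe"),
]


def build_baseline(events):
    """Profile each user's historically observed hosts, active hours and processes."""
    profile = defaultdict(lambda: {"hosts": set(), "hours": set(), "procs": set()})
    for ts, user, host, proc in events:
        p = profile[user]
        p["hosts"].add(host)
        p["hours"].add(datetime.fromisoformat(ts).hour)
        p["procs"].add(proc)
    return dict(profile)


def _hour_is_usual(hour, baseline_hours, tolerance=1):
    # Treat activity within `tolerance` hours of any baseline hour as normal (wraps at midnight).
    return any(min(abs(hour - h), 24 - abs(hour - h)) <= tolerance for h in baseline_hours)


def hunt(current, profile):
    """Return findings ordered by score; score = number of baseline dimensions violated."""
    findings = []
    for ts, user, host, proc in current:
        reasons = []
        p = profile.get(user)
        if p is None:
            reasons.append("user absent from baseline")
        else:
            hour = datetime.fromisoformat(ts).hour
            if host not in p["hosts"]:
                reasons.append(f"new source host {host}")
            if not _hour_is_usual(hour, p["hours"]):
                reasons.append(f"activity at hour {hour:02d} outside baseline")
            if proc not in p["procs"]:
                reasons.append(f"new process {proc}")
        if reasons:
            findings.append({"timestamp": ts, "user": user, "host": host,
                             "process": proc, "score": len(reasons), "reasons": reasons})
    # Highest score first so the analyst queue starts with the strongest deviations.
    return sorted(findings, key=lambda f: f["score"], reverse=True)


if __name__ == "__main__":
    for f in hunt(CURRENT_EVENTS, build_baseline(BASELINE_EVENTS)):
        print(f["score"], f["user"], f["host"], "; ".join(f["reasons"]))
```

The score is deliberately additive rather than a single rule: an interactive logon at 03:00 from an unfamiliar server running a process the user has never run is three independent deviations, which is what lifts it above the routine noise of a single new host.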
Security orchestration, automation, and response (SOAR) platforms integrate CTI with security operations workflows to enable rapid, coordinated response. When threat intelligence indicates a specific IP address belongs to command-and-control infrastructure, SOAR systems automatically configure firewall rules blocking that address, generate tickets for security operations center investigation, and enrich alerts with contextual intelligence about the associated threat actor and typical objectives. Machine learning-based playbook recommendation suggests appropriate response actions based on threat type, asset criticality, and organizational risk tolerance. Recent platforms employ reinforcement learning to optimize response strategies over time, balancing security efficacy against operational impact.
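The response flow described above (block the C2 address, open a ticket, enrich the alert) is shown below as an added Python example; it is not code from the presentation or from any SOAR product. The indicator, actor name, log lines and do-not-block list are constructed placeholders. The one design point worth noting is the `never_block` gate: automation that blocks on intelligence alone can take down a partner gateway or shared CDN address, so the playbook escalates such cases to manual review instead.

```python
import re
from dataclasses import dataclass, field

# Constructed intelligence record; indicator and actor name are placeholders, not real IOCs.
INTEL = {
    "indicator": "198.51.100.23",
    "type": "ipv4",
    "role": "command-and-control",
    "actor": "EXAMPLE-ACTOR-1 (placeholder)",
    "objectives": ["credential theft", "data exfiltration"],
    "confidence": 85,
    "tlp": "AMBER",
}

# Constructed allow-list: addresses the business cannot afford to block automatically.
NEVER_BLOCK = frozenset({"192.0.2.10"})

# Constructed proxy log lines in a simple key=value format.
LOG_LINES = [
    "2024-05-02T10:14:03Z src=10.1.4.22 dst=198.51.100.23 dport=443 action=allow bytes_out=51200",
    "2024-05-02T10:14:09Z src=10.1.4.22 dst=198.51.100.77 dport=443 action=allow bytes_out=1200",
    "2024-05-02T10:21:44Z src=10.1.4.22 dst=198.51.100.23 dport=443 action=allow bytes_out=4096",
    "2024-05-02T11:02:10Z src=10.1.7.5 dst=198.51.100.23 dport=8443 action=allow bytes_out=900",
    "malformed line that the parser must skip",
]

LOG_RE = re.compile(r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+) "
                    r"action=(?P<action>\w+) bytes_out=(?P<bytes>\d+)$")


def parse_log(lines):
    """Parse key=value proxy lines into dicts, silently dropping lines that do not match."""
    events = []
    for line in lines:
        m = LOG_RE.match(line)
        if m:
            e = m.groupdict()
            e["dport"], e["bytes"] = int(e["dport"]), int(e["bytes"])
            events.append(e)
    return events


@dataclass
class Response:
    block_rules: list = field(default_factory=list)
    tickets: list = field(default_factory=list)
    enriched_alerts: list = field(default_factory=list)
    manual_review: list = field(default_factory=list)


def run_playbook(intel, log_lines, never_block=frozenset()):
    """Containment, ticketing and enrichment for a single C2 indicator."""
    resp = Response()
    ioc = intel["indicator"]
    context = {k: intel[k] for k in ("actor", "objectives", "confidence", "tlp")}

    if ioc in never_block:
        resp.manual_review.append({"indicator": ioc, "reason": "on do-not-block list", **context})
    else:
        resp.block_rules.append({"action": "deny", "direction": "outbound", "dst": ioc,
                                 "comment": f"C2 per CTI, confidence {intel['confidence']}"})

    # Group hits by internal source host so each affected asset gets one ticket.
    by_host = {}
    for e in parse_log(log_lines):
        if e["dst"] == ioc:
            by_host.setdefault(e["src"], []).append(e)

    for host, events in by_host.items():
        total_out = sum(e["bytes"] for e in events)
        # Severity heuristic: confident intel plus meaningful outbound volume suggests active beaconing.
        severity = "high" if intel["confidence"] >= 80 and total_out >= 10_000 else "medium"
        resp.tickets.append({"host": host, "severity": severity, "connections": len(events),
                             "bytes_out": total_out, "threat_context": context})
        for e in events:
            resp.enriched_alerts.append({**e, "threat_context": context})
    return resp


if __name__ == "__main__":
    r = run_playbook(INTEL, LOG_LINES, NEVER_BLOCK)
    print(r.block_rules, r.tickets, sep="\n")
```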
The presentation examines open-source intelligence validation methodologies critical for maintaining CTI quality. OSINT sources vary dramatically in reliability: an authoritative vendor report and an anonymous forum post, for example, warrant very different levels of trust. Recent research develops automated reliability assessment frameworks that evaluate source reputation based on historical accuracy, cross-reference claims against corroborating sources, and flag potential misinformation or deliberate deception. These systems compute confidence scores that guide analysts' trust calibration and prevent propagation of unreliable intelligence.
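One simple way to compute the confidence scores described above, as an added Python example rather than any framework from the presentation: each source gets a smoothed reliability from its historical hit rate, corroborating reports are counted only when they come from independent origins (a news aggregator republishing a vendor report is not independent evidence), and the per-claim confidence is the noisy-OR probability that at least one independent origin is right. Source names, track records and claims are all constructed.

```python
# Constructed track record per source: (claims later confirmed correct, claims evaluated).
SOURCE_HISTORY = {
    "vendor-report-A": (47, 50),
    "govt-advisory": (29, 30),
    "news-aggregator": (12, 20),
    "forum-post-anon": (3, 10),
}

# Constructed claims: (claim text, reporting source, upstream origin the report is based on).
CLAIMS = [
    ("domain X is C2", "vendor-report-A", "vendor-report-A"),
    ("domain X is C2", "news-aggregator", "vendor-report-A"),   # republishes vendor A, not independent
    ("domain X is C2", "forum-post-anon", "forum-post-anon"),
    ("actor Y uses tool Z", "forum-post-anon", "forum-post-anon"),
    ("actor Y uses tool Z", "news-aggregator", "news-aggregator"),
]

AUTHORITATIVE_THRESHOLD = 0.7   # assumed cut-off for a source an analyst may act on alone


def reliability(correct, total, prior=0.5, prior_weight=2):
    """Hit rate shrunk toward a neutral prior so sources with little history are not scored at 0 or 1."""
    return (correct + prior * prior_weight) / (total + prior_weight)


def assess(claim, claims=CLAIMS, history=SOURCE_HISTORY):
    """Confidence in a claim from its independent origins, plus flags for weak evidence."""
    # Best reliability seen per independent origin; copies of the same upstream report collapse to one.
    per_origin = {}
    for text, source, origin in claims:
        if text != claim:
            continue
        r = reliability(*history[source])
        per_origin[origin] = max(per_origin.get(origin, 0.0), r)

    if not per_origin:
        return {"claim": claim, "confidence": 0.0, "independent_origins": 0, "flags": ["no_source"]}

    # Noisy-OR: the claim is supported unless every independent origin is wrong.
    p_all_wrong = 1.0
    for r in per_origin.values():
        p_all_wrong *= (1.0 - r)

    flags = []
    if max(per_origin.values()) < AUTHORITATIVE_THRESHOLD:
        flags.append("no_authoritative_source")
    if len(per_origin) < 2:
        flags.append("single_origin")
    return {"claim": claim, "confidence": round(1.0 - p_all_wrong, 3),
            "independent_origins": len(per_origin), "flags": flags}


if __name__ == "__main__":
    for claim in sorted({c[0] for c in CLAIMS}):
        print(assess(claim))
```

The flags are what an analyst actually acts on: a claim that reaches a reasonable numeric confidence only by stacking several low-reliability sources still carries `no_authoritative_source`, which is the cue to hold it back from automated dissemination until a stronger source corroborates it.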
Emerging attack vectors driven by AI adoption by adversaries present novel challenges requiring CTI evolution. AI-generated phishing content achieves unprecedented sophistication, crafting contextually relevant lures tailored to specific targets based on automated reconnaissance. Deepfake audio and video enable impersonation attacks bypassing traditional verification mechanisms. Adversarial machine learning attacks poison training data for AI security systems or craft evasive malware that exploits classifier blind spots. Autonomous malware employs reinforcement learning to adapt infection and persistence strategies in response to defensive measures. CTI systems must evolve to detect these AI-enabled threats through behavioral analysis, provenance tracking, and adversarial robustness testing.
Cloud and mobile security contexts introduce additional complexity as attack surfaces expand beyond traditional enterprise networks. Container orchestration platforms, serverless computing, and microservice architectures present novel attack paths. Mobile devices serve dual roles as corporate endpoints and personal devices with commingled data. CTI for cloud environments requires visibility into vendor-managed infrastructure, understanding of cloud-specific attack techniques, and integration with cloud-native security services. Recent CTI frameworks specialize in cloud threat detection, identifying compromised credentials, misconfigured permissions, and lateral movement within cloud environments.
The presentation addresses practical implementation strategies for organizations establishing or enhancing CTI capabilities. Threat modeling identifies assets, threat actors, and attack scenarios most relevant to specific organizational contexts. Technology selection balances commercial platforms offering integrated capabilities against open-source tools providing customization flexibility. Analyst skill development ensures teams can effectively leverage automation while applying domain expertise for complex investigations. Metrics frameworks measure CTI program effectiveness through mean-time-to-detection, false positive rates, and quantified risk reduction.
International cooperation and information sharing amplify CTI effectiveness through collective defense. Sector-specific information sharing and analysis centers (ISACs) facilitate collaboration within industries facing common threats. Government-private partnerships like CISA's Automated Indicator Sharing enable bidirectional threat information exchange. The MITRE ATT&CK framework provides standardized vocabulary for describing adversary behavior, facilitating shared understanding and tool interoperability. Traffic Light Protocol (TLP) markings govern information sharing constraints, balancing openness against operational security.
Looking forward, quantum computing poses both threats and opportunities for CTI. Cryptographically relevant quantum computers would break current public-key encryption protecting sensitive intelligence, necessitating migration to post-quantum cryptographic algorithms. Conversely, quantum machine learning may enable more powerful threat detection and intelligence analysis. CTI systems must prepare for this transition through cryptographic agility and exploration of quantum-enhanced capabilities.
This comprehensive survey of AI-driven cyber threat intelligence provides security professionals with actionable insights for deploying automated threat detection, implementing effective attribution methodologies, and establishing adaptive defense postures that evolve in response to sophisticated adversaries. As cyber threats grow increasingly complex and automated, the CTI capabilities examined in this presentation represent essential foundations for organizational resilience in a hostile digital landscape.