KnowHow: Automatically Applying High-Level CTI Knowledge for Interpretable and Accurate Provenance Analysis
Yuhan Meng
Network and Distributed System Security (NDSS) Symposium 2026 · Day 2 · Malware & RE
Advanced Persistent Threat (APT) attacks remain one of the most critical challenges facing governments and enterprises, distinguished by their advanced, stealthy, and persistent characteristics. While provenance-based detection systems that construct directed attributed graphs of system entities have shown promise, existing knowledge-driven approaches are limited by their reliance on manually crafted, instance-level rules. This talk introduces **KnowHow**, a system that bridges the fundamental semantic gap between high-level Cyber Threat Intelligence (CTI) reports and low-level system provenance data by automatically mapping abstract threat descriptions to concrete system events.
AI review
A well-engineered system for automating CTI-to-detection-rule translation using structured semantic triples (GIOCs) and embedding-based matching. The approach addresses a real operational pain point, manually writing detection rules from CTI reports, and the 90% false positive reduction is meaningful. However, the work is primarily a detection engineering improvement rather than novel offensive or reversing research, and the embedding-based fuzzy matching introduces a trust-the-model element that warrants skepticism.
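As an added illustration that is neither KnowHow's code nor part of the review above, the following Python sketches the CTI-to-provenance mapping the abstract describes and the triple-based matching the review mentions. The `Event` shape, the vocabulary tables (a hand-written stand-in for embedding similarity) and every sample event and triple are assumptions constructed for this example.

```python
# Added toy example (not KnowHow's code): express a CTI statement as a
# semantic triple (subject role, action, object role) and ground it in
# low-level provenance events. The vocabulary tables are a hand-written
# stand-in for the embedding similarity the talk describes (assumption).
from dataclasses import dataclass

@dataclass(frozen=True)
class Event:
    pid: int
    process: str
    syscall: str
    target: str

# Constructed sample provenance events (not real telemetry).
EVENTS = [
    Event(101, "bash", "execve", "/usr/bin/curl"),
    Event(102, "curl", "connect", "203.0.113.7:443"),
    Event(102, "curl", "write", "/tmp/stage.sh"),
    Event(103, "bash", "read", "/etc/shadow"),
    Event(104, "sshd", "read", "/etc/ssh/sshd_config"),
]

# Abstract CTI vocabulary -> concrete observables (assumed, hand-written).
SUBJECTS = {"shell": {"bash", "sh"}, "downloader": {"curl", "wget"}}
ACTIONS = {"execute": {"execve"}, "download": {"connect", "write"},
           "access credentials": {"read"}}
OBJECT_PREFIXES = {"downloader": ("/usr/bin/curl", "/usr/bin/wget"),
                   "staging file": ("/tmp/",),
                   "credential store": ("/etc/shadow", "/etc/passwd")}

# Constructed CTI report, already reduced to triples.
REPORT = [("shell", "execute", "downloader"),
          ("downloader", "download", "staging file"),
          ("shell", "access credentials", "credential store")]

def match_triple(triple, events=EVENTS):
    """Return the concrete events that instantiate one abstract triple."""
    subj, act, obj = triple
    return [e for e in events
            if e.process in SUBJECTS.get(subj, ())
            and e.syscall in ACTIONS.get(act, ())
            and e.target.startswith(OBJECT_PREFIXES.get(obj, ()))]

def detect(report, events=EVENTS):
    """Alert only when every triple of the report is grounded in the events.
    Requiring the whole narrative, not one suspicious event, is what keeps
    isolated benign reads or writes from raising alerts."""
    grounded = {t: match_triple(t, events) for t in report}
    return all(grounded.values()), grounded
```

Replacing the lookup tables with a learned similarity is where the review's "trust-the-model" caveat enters: a loose match in any one table widens what `detect` will accept.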