As cyber offense and defense grow increasingly sophisticated, understanding adversary behaviors is essential for proactive defense. Based on the MITRE ATT&CK framework, we systematically define the paradigm of "Technique Association Analysis," which aims to transform discrete behavioral observations into continuous intent reasoning. Using the core modeling depth of contextual and temporal dependencies as a classification criterion, we categorize current technique association mining methods into three progressive levels: static pattern mining based on statistical co-occurrence and association rules, dynamic evolution analysis using probabilistic graphs and time-series models, and high-level semantic mining that integrates graph computing with large language models. Furthermore, we provide a systematic horizontal comparison and analyze the applicability of these methods in key downstream tasks, including attack chain completion, intent prediction, and defense and detection optimization. Finally, we discuss the limitations of existing methods in dynamic context awareness and cross-modal data alignment, and outline future directions. In particular, we highlight the in-depth integration between large language models and knowledge graphs as a promising avenue, aiming to provide a comprehensive reference for research in automated threat hunting and network security operations.
With the rapid advancement of generative artificial intelligence (GAI), deepfake speech technology has achieved remarkable progress. The synthesized speech now closely mimics authentic human voices in terms of timbre, prosody, and naturalness, exhibiting strong deceptive capabilities and thus posing significant challenges to detection systems. This survey systematically reviews the evolution, technical approaches, current challenges, and future directions of deepfake speech detection. First, we elaborate on the fundamental principles and methodologies of deepfake speech generation, covering speech synthesis and voice conversion (VC). Second, we comprehensively examine detection techniques, classifying them into three paradigms: traditional machine learning–based methods, deep learning–based approaches, and end-to-end detection frameworks. For each paradigm, we provide detailed analysis of its working mechanisms, inherent characteristics, and performance on typical benchmarks. Third, we introduce widely used benchmark datasets and evaluation metrics in this field. Finally, we discuss key challenges—such as poor generalization across unseen forgery types and constraints in real-time deployment—and outline promising future research directions.
Edge intelligence devices are widely deployed in the Internet of Things (IoT) and security scenarios, but their deep learning models are vulnerable to electromagnetic side-channel attacks. To quantitatively assess the information leakage of such models under these attacks, a hierarchical risk evaluation framework is proposed, which is analyzed from three dimensions: model family, layer structure, and core parameters. Model family identification is achieved by combining time-frequency features with a random forest algorithm, while the automatic inference of layer structure and core parameters is realized by using the temporal patterns of power traces and a Long Short-Term Memory (LSTM) network. Quantitative indicators are established to measure the information leakage degree. Experiments are conducted on real edge intelligence devices with nine typical deep learning models. The results show that the average F1-score for model family classification reaches 95.7%, the reconstruction accuracy of layer structure is about 93.8%, and the identification accuracy of core parameters exceeds 90%. This study confirms that electromagnetic side channels can leak multi-level model information with high accuracy, and such information is sufficient to support model cloning and subsequent attacks. It provides a quantitative basis for understanding side-channel risks and designing protection schemes for edge intelligence devices.
With the increasing sophistication of cyber-attacks, Breach and Attack Simulation (BAS) has emerged as a pivotal approach for cybersecurity assessment. Within the BAS framework, the Planner serves as a core module, where decision algorithms directly dictate the coverage and effectiveness of the simulation. However, existing decision algorithms face significant limitations in handling the uncertainty of behavioral outcomes and assessing out-of-sample attack behaviors, thereby constraining their practical utility. To address these challenges, this paper proposes Feature Similarity adaptive KNN (FSK), a comprehensive attack behavior evaluation method. FSK integrates structured modeling, dynamic neighborhood adjustment, and temporal decay mechanisms with an adaptive K-Nearest Neighbors (KNN) algorithm. The method enhances adaptability to execution changes through execution result feedback, and achieves a comprehensive evaluation of attack behaviors utilizing multi-objective balanced decision-making. Experimental results demonstrate that FSK achieves superior performance in terms of attack surface coverage and prediction accuracy for out-of-sample behaviors. The average performance metrics reach 90%, representing a 20% improvement over existing baselines. These findings provide new insights for advancing the design of BAS planners.
To address the challenge of evaluating the security of information systems under complex attacks, such as Advanced Persistent Threat (APT), a cybersecurity knowledge graph embedding method integrating logical rule reasoning with adversarial learning is proposed. Specifically, logical rules are mined from the complex attack knowledge graph by leveraging the AnyBURL tool, and semantically consistent positive samples are inferred accordingly, thereby mitigating the problem of positive sample sparsity. In parallel, an adversarial example generation mechanism is introduced to dynamically construct hard negative samples near the decision boundary, so that more discriminative gradient signals can be received by the model during training. To further ensure the sample’s reliability, a similarity-based sample filtering strategy is designed to comprehensively evaluate candidate samples. Experimental results demonstrate that the proposed method significantly outperforms existing baseline models in complex attack behavior prediction, with a Mean Reciprocal Rank (MRR) of 0.571 and Hits@10 of 0.663 achieved, corresponding to improvements of 39.6% and 21.9%, respectively. These results indicate that the representation and reasoning ability of complex attack paths can be effectively enhanced by the proposed method. Moreover, reliable support is provided for the security evaluation of information systems under complex attack scenarios.
Against the backdrop of an increasingly complex and dynamically evolving cyber threat landscape, traditional static and periodic cybersecurity assessment methods are no longer sufficient to address emerging challenges. An AI-driven adaptive cybersecurity assessment framework is proposed to realize the intellectualization, automation and continuity of the assessment process. The framework is constructed as a closed-loop system consisting of four layers: data perception, intelligent analysis, dynamic decision-making and feedback optimization. Its core innovation resides in the in-depth integration of artificial intelligence technologies, which involves applying Graph Neural Networks (GNN) for anomaly detection and threat hunting, adopting Deep Reinforcement Learning (DRL) to enable automated penetration testing and attack path planning, and incorporating Large Language Models (LLM) to achieve automated generation of analysis reports. Simulation experiments verify that the proposed framework exhibits remarkable advantages over traditional methods in the depth of vulnerability discovery, the speed of threat response and the accuracy of risk assessment. It can effectively improve the capability of proactive defense, and thus provide a feasible technical approach and practical reference for constructing a dynamic and adaptive next-generation cybersecurity system.
As power systems become deeply integrated with cyber-physical infrastructures, their security mechanisms encounter increasingly dynamic and complex threats. A digital twin–based architecture for power cyber-physical systems is proposed, where a digital twin is constructed to achieve real-time system-wide mirroring and multi-source heterogeneous data fusion. By continuously monitoring system operations and incorporating an AI-driven dynamic defense mechanism, the proposed framework enables effective anomaly detection in power system operations. To enhance detection efficiency and accuracy, a two-stage anomaly detection algorithm is introduced. In the first stage, threshold-based rules are employed for rapid identification of obvious anomalies, while in the second stage, an LSTM-AE (Long Short-Term Memory-Autoencoder) model combined with spatiotemporal association rules is applied to improve detection precision and adaptability. The proposed method is validated on a Simulink-based power system simulation platform under false data injection attacks. Experimental results demonstrate that the proposed algorithm achieves an anomaly detection accuracy of 97.82%, outperforming existing methods by 2%~4.5%. This approach significantly enhances the accuracy and robustness of anomaly detection, providing a strong safeguard for the secure and reliable operation of power systems.
Cyber threat intelligence has been proven to be a mainstream method for executing efficient threat detection, and how to systematically generate and operate threat intelligence has become a core issue. To address this, a solution is proposed that utilizes the processing and integration of threat intelligence data to construct a proactive security correlation analysis and operation framework, which aims to achieve comprehensive, adaptive, and real-time cybersecurity defense. The solution encompasses technical modules such as data collection, model establishment, analysis engine, intelligence production, and intelligence application and sharing. Among these, the proactive security correlation framework based on threat intelligence and the full-process correlation analysis system of the knowledge graph integrate technologies such as machine learning, data fusion, and large language models. This integration realizes the automated operation of the entire process from data collection to threat detection, applies threat intelligence throughout the entire lifecycle operation, and enhances the proactivity and intelligence of cybersecurity defense. Experiments have proven that constructing a proactive security correlation framework through in-depth analysis and utilization of threat intelligence is an effective way to enhance the capability of cybersecurity defense.





