Lin Xiaoxin, Zhou Yinghai, Lu Hui, Liu Yuan, Song Jing, Du Jing, Tian Zhihong
Accepted: 2026-06-09
Against the backdrop of great power strategic competition and digital sovereignty contests, cyber attack attribution has evolved from purely technical tracing into a composite decision problem that integrates forensic analysis, intelligence assessment, strategic-intent judgment, and the allocation of state responsibility under international law. In current Advanced Persistent Threat (APT) attribution paradigms, the micro-level technical paradigm faces challenges such as the failure of feature exclusivity, while the macro-level political paradigm struggles with insufficient evidence transparency. Meanwhile, intelligent paradigms like Knowledge Graphs and Large Language Models (LLMs) encounter bottlenecks in cross-domain integration. A critical review of five major research paradigms was conducted, encompassing technical tracing, political attribution, knowledge graphs, LLMs and agents, and uncertainty quantification. The analysis reveals that the core dilemma in existing attribution research lies in a persistent triple fracture—representational, temporal, and causal—between micro-level technical evidence and macro-level strategic context. Based on this, a Techno-Political Fusion attribution framework is proposed. It advocates for entity extraction and semantic alignment through knowledge learning and analytical algorithms tailored for multi-source heterogeneous data, to populate and validate cross-domain techno-political knowledge graphs, and integrates Dempster-Shafer evidence theory with Bayesian networks for conflict resolution and causal inference, ultimately generating confidence-scored attribution rankings and counterfactual explanations. Future research should construct a cross-domain ontology anchored by four dimensions—technology, organization, politics and events—and to establish a "spatiotemporal-causal" alignment mechanism between micro-level technical indicators and macro-level political contexts. Furthermore, refining the serial reasoning pipeline of "probabilistic inference followed by counterfactual validation" will help transition cyberattack attribution from mere correlation matching toward a causal reasoning system that is auditable, interpretable, and capable of uncertainty quantification.