Abstract
The rapid evolution of cyber threats has created significant challenges for maintaining the security and resilience of enterprise systems. Existing approaches rely heavily on manual analysis and rule-based mechanisms, resulting in delayed, inconsistent, and error-prone attack classification and response. To overcome these limitations, this study designs and evaluates an automated Attack Classification and Response (ACR) framework that reduces manual intervention, improves classification accuracy, and provides timely and intelligent responses to cyberattacks. The proposed framework integrates three core components: 1) a novel Attack Footprint (AFP) data structure that encodes real-time behavioral metrics, enabling ontology-driven response automation, an approach not previously explored in CAPEC/ATT&CK-based systems; 2) an ensemble of machine learning models trained to classify attacks accurately from AFP features; and 3) a CAPEC-based ontology that defines attack characteristics, relationships, and the appropriate response actions for each attack type. The methodology combines supervised ML classification with ontology-driven reasoning to automate both the identification and the mitigation of attacks in near real time. Experimental results show that the ACR framework achieves a 99.13% F1-score in attack classification and an average response latency of 4 seconds, significantly outperforming conventional manual or rule-based systems. Overall, the findings confirm that the ACR framework enhances the accuracy, speed, and autonomy of cybersecurity operations while reducing human error and analysis time.
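The three components named in the abstract (an AFP record, an ensemble classifier over its features, and a CAPEC-based ontology that maps each attack pattern to response actions) compose as shown below. This is an added illustration, not code from the paper: the AFP field names, the constructed training rows and the response actions are assumptions; the ensemble is a majority vote of three nearest-centroid learners standing in for whatever models the paper trained; the CAPEC ids, names and ChildOf links are the real CAPEC ones. The point it adds beyond the abstract is how ontology reasoning works in practice: a pattern with no response of its own (CAPEC-49) inherits the responses of its CAPEC parent by walking the ChildOf chain.

```python
"""AFP -> ensemble classifier -> CAPEC-ontology response (added illustration).

Constructed data and hypothetical field names; not the paper's code.
"""
from collections import Counter
from dataclasses import dataclass
from statistics import mean, pstdev


@dataclass(frozen=True)
class AttackFootprint:
    """Hypothetical AFP record (field names are an assumption, not the paper's)."""
    req_rate: float         # requests per second from one source
    err_ratio: float        # share of 4xx/5xx responses
    auth_fail_rate: float   # failed authentications per second
    payload_entropy: float  # mean Shannon entropy (bits/byte) of request bodies

    def vector(self):
        return [self.req_rate, self.err_ratio, self.auth_fail_rate, self.payload_entropy]


# Constructed training set: CAPEC ids are real, the feature values are made up.
TRAIN = [
    (AttackFootprint(500, 0.60, 0.0, 3.0), "CAPEC-125"),  # Flooding
    (AttackFootprint(420, 0.50, 0.0, 3.2), "CAPEC-125"),
    (AttackFootprint(5, 0.90, 4.5, 3.5), "CAPEC-49"),     # Password Brute Forcing
    (AttackFootprint(8, 0.80, 6.0, 3.4), "CAPEC-49"),
    (AttackFootprint(2, 0.40, 0.0, 5.5), "CAPEC-66"),     # SQL Injection
    (AttackFootprint(3, 0.50, 0.0, 5.9), "CAPEC-66"),
    (AttackFootprint(1, 0.00, 0.0, 3.0), "benign"),
    (AttackFootprint(2, 0.05, 0.1, 3.1), "benign"),
]


class NearestCentroid:
    """Weak learner: nearest class centroid over a subset of (scaled) AFP features."""
    def __init__(self, idx):
        self.idx = idx
        self.centroids = {}

    def fit(self, rows, labels):
        by_label = {}
        for row, label in zip(rows, labels):
            by_label.setdefault(label, []).append([row[i] for i in self.idx])
        self.centroids = {lab: [mean(c) for c in zip(*vs)] for lab, vs in by_label.items()}

    def predict(self, row):
        x = [row[i] for i in self.idx]
        return min(self.centroids,
                   key=lambda lab: sum((a - b) ** 2 for a, b in zip(x, self.centroids[lab])))


class AFPEnsemble:
    """Majority vote of learners on different feature subsets; z-score scaling
    keeps req_rate (hundreds) from swamping the ratio-valued features."""
    def __init__(self):
        self.learners = [NearestCentroid([0, 1, 2, 3]), NearestCentroid([0, 1]), NearestCentroid([2, 3])]
        self.mu = self.sigma = None

    def _scale(self, v):
        return [(x - m) / s for x, m, s in zip(v, self.mu, self.sigma)]

    def fit(self, samples):
        raw = [afp.vector() for afp, _ in samples]
        labels = [label for _, label in samples]
        cols = list(zip(*raw))
        self.mu = [mean(c) for c in cols]
        self.sigma = [pstdev(c) or 1.0 for c in cols]   # constant column: avoid /0
        rows = [self._scale(v) for v in raw]
        for learner in self.learners:
            learner.fit(rows, labels)
        return self

    def predict(self, afp):
        row = self._scale(afp.vector())
        votes = [learner.predict(row) for learner in self.learners]
        top, n = Counter(votes).most_common(1)[0]
        return top if n > 1 else votes[0]   # three-way split: full-feature learner decides


# Hypothetical CAPEC-based response ontology. Ids, names and ChildOf links follow
# CAPEC; the "responses" lists are assumptions made for this illustration.
ONTOLOGY = {
    "CAPEC-119": {"name": "Excessive Allocation", "child_of": None,
                  "responses": ["rate-limit source", "alert SOC"]},
    "CAPEC-125": {"name": "Flooding", "child_of": "CAPEC-119",
                  "responses": ["drop source at edge for 10 min"]},
    "CAPEC-112": {"name": "Brute Force", "child_of": None,
                  "responses": ["lock targeted account", "alert SOC"]},
    "CAPEC-49":  {"name": "Password Brute Forcing", "child_of": "CAPEC-112",
                  "responses": []},   # nothing of its own: inherits from CAPEC-112
    "CAPEC-248": {"name": "Command Injection", "child_of": None,
                  "responses": ["block request", "alert SOC"]},
    "CAPEC-66":  {"name": "SQL Injection", "child_of": "CAPEC-248",
                  "responses": ["quarantine source", "snapshot DB audit log"]},
}


def response_actions(capec_id):
    """Responses of the pattern plus those of every ChildOf ancestor,
    most specific first, de-duplicated."""
    actions, seen, node = [], set(), capec_id
    while node is not None:
        entry = ONTOLOGY[node]
        for action in entry["responses"]:
            if action not in seen:
                seen.add(action)
                actions.append(action)
        node = entry["child_of"]
    return actions


def classify_and_respond(model, afp):
    """Classify one AFP and resolve its response plan through the ontology."""
    label = model.predict(afp)
    return (label, []) if label == "benign" else (label, response_actions(label))


MODEL = AFPEnsemble().fit(TRAIN)

if __name__ == "__main__":
    for sample in (AttackFootprint(450, 0.55, 0.0, 3.1), AttackFootprint(6, 0.85, 5.0, 3.4)):
        print(sample, "->", classify_and_respond(MODEL, sample))
```

The ChildOf walk is what turns a static lookup table into ontology-driven reasoning: adding a new, more specific CAPEC pattern to the classifier's label set needs no new response rule if its parent already has one, and a response attached at a parent (here "alert SOC") is applied to every descendant uniformly.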
| Original language | English (US) |
|---|---|
| Pages (from-to) | 11560-11581 |
| Number of pages | 22 |
| Journal | IEEE Access |
| Volume | 14 |
| DOIs | |
| State | Published - 2026 |
Keywords
- CAPEC
- Cyberattack classification
- automated detection and response
- cyberattack detection
- incident response
- ontology
- software security
ASJC Scopus subject areas
- General Computer Science
- General Materials Science
- General Engineering
Title: Attack Classification and Response Framework (ACR) Based on Machine Learning and CAPEC Ontology