Scalable object-relational modeling for synthesizing multi-format visual analytics of STIX-based cyber threat intelligence data

Authors

DOI:

https://doi.org/10.4108/eetinis.132.12774

Keywords:

STIX, Cyber Threat Intelligence, Graph Visualisation, Threat Graph, Scalability

Abstract

The observed increase in cyber threat intelligence data, the diversity of sources, and relational complexity make it difficult for analysts to directly assess and interpret threat profiles from raw Structured Threat Information Expression (STIX) packages. This study utilises an object-relational model to transform all object and relationship types into a single unified representation and reconstruct the same graph model across three different visualisation software packages (plotly, matplotlib, pyvis). The proposed analytical framework generates extended threat models by combining multiple STIX datasets through entity extraction, creating observable entities from each dataset, and completing relationships among them; thus mapping relationship types to the operational meanings of attacks and enabling more comprehensive risk prioritisation. The case study is based on a public OASIS STIX example package. The enriched graph is dominated by relationship types such as uses, indicates, pattern-refers-to, and attributed-to, and the highest risk scores are assigned to the nodes labelled “Privilege Escalation” and “Ugly Gorilla”. Scalability tests performed on 1000-node synthetic directed graphs revealed a processing time of 8.08 seconds, memory consumption of 124.3 MB, and a frame rate of 215.05 fps during interactive preview. These findings demonstrate that the proposed framework offers a unified and viable foundation for visual analysis, risk prioritisation, and scalable analytical reporting of STIX-based cyber threat intelligence.

Author Biography

  • Resul Das, Fırat University, Edinburgh Napier University

    Resul Daş is a full professor in the Software Engineering Department of the Faculty of Technology at Fırat University. He received his BS and MS degrees in Computer Science from Fırat University in 1999 and 2002, respectively, and his PhD degree in Electrical and Electronics Engineering in 2008. Between 2000 and 2011, he worked as a lecturer in the Informatics Department and as a network and system administrator in the Information Processing Center. He has been a CCNA and CCNP instructor in the Cisco Networking Academy Program since 2002. He conducted research as a visiting professor at the University of Alberta, Edmonton, Canada, between September 2017 and June 2018 with the "TÜBİTAK-BIDEB 2219 Postdoctoral Research Fellowship". He served as the Head of the Software Engineering Department between March 2020 and April 2023. He served as an Associate Editor for IEEE Access Journal and the Turkish Electrical Engineering and Computer Science Journal. He currently serves as an Associate Editor for the academic journals Internet of Things (Elsevier), Alexandria Engineering Journal (Elsevier), Telematics and Informatics Reports (Elsevier), IEEE Open Journal of the Communications Society (OJ-COMS), and International Journal of Grid and Utility Computing (Inderscience). He is globally recognized and was included in the top 2% of the "World's Most Influential Scientists" list compiled by Stanford University researchers in 2019, 2020, 2021, 2022, and 2023. His research interests and topics include computer networks, cybersecurity, IoT and systems engineering, data science and visualization, software quality assurance, and testing.

Published

18-06-2026

How to Cite

1. Kaya MO, Das R. Scalable object-relational modeling for synthesizing multi-format visual analytics of STIX-based cyber threat intelligence data. EAI Endorsed Trans Ind Net Intel Syst [Internet]. 2026 Jun. 18 [cited 2026 Jun. 19];13(2). Available from: https://publications.eai.eu/index.php/inis/article/view/12774
