{"metadata":{"code_id":179109,"site_ownership_code":"INL","open_source":false,"landing_contact":"agradmin@inl.gov","project_type":"CS","software_type":"S","official_use_only":{},"developers":[{"email":"","orcid":"","first_name":"Tony","last_name":"Paul","middle_name":"","affiliations":["Idaho National Laboratory (INL), Idaho Falls, ID (United States)"]},{"email":"","orcid":"","first_name":"Scott","last_name":"Bowman","middle_name":"T","affiliations":["Idaho National Laboratory (INL), Idaho Falls, ID (United States)"]},{"email":"","orcid":"","first_name":"Adam","last_name":"Pluth","middle_name":"J","affiliations":["Idaho National Laboratory (INL), Idaho Falls, ID (United States)"]},{"email":"","orcid":"0009-0006-0011-1116","first_name":"Anna","last_name":"Quach","middle_name":"T","affiliations":["Idaho National Laboratory (INL), Idaho Falls, ID (United States)"]},{"email":"","orcid":"","first_name":"Bradley","last_name":"Marx","middle_name":"E","affiliations":["Idaho National Laboratory (INL), Idaho Falls, ID (United States)"]},{"email":"","orcid":"","first_name":"Edward","last_name":"Ramos","middle_name":"A","affiliations":["Idaho National Laboratory (INL), Idaho Falls, ID (United States)"]},{"email":"","orcid":"","first_name":"Shaw","last_name":"Wen","middle_name":"X","affiliations":["Idaho National Laboratory (INL), Idaho Falls, ID (United States)"]},{"email":"","orcid":"","first_name":"Brandon","last_name":"Biggs","middle_name":"S","affiliations":["Idaho National Laboratory (INL), Idaho Falls, ID (United States)"]}],"contributors":[],"sponsoring_organizations":[{"organization_name":"USDOE Office of Nuclear Energy (NE)","funding_identifiers":[],"primary_award":"AC07-05ID14517","DOE":true}],"contributing_organizations":[],"research_organizations":[{"organization_name":"Idaho National Laboratory (INL), Idaho Falls, ID (United States)","DOE":true}],"related_identifiers":[],"award_dois":[],"release_date":"2026-02-12","software_title":"Cyote-attack Chain Estimator","acronym":"CyOTE:-ACE","doi":"https://doi.org/10.11578/dc.20260413.3","description":"Attack Chain Estimator (ACE) Application\nOverview\nThe Attack Chain Estimator (ACE) Application is a sophisticated tool designed for the ingestion, classification, sequencing, and enrichment of cybersecurity threat reports. This application leverages advanced machine learning models and extensive historical data to provide comprehensive insights into cyber threats, specifically targeting Industrial Control Systems (ICS).\n\nPurpose\nThe primary functions of the ACE Application include:\n\nIngestion of Cybersecurity Threat Reporting:\n\nCapable of ingesting text-based threat reports in markdown or text file format.\nSupports ingestion of structured data from other sources in STIX/JSON format.\nClassification of Report’s Text-Based Events:\n\nUtilizes a DeBERTa classifier, specifically trained on cybersecurity data, to map the events to MITRE ATT&CK for ICS Tactics and Techniques.\nClassification is performed using multiple Jupyter notebooks and machine learning workflows hosted as FastAPI microservices:\nregex_data\ndeberta_base_35_train_hft_classifier_mlflow.ipynb\nhft_regex_classifier_mlflow.ipynb\nparam_train_hft_classifier_mlflow.ipynb\nregex_tactic_tech.ipynb\n\nOrdering of Tactics, Techniques, and Observable Events:\n\nSequences the identified tactics, techniques, and events to form a coherent attack chain.\nEnrichment with Historical Attack Chain Details:\n\nEnhances the attack chain with details from historical attacks using a Markov model developed from CyOTE Precursor Analysis Report data.\nThe Markov model is available as a FastAPI endpoint for seamless integration.\nEnrichment with Adversary Emulation Capabilities Data:\n\nIntegrates adversary emulation capabilities data using MITRE Caldera for OT adversary abilities UUIDs.\nExport of Output Files:\n\nProvides options to export the enriched attack chain in JSON or CSV formats.\nRouting of Output to Other Applications:\n\nFacilitates routing of output to various platforms and applications, including:\nThreat Intelligence Platforms\nCOREII Scout for Threat Intelligence Analysis\nCOREII Modeling and Simulation for Adversary Emulation\nTechnical Description\nThe ACE Application is an advanced cybersecurity tool designed to provide detailed threat analysis and sequence generation. It is built on a robust architecture that integrates natural language processing, machine learning, and historical data modeling.\n\nKey Components:\n\nData Ingestion Module: Handles the input of threat reports and data from various formats, ensuring flexibility in data sources.\nClassification Engine: Employs DeBERTa-based classifiers hosted as FastAPI microservices to analyze and classify threat report events in accordance with the MITRE ATT&CK framework for ICS.\nSequence Generator: Orders the classified events into a logical attack chain, providing clear insight into the sequence of tactics and techniques used in the threat.\nEnrichment Engine: Integrates historical data and adversary emulation capabilities to enhance the attack chain with valuable context and additional details. The historical data enrichment is powered by a Markov model, which is available as a FastAPI endpoint.\nExport and Routing Module: Facilitates the export of the enriched attack chain in multiple formats and routes the output to designated applications for further analysis or emulation.","programming_languages":["q React, Typescript, Vite, TailwindCSS, and DaisyUI"],"country_of_origin":"United States","project_keywords":[],"licenses":[],"recipient_org":"INL","file_name":"Attack-Chain-Estimator-ACE--release.zip","date_record_added":"2026-04-13","date_record_updated":"2026-04-13","is_file_certified":true,"last_editor":"zurisaday.bravo@inl.gov","is_limited":false,"links":[{"rel":"citation","href":"https://www.osti.gov/doecode/biblio/179109"}]}}