Linking Architectural Threat Modeling of AI Systems to MITRE ATLAS via Semantic Knowledge Graphs
摘要
This paper demonstrates how semantic knowledge graph integration can bridge organizational threat modeling and adversarial frameworks for responsible AI security assessment. We applied ThreatFinder.ai to an AI-based facial anonymization system, identifying 12 assets, 33 instantiated threats (7 unique), and 157 instantiated controls (28 unique). These outputs were transformed into knowledge graphs and semantically linked to MITRE ATLAS using Sentence-BERT embeddings, creating explicit, auditable mappings between organizational threats and adversarial techniques. The linking produced 123 threat \(\rightarrow \) technique, 72 threat \(\rightarrow \) SubTechnique, and 21 control \(\rightarrow \) mitigation alignments (covering 55 unique threats and 15 unique controls), enabling asset-centric reasoning and transparent security decision-making. The methodology satisfies multiple stakeholder needs: organizational usability through familiar workflows, governance compliance through auditable relations, and ethical transparency through accessible visualizations. These results show that interdisciplinary requirements can drive approaches to AI security that are both technically rigorous and practically usable.