This paper demonstrates how semantic knowledge graph integration can bridge organizational threat modeling and adversarial frameworks for responsible AI security assessment. We applied ThreatFinder.ai to an AI-based facial anonymization system, identifying 12 assets, 33 instantiated threats (7 unique), and 157 instantiated controls (28 unique). These outputs were transformed into knowledge graphs and semantically linked to MITRE ATLAS using Sentence-BERT embeddings, creating explicit, auditable mappings between organizational threats and adversarial techniques. The linking produced 123 threat \(\rightarrow \) technique, 72 threat \(\rightarrow \) SubTechnique, and 21 control \(\rightarrow \) mitigation alignments (covering 55 unique threats and 15 unique controls), enabling asset-centric reasoning and transparent security decision-making. The methodology satisfies multiple stakeholder needs: organizational usability through familiar workflows, governance compliance through auditable relations, and ethical transparency through accessible visualizations. These results show that interdisciplinary requirements can drive approaches to AI security that are both technically rigorous and practically usable.

错误:搜索内容不能为空,请输入英文关键词
错误:关键词超出字数限制,请精简
高级检索

Linking Architectural Threat Modeling of AI Systems to MITRE ATLAS via Semantic Knowledge Graphs

  • Joakim Rosell,
  • Maria Ulan,
  • Max Fransson

摘要

This paper demonstrates how semantic knowledge graph integration can bridge organizational threat modeling and adversarial frameworks for responsible AI security assessment. We applied ThreatFinder.ai to an AI-based facial anonymization system, identifying 12 assets, 33 instantiated threats (7 unique), and 157 instantiated controls (28 unique). These outputs were transformed into knowledge graphs and semantically linked to MITRE ATLAS using Sentence-BERT embeddings, creating explicit, auditable mappings between organizational threats and adversarial techniques. The linking produced 123 threat \(\rightarrow \) technique, 72 threat \(\rightarrow \) SubTechnique, and 21 control \(\rightarrow \) mitigation alignments (covering 55 unique threats and 15 unique controls), enabling asset-centric reasoning and transparent security decision-making. The methodology satisfies multiple stakeholder needs: organizational usability through familiar workflows, governance compliance through auditable relations, and ethical transparency through accessible visualizations. These results show that interdisciplinary requirements can drive approaches to AI security that are both technically rigorous and practically usable.