Saved in:
Bibliographic Details
Main Authors: Nguyen, Hoang Cuong, Tariq, Shahroz, Chhetri, Mohan Baruwal, Vo, Bao Quoc
Format: Preprint
Published: 2025
Subjects:
Online Access:https://arxiv.org/abs/2505.03147
Tags: Add Tag
No Tags, Be the first to tag this record!
_version_ 1866915275290443776
author Nguyen, Hoang Cuong
Tariq, Shahroz
Chhetri, Mohan Baruwal
Vo, Bao Quoc
author_facet Nguyen, Hoang Cuong
Tariq, Shahroz
Chhetri, Mohan Baruwal
Vo, Bao Quoc
contents This work evaluates the performance of Cyber Threat Intelligence (CTI) extraction methods in identifying attack techniques from threat reports available on the web using the MITRE ATT&CK framework. We analyse four configurations utilising state-of-the-art tools, including the Threat Report ATT&CK Mapper (TRAM) and open-source Large Language Models (LLMs) such as Llama2. Our findings reveal significant challenges, including class imbalance, overfitting, and domain-specific complexity, which impede accurate technique extraction. To mitigate these issues, we propose a novel two-step pipeline: first, an LLM summarises the reports, and second, a retrained SciBERT model processes a rebalanced dataset augmented with LLM-generated data. This approach achieves an improvement in F1-scores compared to baseline models, with several attack techniques surpassing an F1-score of 0.90. Our contributions enhance the efficiency of web-based CTI systems and support collaborative cybersecurity operations in an interconnected digital landscape, paving the way for future research on integrating human-AI collaboration platforms.
format Preprint
id arxiv_https___arxiv_org_abs_2505_03147
institution arXiv
publishDate 2025
record_format arxiv
spellingShingle Towards Effective Identification of Attack Techniques in Cyber Threat Intelligence Reports using Large Language Models
Nguyen, Hoang Cuong
Tariq, Shahroz
Chhetri, Mohan Baruwal
Vo, Bao Quoc
Cryptography and Security
This work evaluates the performance of Cyber Threat Intelligence (CTI) extraction methods in identifying attack techniques from threat reports available on the web using the MITRE ATT&CK framework. We analyse four configurations utilising state-of-the-art tools, including the Threat Report ATT&CK Mapper (TRAM) and open-source Large Language Models (LLMs) such as Llama2. Our findings reveal significant challenges, including class imbalance, overfitting, and domain-specific complexity, which impede accurate technique extraction. To mitigate these issues, we propose a novel two-step pipeline: first, an LLM summarises the reports, and second, a retrained SciBERT model processes a rebalanced dataset augmented with LLM-generated data. This approach achieves an improvement in F1-scores compared to baseline models, with several attack techniques surpassing an F1-score of 0.90. Our contributions enhance the efficiency of web-based CTI systems and support collaborative cybersecurity operations in an interconnected digital landscape, paving the way for future research on integrating human-AI collaboration platforms.
title Towards Effective Identification of Attack Techniques in Cyber Threat Intelligence Reports using Large Language Models
topic Cryptography and Security
url https://arxiv.org/abs/2505.03147