Saved in:
Bibliographic details
Main authors: Meng, Cheng, Jiang, ZhengWei, Wang, QiuYun, Li, XinYi, Ma, ChunYan, Dong, FangMing, Ren, FangLi, Liu, BaoXu
Format: Preprint
Published: 2025
Subjects:
Online access: https://arxiv.org/abs/2505.09261
author Meng, Cheng
Jiang, ZhengWei
Wang, QiuYun
Li, XinYi
Ma, ChunYan
Dong, FangMing
Ren, FangLi
Liu, BaoXu
contents Extracting MITRE ATT&CK Tactics, Techniques, and Procedures (TTPs) from natural language threat reports is crucial yet challenging. Existing methods primarily focus on performance metrics using data-driven approaches, often neglecting mechanisms to ensure faithful adherence to the official standard. This deficiency compromises the reliability and consistency of TTP assignments, creating intelligence silos and contradictory threat assessments across organizations. To address this, we introduce a novel framework that converts abstract standard definitions into actionable, contextualized knowledge. Our method uses a Large Language Model (LLM) to generate, update, and apply this knowledge. The framework populates an evolvable memory with dual-layer situational knowledge instances derived from labeled examples and official definitions. The first layer identifies situational contexts (e.g., "Communication with C2 using encoded subdomains"), while the second layer captures distinctive features that differentiate similar techniques (e.g., distinguishing T1132 "Data Encoding" from T1071 "Application Layer Protocol" based on whether the focus is on encoding methods or protocol usage). This structured approach provides a transparent basis for explainable TTP assignments and enhanced human oversight, while also helping to standardize other TTP extraction systems. Experiments show our framework (using Qwen2.5-32B) boosts Technique F1 scores by 11% over GPT-4o. Qualitative analysis confirms superior standardization, enhanced transparency, and improved explainability in real-world threat intelligence scenarios. To the best of our knowledge, this is the first work that uses an LLM to generate, update, and apply new knowledge for TTP extraction.
format Preprint
id arxiv_https___arxiv_org_abs_2505_09261
institution arXiv
publishDate 2025
record_format arxiv
title Instantiating Standards: Enabling Standard-Driven Text TTP Extraction with Evolvable Memory
topic Cryptography and Security
url https://arxiv.org/abs/2505.09261