Research area: Safety
Conference: International Conference on Availability, Reliability and Security
Cyber Threat Intelligence (CTI) reports provide information about emerging and current cyber threats, and their analysis is key to adopting appropriate countermeasures. Reports typically take the form of long texts from which cybersecurity analysts extract the essential elements and translate them into actionable steps. To summarise and share the findings of this analysis, sentences in the reports are often labelled with MITRE ATT&CK techniques, which give a better description of the identified attack patterns. However, this task can be very time-consuming and is prone to both errors and analyst bias. In the literature there have been some attempts to automate this process; most commonly, researchers apply different pre-processing steps to the initial reports and then apply classification techniques, including approaches based on large language models (LLMs). Considering that reports are written in natural language, in this paper we present an approach that relies entirely on LLMs and seeks to minimise the preprocessing of reports and other human intervention in order, if not to replace the analysts, at least to ease their task. We evaluate our approach on a real-world CTI report and an extensive dataset of MITRE-labelled sentences, reducing the number of potentially suitable techniques by up to 33 while retaining the ground-truth labels in up to 94.29% of the sentences.
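The abstract reports two evaluation figures: how far the candidate set of ATT&CK techniques shrinks, and how often the ground-truth label survives in the shortlist. The following is an added example, not code from the paper, showing how a practitioner would compute those two metrics for an LLM-produced shortlist. The sentences, shortlists and the `TECHNIQUE_SPACE` size are constructed assumptions for illustration; the `match_parent` option (count a sub-technique label as retained when only its parent technique is shortlisted) is a design choice of this example, not something the paper describes.

```python
"""Evaluation of an ATT&CK candidate-shortlisting step (added example, not the paper's code).

For each sentence we have ground-truth technique IDs and a model-proposed
shortlist of candidate IDs.  We compute:
  * ground-truth retention: share of sentences whose labels all survive the shortlist
  * shortlist size and the reduction factor relative to the full technique space
"""
from dataclasses import dataclass
from typing import Dict, List, Set


@dataclass(frozen=True)
class LabelledSentence:
    text: str
    truth: frozenset  # ground-truth ATT&CK technique IDs such as "T1566.001"


def parent_id(tid: str) -> str:
    """Map a sub-technique ID (T1566.001) to its parent (T1566); plain IDs pass through."""
    return tid.split(".", 1)[0]


def is_retained(truth: frozenset, candidates: Set[str], match_parent: bool = False) -> bool:
    """True if every ground-truth label of one sentence is still in the shortlist.

    With match_parent=True a sub-technique label also counts as retained when only
    its parent technique is shortlisted (shortlists built at technique granularity).
    A sentence with any dropped label is a miss: the analyst could no longer pick it.
    """
    for tid in truth:
        if tid in candidates:
            continue
        if match_parent and parent_id(tid) in candidates:
            continue
        return False
    return True


def retention_rate(sentences: List[LabelledSentence], candidates: Dict[str, Set[str]],
                   match_parent: bool = False) -> float:
    """Fraction (0..1) of sentences whose ground-truth labels are all retained."""
    if not sentences:
        raise ValueError("no sentences to evaluate")
    kept = sum(is_retained(s.truth, candidates[s.text], match_parent) for s in sentences)
    return kept / len(sentences)


def mean_shortlist_size(candidates: Dict[str, Set[str]]) -> float:
    """Average number of candidate techniques the model leaves per sentence."""
    sizes = [len(c) for c in candidates.values()]
    return sum(sizes) / len(sizes)


def reduction_factor(technique_space: int, candidates: Dict[str, Set[str]]) -> float:
    """How many times smaller the average shortlist is than the full technique space."""
    return technique_space / mean_shortlist_size(candidates)


# Constructed sample: four report-style sentences with ground-truth labels.
SAMPLE = [
    LabelledSentence("The phishing email carried a macro-enabled document.", frozenset({"T1566.001"})),
    LabelledSentence("The implant used a scheduled task for persistence.", frozenset({"T1053.005"})),
    LabelledSentence("Credentials were dumped from LSASS memory.", frozenset({"T1003.001"})),
    LabelledSentence("Collected files were archived before exfiltration.", frozenset({"T1560.001", "T1041"})),
]

# Constructed shortlists standing in for what an LLM would propose per sentence.
CANDIDATES: Dict[str, Set[str]] = {
    SAMPLE[0].text: {"T1566", "T1204.002", "T1059.005", "T1137"},      # parent only, not T1566.001
    SAMPLE[1].text: {"T1053.005", "T1547.001", "T1543.003"},
    SAMPLE[2].text: {"T1003.001", "T1555", "T1552.001", "T1056.001"},
    SAMPLE[3].text: {"T1560.001", "T1567", "T1020"},                   # T1041 was dropped
}

TECHNIQUE_SPACE = 200  # assumed size of the technique catalogue being narrowed down


if __name__ == "__main__":
    print(f"strict retention:        {retention_rate(SAMPLE, CANDIDATES):.2%}")
    print(f"parent-aware retention:  {retention_rate(SAMPLE, CANDIDATES, match_parent=True):.2%}")
    print(f"mean shortlist size:     {mean_shortlist_size(CANDIDATES):.2f}")
    print(f"reduction factor:        {reduction_factor(TECHNIQUE_SPACE, CANDIDATES):.1f}x")
```

Retention is scored per sentence, not per label, because a shortlist that drops even one of a sentence's true techniques forces the analyst back to the full catalogue for that sentence. Whether parent-level matches should count depends on the granularity at which the analyst is expected to label; report both numbers when the choice is not fixed.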
| Publication year | 2025 |
|---|---|
| Citations | 0 |
| Country of publication | Italy |
| Site | Springer |