From Threat Report to ATT&CK: Automated Extraction and Reasoning of TTPs Using Large Language Models
Abstract: The escalating frequency and increasing complexity of cyber attacks underscore the importance of Cyber Threat Intelligence (CTI). Tactics, Techniques, and Procedures (TTPs), as advanced CTI capable of characterizing adversarial behaviors and intentions, have garnered increased attention. However, TTPs are predominantly embedded within the unstructured natural-language text of threat reports, and their accurate extraction and standardization pose significant challenges. Existing methods exhibit limitations in terms of accuracy, generalizability, and interpretability. This paper presents a pipeline that uses large language models to automatically extract TTPs from threat reports and to provide rationales for each extraction. To support this approach, we have developed three datasets using advanced commercial LLMs for data synthesis; these datasets are made publicly available to facilitate further research. Experimental results demonstrate the superior performance of our proposed approach, achieving an F1-score of 97.15% and accuracies of 79.22% and 92.97% in the respective tasks. These results surpass state-of-the-art methods by 15.39%, 12.87%, and 27.57%, respectively. To the best of our knowledge, this paper is the first to extract TTPs and, at the same time, provide the underlying rationales for the extraction. This approach significantly improves the usability of the results by providing a richer context for threats.
External IDs: dblp:conf/cscwd/DongJMHYYW25