Skip to main content
U.S. flag

An official website of the United States government

Official websites use .gov
A .gov website belongs to an official government organization in the United States.

Secure .gov websites use HTTPS
A lock ( ) or https:// means you’ve safely connected to the .gov website. Share sensitive information only on official, secure websites.

ALERT: A Framework for Efficient Extraction of Attack Techniques from Cyber Threat Intelligence Reports Using Active Learning

Published

Author(s)

Fariha Rahman, Sadaf Halim, Anoop Singhal, Latifur Khan

Abstract

In the dynamic landscape of cybersecurity, curated knowledge plays a pivotal role in empowering security analysts to respond effectively to cyber threats. Cyber Threat Intelligence (CTI) reports offer valuable insights into adversary behavior, but their length, complexity, and inconsistent structure pose challenges for extracting actionable information. To address this, our research focuses on automating the extraction of attack techniques from CTI reports and mapping them to the standardized MITRE ATT&CK framework. For this task, fine-tuning Large Language Models (LLMs) for downstream sequence classification shows promise due to their ability to comprehend complex natural language. However, fine-tuning LLMs requires vast amounts of annotated domain-specific data, which is costly and time-intensive, relying on the expertise of security professionals. To meet these challenges, we propose ALERT, a novel cybersecurity framework which leverages active learning strategies in conjunction with an LLM. This approach dynamically selects the most informative instances for annotation, thereby achieving comparable performance with a significantly smaller dataset. By prioritizing the annotation of samples that contribute the most to the model's learning, our methodology optimizes the allocation of resources, leading to a more efficient framework for extracting and mapping attack techniques from CTI reports to the ATT&CK framework.
Proceedings Title
Data and Applications Security and Privacy XXXVIII (DBSec 2024)
Volume
14901
Conference Dates
July 15-17, 2024
Conference Location
San Jose, CA, US
Conference Title
38th International IFIP Conference on Data and Application Security and Privacy (DBSEC 2024)

Keywords

Active Learning, LLM, ATT&CK, CTI

Citation

Rahman, F. , Halim, S. , Singhal, A. and Khan, L. (2024), ALERT: A Framework for Efficient Extraction of Attack Techniques from Cyber Threat Intelligence Reports Using Active Learning, Data and Applications Security and Privacy XXXVIII (DBSec 2024), San Jose, CA, US, [online], https://doi.org/10.1007/978-3-031-65172-4_13, https://tsapps.nist.gov/publication/get_pdf.cfm?pub_id=958028 (Accessed December 26, 2024)

Issues

If you have any questions about this publication or are having problems accessing it, please contact reflib@nist.gov.

Created July 13, 2024, Updated July 16, 2024