In recent years, cyberattacks have been on the rise globally, causing substantial economic losses and severe social risks to governments, enterprises, and other organizations. Against this backdrop, Cyber Threat Intelligence (CTI) has emerged as a crucial resource for combating cyberattacks, with its importance increasingly highlighted. However, the unstructured nature of CTI data poses challenges for manual extraction of valuable information. Therefore, Named Entity Recognition (NER) based on CTI has become a key technology for the prevention and response to cyberattacks. Although deep learning-based NER models have achieved remarkable success in many fields, their application in the cybersecurity domain has been relatively slow due to the high specialization of CTI and the scarcity of labeled data. To address this, this paper proposes a CTI Named Entity Recognition framework for low-resource scenarios—CyberNER-LLM. This framework effectively integrates LLMs with NER through a redesigned output format and achieves efficient and accurate extraction of cybersecurity entities through two stages: initial entity recognition and model self-validation. Experimental results show that, supported by a 3B-scale LLM, CyberNER-LLM significantly outperforms traditional NER models.

错误:搜索内容不能为空,请输入英文关键词
错误:关键词超出字数限制,请精简
高级检索

CyberNER-LLM: Cyber Threat Intelligence Named Entity Recognition With Large Language Model

  • Xinzheng Liu,
  • Wangqun Lin,
  • Zhaoyun Ding

摘要

In recent years, cyberattacks have been on the rise globally, causing substantial economic losses and severe social risks to governments, enterprises, and other organizations. Against this backdrop, Cyber Threat Intelligence (CTI) has emerged as a crucial resource for combating cyberattacks, with its importance increasingly highlighted. However, the unstructured nature of CTI data poses challenges for manual extraction of valuable information. Therefore, Named Entity Recognition (NER) based on CTI has become a key technology for the prevention and response to cyberattacks. Although deep learning-based NER models have achieved remarkable success in many fields, their application in the cybersecurity domain has been relatively slow due to the high specialization of CTI and the scarcity of labeled data. To address this, this paper proposes a CTI Named Entity Recognition framework for low-resource scenarios—CyberNER-LLM. This framework effectively integrates LLMs with NER through a redesigned output format and achieves efficient and accurate extraction of cybersecurity entities through two stages: initial entity recognition and model self-validation. Experimental results show that, supported by a 3B-scale LLM, CyberNER-LLM significantly outperforms traditional NER models.