[1]Chen X, An J, Xiong Z, et al. Covert communications: A comprehensive survey[J]. IEEE Communications Surveys & Tutorials, 2023, 25(2): 1173-1198.
[2]Alshamrani A, Myneni S, Chowdhary A, et al. A survey on advanced persistent threats: Techniques, solutions, challenges, and research opportunities[J]. IEEE Communications Surveys & Tutorials, 2019, 21(2): 1851-1877.
[3]Kaiser F K, Dardik U, Elitzur A, et al. Attack hypotheses generation based on threat intelligence knowledge graph[J]. IEEE Transactions on Dependable and Secure Computing, 2023, 20(6): 4793-4809.
[4]Kotsias J, Ahmad A, Scheepers R. Adopting and integrating cyber-threat intelligence in a commercial organisation[J]. European Journal of Information Systems, 2023, 32(1): 35-51.
[5]Bianco D. Enterprise Detection & Response[EB/OL]. (2013-03-01)[2025-06-10]. https://detect-respond.blogspot.com/2013/03/the-pyramid-of-pain.html.
[6]Ramsdale A, Shiaeles S, Kolokotronis N. A comparative analysis of cyber-threat intelligence sources, formats and languages[J]. Electronics, 2020, 9(5): 824.
[7]Alam M T, Bhusal D, Park Y, et al. Looking beyond IoCs: Automatically extracting attack patterns from external CTI[C]//Proceedings of the 26th International Symposium on Research in Attacks, Intrusions and Defenses. 2023: 92-108.
[8]Strom B E, Applebaum A, Miller D P, et al. Mitre att&ck: Design and philosophy[M]//Technical report. The MITRE Corporation, 2018.
[9]Kim H, Kim H. Comparative experiment on TTP classification with class imbalance using oversampling from CTI dataset[J]. Security and Communication Networks, 2022, 2022(1): 5021125.
[10]Nguyen T, Šrndić N, Neth A. Noise Contrastive Estimation-based Matching Framework for Low-Resource Security Attack Pattern Recognition[J]. arXiv preprint arXiv:2401.10337, 2024.
[11]Meng C, Jiang Z W, Wang Q Y, et al. Instantiating Standards: Enabling Standard-Driven Text TTP Extraction with Evolvable Memory[J]. arXiv preprint arXiv:2505.09261, 2025.
[12]Legoy V S M. Retrieving ATT&CK tactics and techniques in cyber threat reports[D]. University of Twente, 2019.
[13]Domschot E, Ramyaa R, Smith M R. Improving Automated Labeling for ATT&CK Tactics in Malware Threat Reports[J]. Digital Threats: Research and Practice, 2024, 5(1): 1-16.
[14]Rahman M R, Hezaveh R M, Williams L. What are the attackers doing now? Automating cyberthreat intelligence extraction from text on pace with the changing threat landscape: A survey[J]. ACM Computing Surveys, 2023, 55(12): 1-36.
[15]Fayyazi R, Taghdimi R, Yang S J. Advancing TTP analysis: harnessing the power of large language models with retrieval augmented generation[C]//2024 Annual Computer Security Applications Conference Workshops (ACSAC Workshops). IEEE, 2024: 255-261.
[16]Legoy V, Caselli M, Seifert C, et al. Automated retrieval of att&ck tactics and techniques for cyber threat reports[J]. arXiv preprint arXiv:2004.14322, 2020.
[17]Yu Z, Wang J F, Tang B H, et al. Tactics and techniques classification in cyber threat intelligence[J]. The Computer Journal, 2023, 66(8): 1870-1881.
[18]Satvat K, Gjomemo R, Venkatakrishnan V N. Extractor: Extracting attack behavior from threat reports[C]//2021 IEEE European Symposium on Security and Privacy (EuroS&P). IEEE, 2021: 598-615.
[19]Ge W, Wang J, Lin T, et al. Explainable cyber threat behavior identification based on self-adversarial topic generation[J]. Computers & Security, 2023, 132: 103369.
[20]Ge W, Cui Z, Wang J, et al. MetaCluster: A Universal Interpretable Classification Framework for Cybersecurity[J]. IEEE Transactions on Information Forensics and Security, 2024.
[21]Husari G, Al-Shaer E, Ahmed M, et al. Ttpdrill: Automatic and accurate extraction of threat actions from unstructured text of cti sources[C]//Proceedings of the 33rd annual computer security applications conference. 2017: 103-115.
[22]Niakanlahiji A, Wei J, Chu B T. A natural language processing based trend analysis of advanced persistent threat techniques[C]//2018 IEEE International Conference on Big Data (Big Data). IEEE, 2018: 2995-3000.
[23]Fayyazi R, Yang S J. On the uses of large language models to interpret ambiguous cyberattack descriptions[J]. arXiv preprint arXiv:2306.14062, 2023.
[24]Mezzi E, Massacci F, Tuma K. Large Language Models are Unreliable for Cyber Threat Intelligence[J]. arXiv preprint arXiv:2503.23175, 2025.
[25]Rahman M R, Wroblewski B, Matthews Q, et al. ChronoCTI: Mining Knowledge Graph of Temporal Relations Among Cyberattack Actions[C]//2024 IEEE International Conference on Data Mining (ICDM). IEEE, 2024: 420-429.
[26]Hu Y, Zou F, Han J, et al. Llm-tikg: Threat intelligence knowledge graph construction utilizing large language model[J]. Computers & Security, 2024, 145: 103999.
[27]You Y, Jiang J, Jiang Z, et al. TIM: threat context-enhanced TTP intelligence mining on unstructured threat data[J]. Cybersecurity, 2022, 5(1): 3.
[28]Ge W, Wang J. SeqMask: Behavior extraction over cyber threat intelligence via multi-instance learning[J]. The Computer Journal, 2024, 67(1): 253-273.
[29]Liu C, Wang J, Chen X. Threat intelligence ATT&CK extraction based on the attention transformer hierarchical recurrent neural network[J]. Applied Soft Computing, 2022, 122: 108826.
[30]Wang L, Ma C, Feng X, et al. A survey on large language model based autonomous agents[J]. Frontiers of Computer Science, 2024, 18(6): 186345.
[31]Guo T, Chen X, Wang Y, et al. Large language model based multi-agents: A survey of progress and challenges[J]. arXiv preprint arXiv:2402.01680, 2024.
[32]Qu C, Dai S, Wei X, et al. Tool learning with large language models: A survey[J]. Frontiers of Computer Science, 2025, 19(8): 198343.
[33]Wei J, Zou K. Eda: Easy data augmentation techniques for boosting performance on text classification tasks[J]. arXiv preprint arXiv:1901.11196, 2019.
[34]Rahman M R, Williams L. From threat reports to continuous threat intelligence: a comparison of attack technique extraction methods from textual artifacts[J]. arXiv preprint arXiv:2210.02601, 2022.
[35]Chawla N V, Bowyer K W, Hall L O, et al. SMOTE: synthetic minority over-sampling technique[J]. Journal of artificial intelligence research, 2002, 16: 321-357.
[36]Liu J, Yan J, Jiang J, et al. TriCTI: an actionable cyber threat intelligence discovery system via trigger-enhanced neural network[J]. Cybersecurity, 2022, 5(1): 8.
[37]Wu X, Lv S, Zang L, et al. Conditional bert contextual augmentation[C]//Computational Science–ICCS 2019: 19th International Conference, Faro, Portugal, June 12–14, 2019, Proceedings, Part IV 19. Springer International Publishing, 2019: 84-95.
[38]Aghaei E, Niu X, Shadid W, et al. Securebert: A domain-specific language model for cybersecurity[C]//International Conference on Security and Privacy in Communication Systems. Cham: Springer Nature Switzerland, 2022: 39-56.
[39]Brown T, Mann B, Ryder N, et al. Language models are few-shot learners[J]. Advances in Neural Information Processing Systems, 2020, 33.
[40]Fang L, Lee G G, Zhai X. Using gpt-4 to augment unbalanced data for automatic scoring[J]. arXiv preprint arXiv:2310.18365, 2023.
[41]Fang Y, Li X, Thomas S W, et al. Chatgpt as data augmentation for compositional generalization: A case study in open intent detection[J]. arXiv preprint arXiv:2308.13517, 2023.
[42]Dai H, Liu Z, Liao W, et al. Auggpt: Leveraging chatgpt for text data augmentation[J]. IEEE Transactions on Big Data, 2025.
[43]Fengrui Y, Yanhui D. Research on Generative Techniques for Identifying and Extracting Tactics, Techniques and Procedures[J]. Journal of Frontiers of Computer Science & Technology, 2025, 19(01): 118-131.
[44]Facebook Research. fasttext: Library for efficient learning of word representations and sentence classifications[EB/OL]. [2025-06-10]. https://fasttext.cc/.
[45]Fengrui Y. Survey on Automated Recognition and Extraction of TTPs[J]. Journal of Computer Engineering and Applications, 2024, 60(13): 1-22.
[46]Li M, Zheng R, Liu L, et al. Extraction of threat actions from threat-related articles using multi-label machine learning classification method[C]//2019 2nd International Conference on Safety Produce Informatization (IICSPI). IEEE, 2019: 428-431.
[47]Li Z, Zeng J, Chen Y, et al. AttacKG: Constructing technique knowledge graph from cyber threat intelligence reports[C]//European Symposium on Research in Computer Security. Cham: Springer International Publishing, 2022: 589-609.
[48]Yu Z, Wang J F, Tang B H, et al. Research on the classification of cyber threat intelligence techniques and tactics based on attention mechanism and feature fusion[J]. Journal of Sichuan University (Natural Science Edition), 2022, 59(05): 96-103. DOI: 10.19907/j.0490-6756.2022.053003.
[49]Abdeen B, Al-Shaer E, Singhal A, et al. Smet: Semantic mapping of cve to att&ck and its application to cybersecurity[C]//IFIP annual conference on data and applications security and privacy. Cham: Springer Nature Switzerland, 2023: 243-260.
[50]Kumarasinghe U, Lekssays A, Sencar H T, et al. Semantic ranking for automated adversarial technique annotation in security text[C]//Proceedings of the 19th ACM Asia Conference on Computer and Communications Security. 2024: 49-62.
[51]Rani N, Saha B, Maurya V, et al. TTPHunter: Automated extraction of actionable intelligence as TTPs from narrative threat reports[M]//Proceedings of the 2023 Australasian Computer Science Week. 2023: 126-134.
[52]Orbinato V, Barbaraci M, Natella R, et al. Automatic mapping of unstructured cyber threat intelligence: an experimental study:(practical experience report)[C]//2022 IEEE 33rd International Symposium on Software Reliability Engineering (ISSRE). IEEE, 2022: 181-192.
[53]Rani N, Saha B, Maurya V, et al. TTPXHunter: Actionable threat intelligence extraction as TTPs from finished cyber threat reports[J]. Digital Threats: Research and Practice, 2024, 5(4): 1-19.
[54]Liu X, Tan Y, Xiao Z, et al. Not the end of story: An evaluation of ChatGPT-driven vulnerability description mappings[C]//Findings of the Association for Computational Linguistics: ACL 2023. 2023: 3724-3731.
[55]Siracusano G, Sanvito D, Gonzalez R, et al. Time for action: Automated analysis of cyber threat intelligence in the wild[J]. arXiv preprint arXiv:2307.10214, 2023.
[56]Borgeaud S, Mensch A, Hoffmann J, et al. Improving language models by retrieving from trillions of tokens[C]//International conference on machine learning. PMLR, 2022: 2206-2240.
[57]Xu M, Wang H, Liu J, et al. IntelEX: A LLM-driven Attack-level Threat Intelligence Extraction Framework[J]. arXiv preprint arXiv:2412.10872, 2024.
[58]Guru K, Moss R J, Kochenderfer M J. On Technique Identification and Threat-Actor Attribution using LLMs and Embedding Models[J]. arXiv preprint arXiv:2505.11547, 2025.
[59]Zhang Y, Du T, Ma Y, et al. AttacKG+: Boosting attack graph construction with Large Language Models[J]. Computers & Security, 2025, 150: 104220.
[60]Zhang J, Wen H, Li L, et al. UniTTP: A Unified Framework for Tactics, Techniques, and Procedures Mapping in Cyber Threats[C]//2024 IEEE 23rd International Conference on Trust, Security and Privacy in Computing and Communications (TrustCom). IEEE, 2024: 1580-1588.
[61]Hugging Face. Security-TTP-Mapping [EB/OL]. [2025-06-10]. https://huggingface.co/datasets/tumeteor/Security-TTP-Mapping/tree/main.
[62]Ji H, Yang J, Chai L, et al. Sevenllm: Benchmarking, eliciting, and enhancing abilities of large language models in cyber threat intelligence[J]. arXiv preprint arXiv:2405.03446, 2024.