• Journal of Internet Computing and Services
    ISSN 2287 - 1136 (Online) / ISSN 1598 - 0170 (Print)
    https://jics.or.kr/

LLM-Based Cyber Threat Analysis Report: Automated Attack Technique Analysis Technology


Yonghyeon Park, Changhee Choi, Journal of Internet Computing and Services, Vol. 26, No. 4, pp. 9-18, Aug. 2025
DOI: 10.7472/jksii.2025.26.4.9
Keywords: LLM, finetuning, MITRE ATT&CK, cyber attack technique

Abstract

With the rise in cyber attacks, the number of cyber threat intelligence reports analyzing these incidents has increased significantly. However, mapping the attack techniques described in these reports to MITRE ATT&CK techniques requires significant time and effort from cybersecurity experts. To automate this process, we propose a method that leverages a Large Language Model (LLM) to automatically extract MITRE ATT&CK techniques from cyber threat intelligence reports. We crawled the official MITRE ATT&CK website and manually labeled attack techniques from cyber threat intelligence reports to construct a dataset. Additionally, we conducted prompt engineering and fine-tuning on widely used LLMs, including LLaMA, Gemma, and DeepSeek, and compared their performance in TTP extraction. Experimental results showed that the proposed method extracted attack techniques from individual sentences with an accuracy of up to 61.1%. Furthermore, even after being fine-tuned for the specific task of technique extraction, the model preserved the original conversational capabilities of the LLM.



Cite this article
[APA Style]
Park, Y. & Choi, C. (2025). LLM-Based Cyber Threat Analysis Report: Automated Attack Technique Analysis Technology. Journal of Internet Computing and Services, 26(4), 9-18. DOI: 10.7472/jksii.2025.26.4.9.

[IEEE Style]
Y. Park and C. Choi, "LLM-Based Cyber Threat Analysis Report: Automated Attack Technique Analysis Technology," Journal of Internet Computing and Services, vol. 26, no. 4, pp. 9-18, 2025. DOI: 10.7472/jksii.2025.26.4.9.

[ACM Style]
Yonghyeon Park and Changhee Choi. 2025. LLM-Based Cyber Threat Analysis Report: Automated Attack Technique Analysis Technology. Journal of Internet Computing and Services, 26, 4, (2025), 9-18. DOI: 10.7472/jksii.2025.26.4.9.