{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,1,2]],"date-time":"2026-01-02T07:50:05Z","timestamp":1767340205510,"version":"3.44.0"},"publisher-location":"Cham","reference-count":25,"publisher":"Springer Nature Switzerland","isbn-type":[{"type":"print","value":"9783032006325"},{"type":"electronic","value":"9783032006332"}],"license":[{"start":{"date-parts":[[2025,1,1]],"date-time":"2025-01-01T00:00:00Z","timestamp":1735689600000},"content-version":"tdm","delay-in-days":0,"URL":"https:\/\/creativecommons.org\/licenses\/by\/4.0"},{"start":{"date-parts":[[2025,8,9]],"date-time":"2025-08-09T00:00:00Z","timestamp":1754697600000},"content-version":"vor","delay-in-days":220,"URL":"https:\/\/creativecommons.org\/licenses\/by\/4.0"}],"content-domain":{"domain":["link.springer.com"],"crossmark-restriction":false},"short-container-title":[],"published-print":{"date-parts":[[2025]]},"abstract":"<jats:title>Abstract<\/jats:title>\n          <jats:p>Cyber Situational Awareness (CSA) is crucial for understanding and anticipating developments across diverse domains. This paper introduces a novel approach employing advanced Artificial Intelligence (AI) and Natural Language Processing (NLP) techniques to effectively analyze and enrich Cyber Threat Intelligence (CTI) and Open Source Intelligence (OSINT) data. The paper designs an unified CTI and OSINT processing pipeline that integrates named entity recognition (NER), relationship extraction, classification, and summarization, addressing current limitations in CTI analysis. Notably, our evaluation of existing language models revealed significant shortcomings, with general-purpose tokenizers recognizing only 1.62% of specialized MITRE ATT&amp;CK terms. In contrast, our pipeline achieves superior performance, notably surpassing state-of-the-art models in some important aspects. Practical military and civilian scenarios further demonstrate the pipeline\u2019s value in generating actionable intelligence, enabling complex reasoning by combining symbolic knowledge graphs and semantic vector search methods. Future developments focus on refining model scalability and enhancing analytical capabilities to increase the effectiveness, efficiency, and applicability of our approach.<\/jats:p>","DOI":"10.1007\/978-3-032-00633-2_3","type":"book-chapter","created":{"date-parts":[[2025,8,8]],"date-time":"2025-08-08T10:15:12Z","timestamp":1754648112000},"page":"44-62","update-policy":"https:\/\/doi.org\/10.1007\/springer_crossmark_policy","source":"Crossref","is-referenced-by-count":1,"title":["Enhancing Cyber Situational Awareness with\u00a0AI: A Novel Pipeline Approach for\u00a0Threat Intelligence Analysis and\u00a0Enrichment"],"prefix":"10.1007","author":[{"ORCID":"https:\/\/orcid.org\/0009-0008-4698-5534","authenticated-orcid":false,"given":"Dzenan","family":"Hamzic","sequence":"first","affiliation":[]},{"ORCID":"https:\/\/orcid.org\/0000-0002-1922-7892","authenticated-orcid":false,"given":"Florian","family":"Skopik","sequence":"additional","affiliation":[]},{"ORCID":"https:\/\/orcid.org\/0000-0003-3813-3151","authenticated-orcid":false,"given":"Max","family":"Landauer","sequence":"additional","affiliation":[]},{"ORCID":"https:\/\/orcid.org\/0000-0003-3259-6972","authenticated-orcid":false,"given":"Markus","family":"Wurzenberger","sequence":"additional","affiliation":[]},{"ORCID":"https:\/\/orcid.org\/0000-0002-9272-6225","authenticated-orcid":false,"given":"Andreas","family":"Rauber","sequence":"additional","affiliation":[]}],"member":"297","published-online":{"date-parts":[[2025,8,9]]},"reference":[{"key":"3_CR1","doi-asserted-by":"publisher","unstructured":"Alam, M.T., Bhusal, D., Park, Y., Rastogi, N.: Looking beyond IoCs: automatically extracting attack patterns from external CTI. In: Proceedings of the 26th International Symposium on Research in Attacks, Intrusions and Defenses (RAID \u201923). ACM (2023). https:\/\/doi.org\/10.1145\/3607199.3607208","DOI":"10.1145\/3607199.3607208"},{"issue":"11","key":"3_CR2","doi-asserted-by":"publisher","first-page":"2021","DOI":"10.3390\/electronics13112021","volume":"13","author":"L Alevizos","year":"2024","unstructured":"Alevizos, L., Dekker, M.: Towards an AI-enhanced cyber threat intelligence processing pipeline. Electronics 13(11), 2021 (2024). https:\/\/doi.org\/10.3390\/electronics13112021","journal-title":"Electronics"},{"key":"3_CR3","unstructured":"Arazzi, M., et al.: NLP-Based Techniques for Cyber Threat Intelligence. arXiv preprint arXiv:2311.08807 (2023). https:\/\/arxiv.org\/abs\/2311.08807"},{"key":"3_CR4","unstructured":"Chang, C.H.: Cyber Threat Intelligence: A Pipeline to Classify Cyber Threats from Disparate Data Sources. Honours thesis, AiLECS Lab, Monash University (March 2022)"},{"key":"3_CR5","first-page":"12792","volume":"33","author":"M Ding","year":"2020","unstructured":"Ding, M., Zhou, C., Yang, H., Tang, J.: Cogltx: applying bert to long texts. Adv. Neural. Inf. Process. Syst. 33, 12792\u201312804 (2020)","journal-title":"Adv. Neural. Inf. Process. Syst."},{"key":"3_CR6","doi-asserted-by":"crossref","unstructured":"Endsley, M.R.: Theoretical underpinnings of situation awareness: a critical review. In: Endsley, M.R., Garland, D.J. (eds.) Situation Awareness Analysis and Measurement. Lawrence Erlbaum Associates, Mahwah, NJ (2000). https:\/\/www.researchgate.net\/publication\/292771806_Situation_awareness_analysis_and_measurement_chapter_theoretical_underpinnings_of_situation_awareness, accessed: 2025-04-07","DOI":"10.1201\/b12461"},{"key":"3_CR7","doi-asserted-by":"publisher","unstructured":"Endsley, M.R.: Situation awareness. In: Salvendy, G., Karwowski, W. (eds.) Handbook of Human Factors and Ergonomics, chap.\u00a017. Wiley (2021). https:\/\/doi.org\/10.1002\/9781119636113.ch17, https:\/\/doi.org\/10.1002\/9781119636113.ch17","DOI":"10.1002\/9781119636113.ch17"},{"key":"3_CR8","doi-asserted-by":"publisher","first-page":"23733","DOI":"10.1109\/ACCESS.2024.3363469","volume":"12","author":"MA Ferrag","year":"2024","unstructured":"Ferrag, M.A., Ndhlovu, M., Tihanyi, N., Cordeiro, L.C., Debbah, M., Lestable, T., Thandi, N.S.: Revolutionizing cyber threat detection with large language models: a privacy-preserving bert-based lightweight model for iot\/iiot devices. IEEe Access 12, 23733\u201323750 (2024)","journal-title":"IEEe Access"},{"key":"3_CR9","doi-asserted-by":"crossref","unstructured":"Hamzic, D., Skopik, F., Landauer, M., Wurzenberger, M., Rauber, A.: Ttp classification with minimal labeled data: A retrieval-based few-shot learning approach (2025), to appear at the 20th International Conference on Availability, Reliability and Security (ARES 2025), August 11-14, 2025, Ghent, Belgium. Springer (2025)","DOI":"10.1007\/978-3-032-00627-1_19"},{"key":"3_CR10","unstructured":"Lange, L., M\u00fcller, M., Torbati, G.H., Milchevski, D., Grau, P., Pujari, S., Friedrich, A.: Annoctr: a dataset for detecting and linking entities, tactics, and techniques in cyber threat reports (2024). https:\/\/arxiv.org\/abs\/2404.07765"},{"key":"3_CR11","doi-asserted-by":"crossref","unstructured":"Li, Z., Zeng, J., Chen, Y., Liang, Z.: AttacKG: constructing technique knowledge graph from cyber threat intelligence reports. arXiv preprint arXiv:2111.07093 (2022). https:\/\/arxiv.org\/abs\/2111.07093","DOI":"10.1007\/978-3-031-17140-6_29"},{"key":"3_CR12","unstructured":"Liberato, M.: Secbert : analyzing reports using bert-like models, December 2022. http:\/\/essay.utwente.nl\/93906\/"},{"key":"3_CR13","doi-asserted-by":"publisher","unstructured":"Munir, A., Aved, A., Blasch, E.: Situational awareness: Techniques, challenges, and prospects. AI 3(1), 55\u201377 (2022). https:\/\/doi.org\/10.3390\/ai3010005","DOI":"10.3390\/ai3010005"},{"key":"3_CR14","doi-asserted-by":"crossref","unstructured":"Nayak, A., Timmapathini, H., Ponnalagu, K., Venkoparao, V.G.: Domain adaptation challenges of bert in tokenization and sub-word representations of out-of-vocabulary words. In: Proceedings of the first workshop on insights from negative results in NLP, pp.\u00a01\u20135 (2020)","DOI":"10.18653\/v1\/2020.insights-1.1"},{"key":"3_CR15","doi-asserted-by":"crossref","unstructured":"Pieterse, H., Van\u2019t\u00a0Wout, C., Khan, Z., Serfontein, C.: Specialised media monitoring tool to observe situational awareness. In: Proceedings of the 17th International Conference on Information Warfare and Security, p.\u00a0244 (2022)","DOI":"10.34190\/iccws.17.1.16"},{"key":"3_CR16","unstructured":"Rahman, M.R., Mahdavi-Hezaveh, R., Williams, L.: What are the attackers doing now? Automating cyber threat intelligence extraction from text on pace with the changing threat landscape: A survey. arXiv preprint arXiv:2109.06808 (2021), https:\/\/arxiv.org\/abs\/2109.06808"},{"key":"3_CR17","doi-asserted-by":"crossref","unstructured":"Rani, N., Saha, B., Maurya, V., Shukla, S.K.: Ttpxhunter: Actionable threat intelligence extraction as ttps from finished cyber threat reports. arXiv (2024). https:\/\/arxiv.org\/abs\/2403.03267","DOI":"10.1145\/3696427"},{"key":"3_CR18","doi-asserted-by":"crossref","unstructured":"Rani, N., Saha, B., Maurya, V., Shukla, S.K.: Ttphunter: Automated extraction of actionable intelligence as ttps from narrative threat reports. In: Proceedings of the 2023 Australasian Computer Science Week, pp. 126\u2013134 (2023)","DOI":"10.1145\/3579375.3579391"},{"key":"3_CR19","unstructured":"Rani, N., Saha, B., Maurya, V., Shukla, S.K.: Chasing the Shadows: TTPs in Action to Attribute Advanced Persistent Threats. arXiv preprint arXiv:2409.16400 (2024). https:\/\/arxiv.org\/abs\/2409.16400"},{"issue":"4","key":"3_CR20","doi-asserted-by":"publisher","first-page":"1","DOI":"10.1145\/3696427","volume":"5","author":"N Rani","year":"2024","unstructured":"Rani, N., Saha, B., Maurya, V., Shukla, S.K.: Ttpxhunter: Actionable threat intelligence extraction as ttps from finished cyber threat reports. Digital Threats: Resand Practice 5(4), 1\u201319 (2024)","journal-title":"Digital Threats: Resand Practice"},{"key":"3_CR21","doi-asserted-by":"publisher","unstructured":"Samtani, S., Li, W., Benjamin, V., Chen, H.: Informing cyber threat intelligence through dark web situational awareness: The azsecure hacker assets portal. Digital Threats 2(4) (Oct 2021). https:\/\/doi.org\/10.1145\/3450972. https:\/\/doi.org\/10.1145\/3450972","DOI":"10.1145\/3450972"},{"key":"3_CR22","first-page":"16857","volume":"33","author":"K Song","year":"2020","unstructured":"Song, K., Tan, X., Qin, T., Lu, J., Liu, T.Y.: Mpnet: Masked and permuted pre-training for language understanding. Adv. Neural. Inf. Process. Syst. 33, 16857\u201316867 (2020)","journal-title":"Adv. Neural. Inf. Process. Syst."},{"key":"3_CR23","doi-asserted-by":"publisher","unstructured":"Wurzenberger, M., et\u00a0al.: NEWSROOM: Towards automating cyber situational awareness processes and tools for cyber defence. In: Proceedings of the 19th International Conference on Availability, Reliability and Security (ARES 2024). Association for Computing Machinery, New York, NY, USA (2024). https:\/\/doi.org\/10.1145\/3664476.3670914, https:\/\/dl.acm.org\/doi\/10.1145\/3664476.3670914","DOI":"10.1145\/3664476.3670914"},{"key":"3_CR24","doi-asserted-by":"crossref","unstructured":"Zaratiana, U., Tomeh, N., Holat, P., Charnois, T.: Gliner: Generalist model for named entity recognition using bidirectional transformer (2023). https:\/\/arxiv.org\/abs\/2311.08526","DOI":"10.18653\/v1\/2022.umios-1.2"},{"key":"3_CR25","doi-asserted-by":"publisher","first-page":"1","DOI":"10.1155\/2022\/9875199","volume":"2022","author":"Y Zhou","year":"2022","unstructured":"Zhou, Y., Tang, Y., Yi, M., Xi, C., Lu, H.: CTI view: APT threat intelligence analysis system. Secur. Commun. Networks 2022, 1\u201315 (2022). https:\/\/doi.org\/10.1155\/2022\/9875199","journal-title":"Secur. Commun. Networks"}],"container-title":["Lecture Notes in Computer Science","Availability, Reliability and Security"],"original-title":[],"language":"en","link":[{"URL":"https:\/\/link.springer.com\/content\/pdf\/10.1007\/978-3-032-00633-2_3","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2025,9,8]],"date-time":"2025-09-08T19:24:04Z","timestamp":1757359444000},"score":1,"resource":{"primary":{"URL":"https:\/\/link.springer.com\/10.1007\/978-3-032-00633-2_3"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2025]]},"ISBN":["9783032006325","9783032006332"],"references-count":25,"URL":"https:\/\/doi.org\/10.1007\/978-3-032-00633-2_3","relation":{},"ISSN":["0302-9743","1611-3349"],"issn-type":[{"type":"print","value":"0302-9743"},{"type":"electronic","value":"1611-3349"}],"subject":[],"published":{"date-parts":[[2025]]},"assertion":[{"value":"9 August 2025","order":1,"name":"first_online","label":"First Online","group":{"name":"ChapterHistory","label":"Chapter History"}},{"value":"ARES","order":1,"name":"conference_acronym","label":"Conference Acronym","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"International Conference on Availability, Reliability and Security","order":2,"name":"conference_name","label":"Conference Name","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"Ghent","order":3,"name":"conference_city","label":"Conference City","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"Belgium","order":4,"name":"conference_country","label":"Conference Country","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"2025","order":5,"name":"conference_year","label":"Conference Year","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"11 August 2025","order":7,"name":"conference_start_date","label":"Conference Start Date","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"14 August 2025","order":8,"name":"conference_end_date","label":"Conference End Date","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"20","order":9,"name":"conference_number","label":"Conference Number","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"ares-12025","order":10,"name":"conference_id","label":"Conference ID","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"https:\/\/2025.ares-conference.eu","order":11,"name":"conference_url","label":"Conference URL","group":{"name":"ConferenceInfo","label":"Conference Information"}}]}}