{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,3,13]],"date-time":"2026-03-13T15:26:52Z","timestamp":1773415612766,"version":"3.50.1"},"publisher-location":"Cham","reference-count":16,"publisher":"Springer Nature Switzerland","isbn-type":[{"value":"9783032006325","type":"print"},{"value":"9783032006332","type":"electronic"}],"license":[{"start":{"date-parts":[[2025,1,1]],"date-time":"2025-01-01T00:00:00Z","timestamp":1735689600000},"content-version":"tdm","delay-in-days":0,"URL":"https:\/\/creativecommons.org\/licenses\/by\/4.0"},{"start":{"date-parts":[[2025,8,9]],"date-time":"2025-08-09T00:00:00Z","timestamp":1754697600000},"content-version":"vor","delay-in-days":220,"URL":"https:\/\/creativecommons.org\/licenses\/by\/4.0"}],"content-domain":{"domain":["link.springer.com"],"crossmark-restriction":false},"short-container-title":[],"published-print":{"date-parts":[[2025]]},"abstract":"<jats:title>Abstract<\/jats:title>\n          <jats:p>Cyber Threat Intelligence (CTI) reports provide information about emerging and current cyber threats, and their analysis is key for adopting appropriate countermeasures. Reports are typically in the form of long texts from which cybersecurity analysts extract essential elements and translate them into actionable steps. To summarise and share the findings of this analysis, sentences in the reports are often labelled with MITRE ATT&amp;CK techniques that yield a better description of the identified attack patterns. However, this task can be very time-consuming and prone to both errors and biases of analysts.\n<\/jats:p>\n          <jats:p>In the literature, there have been some attempts to automate this process. Most commonly, researchers apply different pre-processing steps on the initial reports and then apply classification techniques, including approaches based on large language models (LLMs). 
Considering that reports are written in natural language, in this paper, we present an approach that relies entirely on LLMs and seeks to minimise preprocessing of reports and other human intervention, if not to replace, at least to ease the task of the analysts. We evaluate our approach on a real-world CTI report and an extensive dataset of MITRE-labelled sentences and reduce the number of potentially suitable techniques by up to 33<jats:inline-formula>\n              <jats:alternatives>\n                <jats:tex-math>$$\\times $$<\/jats:tex-math>\n                <mml:math xmlns:mml=\"http:\/\/www.w3.org\/1998\/Math\/MathML\">\n                  <mml:mo>\u00d7<\/mml:mo>\n                <\/mml:math>\n              <\/jats:alternatives>\n            <\/jats:inline-formula> while retaining ground truth labels in up to 94.29% of the sentences.<\/jats:p>","DOI":"10.1007\/978-3-032-00633-2_5","type":"book-chapter","created":{"date-parts":[[2025,8,8]],"date-time":"2025-08-08T10:15:39Z","timestamp":1754648139000},"page":"80-89","update-policy":"https:\/\/doi.org\/10.1007\/springer_crossmark_policy","source":"Crossref","is-referenced-by-count":1,"title":["Large Language Models for\u00a0Cyber Threat Intelligence: Extracting MITRE With 
LLMs"],"prefix":"10.1007","author":[{"ORCID":"https:\/\/orcid.org\/0009-0007-4077-0826","authenticated-orcid":false,"given":"Andra\u017e","family":"Kra\u0161ovec","sequence":"first","affiliation":[]},{"ORCID":"https:\/\/orcid.org\/0000-0001-7698-1771","authenticated-orcid":false,"given":"Gary","family":"Steri","sequence":"additional","affiliation":[]},{"ORCID":"https:\/\/orcid.org\/0000-0002-0142-7503","authenticated-orcid":false,"given":"Georgios","family":"Karopoulos","sequence":"additional","affiliation":[]},{"ORCID":"https:\/\/orcid.org\/0009-0000-7257-7851","authenticated-orcid":false,"given":"Mirko","family":"Trapani","sequence":"additional","affiliation":[]}],"member":"297","published-online":{"date-parts":[[2025,8,9]]},"reference":[{"key":"5_CR1","unstructured":"De\u00a0Longueville, B., et al.: The proof is in the eating: lessons learnt from one year of generative AI adoption in a science-for-policy organisation. SSRN 5141665"},{"key":"5_CR2","unstructured":"Devlin, J., Chang, M.W., Lee, K., Toutanova, K.: Bert: pre-training of deep bidirectional transformers for language understanding. In: Proceedings of the 2019 Conference of the North American Chapter of the Association for Computational Linguistics: Human Language Technologies, Volume 1 (Long and Short Papers), pp. 4171\u20134186 (2019)"},{"key":"5_CR3","doi-asserted-by":"crossref","unstructured":"Fayyazi, R., Taghdimi, R., Yang, S.J.: Advancing TTP analysis: harnessing the power of encoder-only and decoder-only language models with retrieval augmented generation. arXiv preprint arXiv:2401.00280 (2024)","DOI":"10.1109\/ACSACW65225.2024.00036"},{"key":"5_CR4","doi-asserted-by":"publisher","first-page":"80218","DOI":"10.1109\/ACCESS.2023.3300381","volume":"11","author":"M Gupta","year":"2023","unstructured":"Gupta, M., Akiri, C., Aryal, K., Parker, E., Praharaj, L.: From ChatGPT to threatGPT: impact of generative AI in cybersecurity and privacy. 
IEEE Access 11, 80218\u201380245 (2023)","journal-title":"IEEE Access"},{"key":"5_CR5","doi-asserted-by":"publisher","DOI":"10.1016\/j.cose.2024.103999","volume":"145","author":"Y Hu","year":"2024","unstructured":"Hu, Y., Zou, F., Han, J., Sun, X., Wang, Y.: LLM-TIKG: threat intelligence knowledge graph construction utilizing large language model. Comput. Secur. 145, 103999 (2024)","journal-title":"Comput. Secur."},{"key":"5_CR6","doi-asserted-by":"crossref","unstructured":"Huang, Y.T., et\u00a0al.: Mitretrieval: retrieving Mitre techniques from unstructured threat reports by fusion of deep learning and ontology. IEEE Trans. Network Serv. Manag. (2024)","DOI":"10.1109\/TNSM.2024.3401200"},{"key":"5_CR7","doi-asserted-by":"crossref","unstructured":"Liu, J., Zhan, J.: Constructing knowledge graph from cyber threat intelligence using large language model. In: 2023 IEEE International Conference on Big Data (BigData), pp. 516\u2013521. IEEE (2023)","DOI":"10.1109\/BigData59044.2023.10386611"},{"key":"5_CR8","doi-asserted-by":"crossref","unstructured":"Orbinato, V., Barbaraci, M., Natella, R., Cotroneo, D.: Automatic mapping of unstructured cyber threat intelligence: an experimental study:(practical experience report). In: 2022 IEEE 33rd International Symposium on Software Reliability Engineering (ISSRE), pp. 181\u2013192. IEEE (2022)","DOI":"10.1109\/ISSRE55969.2022.00027"},{"key":"5_CR9","doi-asserted-by":"crossref","unstructured":"Perrina, F., Marchiori, F., Conti, M., Verde, N.V.: AGIR: automating cyber threat intelligence reporting with natural language generation. In: 2023 IEEE International Conference on Big Data (BigData), pp. 3053\u20133062. IEEE (2023)","DOI":"10.1109\/BigData59044.2023.10386116"},{"key":"5_CR10","unstructured":"Sewak, M., Emani, V., Naresh, A.: Crush: Cybersecurity research using universal LLMs and semantic hypernetworks. 
In: EKG-LLM@ CIKM (2023)"},{"key":"5_CR11","unstructured":"Siracusano, G., et al.: Time for action: automated analysis of cyber threat intelligence in the wild. arXiv preprint arXiv:2307.10214 (2023)"},{"key":"5_CR12","unstructured":"Wu, Z., Tang, F., Zhao, M., Li, Y.: KGV: integrating large language models with knowledge graphs for cyber threat intelligence credibility assessment. arXiv preprint arXiv:2408.08088 (2024)"},{"key":"5_CR13","doi-asserted-by":"crossref","unstructured":"Yao, Y., Duan, J., Xu, K., Cai, Y., Sun, Z., Zhang, Y.: A survey on large language model (LLM) security and privacy: the good, the bad, and the ugly. High-Confidence Computing 100211 (2024)","DOI":"10.1016\/j.hcc.2024.100211"},{"issue":"8","key":"5_CR14","doi-asserted-by":"publisher","first-page":"1870","DOI":"10.1093\/comjnl\/bxac048","volume":"66","author":"Z Yu","year":"2023","unstructured":"Yu, Z., Wang, J., Tang, B., Lu, L.: Tactics and techniques classification in cyber threat intelligence. Comput. J. 66(8), 1870\u20131881 (2023)","journal-title":"Comput. J."},{"issue":"1","key":"5_CR15","doi-asserted-by":"publisher","first-page":"1","DOI":"10.1186\/s42400-025-00361-w","volume":"8","author":"J Zhang","year":"2025","unstructured":"Zhang, J., et al.: When LLMs meet cybersecurity: a systematic literature review. Cybersecurity 8(1), 1\u201341 (2025)","journal-title":"Cybersecurity"},{"key":"5_CR16","doi-asserted-by":"crossref","unstructured":"Zhang, T., Irsan, I.C., Thung, F., Lo, D.: Cupid: leveraging ChatGPT for more accurate duplicate bug report detection. 
arXiv preprint arXiv:2308.10022 (2023)","DOI":"10.1145\/3576042"}],"container-title":["Lecture Notes in Computer Science","Availability, Reliability and Security"],"original-title":[],"language":"en","link":[{"URL":"https:\/\/link.springer.com\/content\/pdf\/10.1007\/978-3-032-00633-2_5","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2025,9,8]],"date-time":"2025-09-08T19:37:36Z","timestamp":1757360256000},"score":1,"resource":{"primary":{"URL":"https:\/\/link.springer.com\/10.1007\/978-3-032-00633-2_5"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2025]]},"ISBN":["9783032006325","9783032006332"],"references-count":16,"URL":"https:\/\/doi.org\/10.1007\/978-3-032-00633-2_5","relation":{},"ISSN":["0302-9743","1611-3349"],"issn-type":[{"value":"0302-9743","type":"print"},{"value":"1611-3349","type":"electronic"}],"subject":[],"published":{"date-parts":[[2025]]},"assertion":[{"value":"9 August 2025","order":1,"name":"first_online","label":"First Online","group":{"name":"ChapterHistory","label":"Chapter History"}},{"value":"ARES","order":1,"name":"conference_acronym","label":"Conference Acronym","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"International Conference on Availability, Reliability and Security","order":2,"name":"conference_name","label":"Conference Name","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"Ghent","order":3,"name":"conference_city","label":"Conference City","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"Belgium","order":4,"name":"conference_country","label":"Conference Country","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"2025","order":5,"name":"conference_year","label":"Conference Year","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"11 August 
2025","order":7,"name":"conference_start_date","label":"Conference Start Date","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"14 August 2025","order":8,"name":"conference_end_date","label":"Conference End Date","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"20","order":9,"name":"conference_number","label":"Conference Number","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"ares-12025","order":10,"name":"conference_id","label":"Conference ID","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"https:\/\/2025.ares-conference.eu","order":11,"name":"conference_url","label":"Conference URL","group":{"name":"ConferenceInfo","label":"Conference Information"}}]}}