{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,5,19]],"date-time":"2026-05-19T12:35:52Z","timestamp":1779194152415,"version":"3.51.4"},"reference-count":28,"publisher":"Springer Science and Business Media LLC","issue":"1","license":[{"start":{"date-parts":[[2022,2,1]],"date-time":"2022-02-01T00:00:00Z","timestamp":1643673600000},"content-version":"tdm","delay-in-days":0,"URL":"https:\/\/creativecommons.org\/licenses\/by\/4.0"},{"start":{"date-parts":[[2022,2,1]],"date-time":"2022-02-01T00:00:00Z","timestamp":1643673600000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/creativecommons.org\/licenses\/by\/4.0"}],"funder":[{"DOI":"10.13039\/501100001809","name":"National Natural Science Foundation of China","doi-asserted-by":"publisher","award":["No.61802404"],"award-info":[{"award-number":["No.61802404"]}],"id":[{"id":"10.13039\/501100001809","id-type":"DOI","asserted-by":"publisher"}]},{"name":"National Key Research and Development Program of China","award":["2019QY1302"],"award-info":[{"award-number":["2019QY1302"]}]}],"content-domain":{"domain":["link.springer.com"],"crossmark-restriction":false},"short-container-title":["Cybersecurity"],"published-print":{"date-parts":[[2022,12]]},"abstract":"<jats:title>Abstract<\/jats:title><jats:p>TTPs (Tactics, Techniques, and Procedures), which represent an attacker\u2019s goals and methods, are long-period and essential features of an attacker. Defenders can use TTP intelligence to perform penetration tests and compensate for defensive deficiencies. However, most TTP intelligence is described in unstructured threat data, such as APT analysis reports. Manually converting natural-language TTP descriptions to standard TTP names, such as ATT&amp;CK TTP names and IDs, is time-consuming and requires deep expertise. In this paper, we define the TTP classification task as a sentence classification task. 
We annotate a new sentence-level TTP dataset with 6 categories and 6061 TTP descriptions drawn from 10761 security analysis reports. We construct a threat context-enhanced TTP intelligence mining (TIM) framework to mine TTP intelligence from unstructured threat data. The TIM framework uses TCENet (Threat Context Enhanced Network) to find and classify TTP descriptions, which we define as three consecutive sentences, in textual data. In addition, we use the element features of the TTPs in the descriptions to improve the TTP classification accuracy of TCENet. The evaluation results show that the average classification accuracy of our proposed method on the 6 TTP categories reaches <jats:bold>0.941<\/jats:bold>, and that adding TTP element features improves classification accuracy compared with using text features alone. TCENet also outperforms previous document-level TTP classification work and other popular text classification methods, even with few-shot training samples. Finally, the TIM framework organizes TTP descriptions and TTP elements into STIX 2.1 format as the final TTP intelligence, for sharing the long-period and essential attack behavior characteristics of attackers. We further transform this TTP intelligence into Sigma detection rules for attack behavior detection. 
Such TTP intelligence and rules can help defenders deploy long-term effective threat detection and perform more realistic attack simulations to strengthen defense.<\/jats:p>","DOI":"10.1186\/s42400-021-00106-5","type":"journal-article","created":{"date-parts":[[2022,2,1]],"date-time":"2022-02-01T05:06:24Z","timestamp":1643691984000},"update-policy":"https:\/\/doi.org\/10.1007\/springer_crossmark_policy","source":"Crossref","is-referenced-by-count":48,"title":["TIM: threat context-enhanced TTP intelligence mining on unstructured threat data"],"prefix":"10.1186","volume":"5","author":[{"given":"Yizhe","family":"You","sequence":"first","affiliation":[],"role":[{"role":"author","vocabulary":"crossref"}]},{"given":"Jun","family":"Jiang","sequence":"additional","affiliation":[],"role":[{"role":"author","vocabulary":"crossref"}]},{"ORCID":"https:\/\/orcid.org\/0000-0002-0843-4482","authenticated-orcid":false,"given":"Zhengwei","family":"Jiang","sequence":"additional","affiliation":[],"role":[{"role":"author","vocabulary":"crossref"}]},{"given":"Peian","family":"Yang","sequence":"additional","affiliation":[],"role":[{"role":"author","vocabulary":"crossref"}]},{"given":"Baoxu","family":"Liu","sequence":"additional","affiliation":[],"role":[{"role":"author","vocabulary":"crossref"}]},{"given":"Huamin","family":"Feng","sequence":"additional","affiliation":[],"role":[{"role":"author","vocabulary":"crossref"}]},{"given":"Xuren","family":"Wang","sequence":"additional","affiliation":[],"role":[{"role":"author","vocabulary":"crossref"}]},{"given":"Ning","family":"Li","sequence":"additional","affiliation":[],"role":[{"role":"author","vocabulary":"crossref"}]}],"member":"297","published-online":{"date-parts":[[2022,2,1]]},"reference":[{"key":"106_CR1","doi-asserted-by":"crossref","unstructured":"Ayoade G, Chandra S, Khan L, Hamlen K, Thuraisingham B (2018) Automated threat report classification over multi-source data. 
In: 2018 IEEE 4th international conference on collaboration and internet computing (CIC). IEEE, pp 236\u2013245","DOI":"10.1109\/CIC.2018.00040"},{"key":"106_CR2","unstructured":"cmu-sei (2021) Cyobstract github repository. [EB\/OL]. https:\/\/github.com\/cmu-sei\/cyobstract Accessed August 24, 2021"},{"key":"106_CR3","unstructured":"DavidJBianco (2021) The Pyramid of Pain. [EB\/OL]. https:\/\/detect-respond.blogspot.com\/2013\/03\/the-pyramid-of-pain.html Accessed August 24, 2021"},{"key":"106_CR4","unstructured":"Devlin J, Chang M-W, Lee K, Toutanova K (2018) BERT: Pre-training of deep bidirectional transformers for language understanding. arXiv preprint arXiv:1810.04805"},{"key":"106_CR5","unstructured":"ESET (2021) Welivesecurity website. [EB\/OL]. https:\/\/www.welivesecurity.com\/category\/malware\/ Accessed August 24, 2021"},{"key":"106_CR6","doi-asserted-by":"crossref","unstructured":"Husari G, Al-Shaer E, Ahmed M, Chu B, Niu X (2017) TTPDrill: Automatic and accurate extraction of threat actions from unstructured text of CTI sources. In: Proceedings of the 33rd annual computer security applications conference, pp 103\u2013115","DOI":"10.1145\/3134600.3134646"},{"key":"106_CR7","doi-asserted-by":"crossref","unstructured":"Husari G, Niu X, Chu B, Al-Shaer E (2018) Using entropy and mutual information to extract threat actions from cyber threat intelligence. In: 2018 IEEE international conference on intelligence and security informatics (ISI). IEEE, pp 1\u20136","DOI":"10.1109\/ISI.2018.8587343"},{"key":"106_CR8","unstructured":"Joulin A, Grave E, Bojanowski P, Douze M, J\u00e9gou H, Mikolov T (2016) FastText.zip: Compressing text classification models. arXiv preprint arXiv:1612.03651"},{"key":"106_CR9","unstructured":"Le QV, Mikolov T (2014) Distributed representations of sentences and documents. arXiv:1405.4053"},{"key":"106_CR10","unstructured":"Legoy VSM (2019) Retrieving ATT&CK tactics and techniques in cyber threat reports. 
Master\u2019s thesis, University of Twente"},{"key":"106_CR11","doi-asserted-by":"crossref","unstructured":"Li M, Zheng R, Liu L, Yang P (2019) Extraction of threat actions from threat-related articles using multi-label machine learning classification method. In: 2019 2nd international conference on safety produce informatization (IICSPI). IEEE, pp 428\u2013431","DOI":"10.1109\/IICSPI48186.2019.9095885"},{"key":"106_CR12","unstructured":"Malwarebytes (2021) Malwarebytes website. [EB\/OL]. https:\/\/resources.malwarebytes.com\/#analyst-reports Accessed August 24, 2021"},{"key":"106_CR13","unstructured":"MITRE (2021) MITRE ATT&CK. [EB\/OL]. https:\/\/attack.mitre.org Accessed August 24, 2021"},{"key":"106_CR14","unstructured":"SigmaHQ (2021) Generic Signature Format for SIEM Systems. [EB\/OL]. https:\/\/github.com\/SigmaHQ\/sigma Accessed August 24, 2021"},{"key":"106_CR15","doi-asserted-by":"crossref","unstructured":"Nataraj L, Karthikeyan S, Jacob G, Manjunath BS (2011) Malware images: visualization and automatic classification. In: Proceedings of the 8th international symposium on visualization for cyber security, pp 1\u20137","DOI":"10.1145\/2016904.2016908"},{"key":"106_CR16","doi-asserted-by":"crossref","unstructured":"Niakanlahiji A, Wei J, Chu B-T (2018) A natural language processing based trend analysis of advanced persistent threat techniques. In: 2018 IEEE international conference on big data (Big Data). IEEE, pp 2995\u20133000","DOI":"10.1109\/BigData.2018.8622255"},{"key":"106_CR17","unstructured":"OASIS (2021) Introduction to STIX. [EB\/OL]. https:\/\/oasis-open.github.io\/cti-documentation\/stix\/intro Accessed August 24, 2021"},{"key":"106_CR18","doi-asserted-by":"crossref","unstructured":"Pennington J, Socher R, Manning CD (2014) GloVe: Global vectors for word representation. 
In: Proceedings of the 2014 conference on empirical methods in natural language processing (EMNLP), pp 1532\u20131543","DOI":"10.3115\/v1\/D14-1162"},{"key":"106_CR19","unstructured":"Rakhlin A (2016) Convolutional neural networks for sentence classification. GitHub"},{"key":"106_CR20","doi-asserted-by":"crossref","unstructured":"Reimers N, Gurevych I (2019) Sentence-BERT: Sentence embeddings using Siamese BERT-networks. arXiv preprint arXiv:1908.10084","DOI":"10.18653\/v1\/D19-1410"},{"key":"106_CR21","unstructured":"Richardson L (2021) BeautifulSoup. [EB\/OL]. https:\/\/www.crummy.com\/software\/BeautifulSoup Accessed August 24, 2021"},{"key":"106_CR22","unstructured":"Securelist (2021) Securelist website. [EB\/OL]. https:\/\/securelist.com\/category\/apt-reports\/ Accessed August 24, 2021"},{"key":"106_CR23","doi-asserted-by":"crossref","unstructured":"Shen S-s, Lee H-y (2016) Neural attention models for sequence classification: Analysis and application to key term extraction and dialogue act detection. arXiv preprint arXiv:1604.00077","DOI":"10.21437\/Interspeech.2016-1359"},{"key":"106_CR24","unstructured":"Tartare M (2021) Operation StealthyTrident: corporate software under attack. [EB\/OL]. https:\/\/www.welivesecurity.com\/2020\/12\/10\/luckymouse-ta428-compromise-able-desktop\/ Accessed August 24, 2021"},{"key":"106_CR25","unstructured":"TCENet (2021) TCENet Repository. [EB\/OL]. https:\/\/github.com\/TCENet\/TCENet Accessed August 24, 2021"},{"key":"106_CR26","unstructured":"Threatpost (2021) Threatpost website. [EB\/OL]. https:\/\/threatpost.com\/category\/malware-2\/ Accessed August 24, 2021"},{"key":"106_CR27","unstructured":"Trendmicro (2021) Trendmicro website. [EB\/OL]. 
https:\/\/blog.trendmicro.com\/trendlabs-security-intelligence\/category\/malware Accessed August 24, 2021"},{"key":"106_CR28","doi-asserted-by":"crossref","unstructured":"Zhu Z, Dumitras T (2018) Chainsmith: automatically learning the semantics of malicious campaigns by mining threat intelligence reports. In: 2018 IEEE European symposium on security and privacy (EuroS&P). IEEE, pp 458\u2013472","DOI":"10.1109\/EuroSP.2018.00039"}],"container-title":["Cybersecurity"],"original-title":[],"language":"en","link":[{"URL":"https:\/\/link.springer.com\/content\/pdf\/10.1186\/s42400-021-00106-5.pdf","content-type":"application\/pdf","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/link.springer.com\/article\/10.1186\/s42400-021-00106-5\/fulltext.html","content-type":"text\/html","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/link.springer.com\/content\/pdf\/10.1186\/s42400-021-00106-5.pdf","content-type":"application\/pdf","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2022,2,1]],"date-time":"2022-02-01T05:09:01Z","timestamp":1643692141000},"score":1,"resource":{"primary":{"URL":"https:\/\/cybersecurity.springeropen.com\/articles\/10.1186\/s42400-021-00106-5"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2022,2,1]]},"references-count":28,"journal-issue":{"issue":"1","published-print":{"date-parts":[[2022,12]]}},"alternative-id":["106"],"URL":"https:\/\/doi.org\/10.1186\/s42400-021-00106-5","relation":{},"ISSN":["2523-3246"],"issn-type":[{"value":"2523-3246","type":"electronic"}],"subject":[],"published":{"date-parts":[[2022,2,1]]},"assertion":[{"value":"30 August 2021","order":1,"name":"received","label":"Received","group":{"name":"ArticleHistory","label":"Article History"}},{"value":"13 December 2021","order":2,"name":"accepted","label":"Accepted","group":{"name":"ArticleHistory","label":"Article History"}},{"value":"1 February 
2022","order":3,"name":"first_online","label":"First Online","group":{"name":"ArticleHistory","label":"Article History"}},{"order":1,"name":"Ethics","group":{"name":"EthicsHeading","label":"Declarations"}},{"value":"The authors declare that they have no competing interests.","order":2,"name":"Ethics","group":{"name":"EthicsHeading","label":"Competing interests"}}],"article-number":"3"}}