{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,1,24]],"date-time":"2026-01-24T09:52:04Z","timestamp":1769248324187,"version":"3.49.0"},"reference-count":42,"publisher":"Springer Science and Business Media LLC","issue":"1","license":[{"start":{"date-parts":[[2022,4,2]],"date-time":"2022-04-02T00:00:00Z","timestamp":1648857600000},"content-version":"tdm","delay-in-days":0,"URL":"https:\/\/creativecommons.org\/licenses\/by\/4.0"},{"start":{"date-parts":[[2022,4,2]],"date-time":"2022-04-02T00:00:00Z","timestamp":1648857600000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/creativecommons.org\/licenses\/by\/4.0"}],"funder":[{"name":"National Key Research and Development Program of China","award":["No.2019QY1301"],"award-info":[{"award-number":["No.2019QY1301"]}]}],"content-domain":{"domain":["link.springer.com"],"crossmark-restriction":false},"short-container-title":["Cybersecurity"],"published-print":{"date-parts":[[2022,12]]},"abstract":"<jats:title>Abstract<\/jats:title><jats:p>The cybersecurity report provides unstructured actionable cyber threat intelligence (CTI) with detailed threat attack procedures and indicators of compromise (IOCs), e.g., malware hash or URL (uniform resource locator) of command and control server. The actionable CTI, integrated into intrusion detection systems, can not only prioritize the most urgent threats based on the campaign stages of attack vectors (i.e., IOCs) but also take appropriate mitigation measures based on contextual information of the alerts. However, the dramatic growth in the number of cybersecurity reports makes it nearly impossible for security professionals to find an efficient way to use these massive amounts of threat intelligence. In this paper, we propose a trigger-enhanced actionable CTI discovery system (TriCTI) to portray a relationship between IOCs and campaign stages and generate actionable CTI from cybersecurity reports through natural language processing (NLP) technology. Specifically, we introduce the \u201ccampaign trigger\u201d for an effective explanation of the campaign stages to improve the performance of the classification model. The campaign trigger phrases are the keywords in the sentence that imply the campaign stage. The trained final trigger vectors have similar space representations with the keywords in the unseen sentence and will help correct classification by increasing the weight of the keywords. We also meticulously devise a data augmentation specifically for cybersecurity training sets to cope with the challenge of the scarcity of annotation data sets. Compared with state-of-the-art text classification models, such as BERT, the trigger-enhanced classification model has better performance with accuracy (86.99%) and F1 score (87.02%). We run TriCTI on more than 29k cybersecurity reports, from which we automatically and efficiently collect 113,543 actionable CTI. In particular, we verify the actionability of discovered CTI by using large-scale field data from VirusTotal (VT). The results demonstrate that the threat intelligence provided by VT lacks a part of the threat context for IOCs, such as the<jats:italic>Actions on Objectives<\/jats:italic>campaign stage. As a comparison, our proposed method can completely identify the actionable CTI in all campaign stages. Accordingly, cyber threats can be identified and resisted at any campaign stage with the discovered actionable CTI.<\/jats:p>","DOI":"10.1186\/s42400-022-00110-3","type":"journal-article","created":{"date-parts":[[2022,4,2]],"date-time":"2022-04-02T02:02:49Z","timestamp":1648864969000},"update-policy":"https:\/\/doi.org\/10.1007\/springer_crossmark_policy","source":"Crossref","is-referenced-by-count":33,"title":["TriCTI: an actionable cyber threat intelligence discovery system via trigger-enhanced neural network"],"prefix":"10.1186","volume":"5","author":[{"given":"Jian","family":"Liu","sequence":"first","affiliation":[]},{"given":"Junjie","family":"Yan","sequence":"additional","affiliation":[]},{"given":"Jun","family":"Jiang","sequence":"additional","affiliation":[]},{"given":"Yitong","family":"He","sequence":"additional","affiliation":[]},{"given":"Xuren","family":"Wang","sequence":"additional","affiliation":[]},{"ORCID":"https:\/\/orcid.org\/0000-0002-0843-4482","authenticated-orcid":false,"given":"Zhengwei","family":"Jiang","sequence":"additional","affiliation":[]},{"given":"Peian","family":"Yang","sequence":"additional","affiliation":[]},{"given":"Ning","family":"Li","sequence":"additional","affiliation":[]}],"member":"297","published-online":{"date-parts":[[2022,4,2]]},"reference":[{"key":"110_CR1","unstructured":"AlienVault: Open Threat Intelligence (2021) https:\/\/otx.alienvault.com\/. Accessed 16 June 2021"},{"key":"110_CR2","unstructured":"Amazon: Alexa (2021) https:\/\/www.alexa.com\/topsites\/. Accessed 25 May 2021"},{"key":"110_CR3","unstructured":"Bouwman X, Griffioen H, Egbers J, Doerr C, Klievink B, van Eeten M (2020) A different cup of TI? the added value of commercial threat intelligence. In: 29th USENIX security symposium (USENIX security 20), pp 433\u2013450"},{"key":"110_CR4","unstructured":"CleanMX (2021) CleanMX. https:\/\/support.clean-mx.com\/clean-mx\/index.php. Accessed 25 May 2021"},{"key":"110_CR5","unstructured":"De Silva R, Nabeel M, Elvitigala C, Khalil I, Yu T, Keppitiyagama C (2021) Compromised or attacker-owned: a large scale classification and study of hosting domains of malicious urls. In: 30th USENIX security symposium (USENIX security 21)"},{"key":"110_CR6","unstructured":"Devlin J, Chang M-W, Lee K, Toutanova K (2018) Bert: pre-training of deep bidirectional transformers for language understanding. arXiv preprint arXiv:1810.04805"},{"key":"110_CR7","doi-asserted-by":"crossref","unstructured":"Dion\u00edsio N, Alves F, Ferreira PM, Bessani A (2019) Cyberthreat detection from twitter using deep neural networks. In: 2019 international joint conference on neural networks (IJCNN), pp 1\u20138. IEEE","DOI":"10.1109\/IJCNN.2019.8852475"},{"key":"110_CR8","unstructured":"Dong Y, Guo W, Chen Y, Xing X, Zhang Y, Wang G (2019) Towards the detection of inconsistencies in public security vulnerability reports. In: 28th USENIX security symposium (USENIX Security 19), pp 869\u2013885"},{"key":"110_CR9","doi-asserted-by":"crossref","unstructured":"Hadsell R, Chopra S, LeCun Y (2006) Dimensionality reduction by learning an invariant mapping. In: 2006 IEEE computer society conference on computer vision and pattern recognition (CVPR\u201906), vol 2, pp 1735\u20131742. IEEE","DOI":"10.1109\/CVPR.2006.100"},{"key":"110_CR10","doi-asserted-by":"crossref","unstructured":"Husari G, Al-Shaer E, Ahmed M, Chu B, Niu X (2017) Ttpdrill: automatic and accurate extraction of threat actions from unstructured text of CTI sources. In: Proceedings of the 33rd annual computer security applications conference, pp 103\u2013115","DOI":"10.1145\/3134600.3134646"},{"key":"110_CR11","doi-asserted-by":"crossref","unstructured":"Husari G, Niu X, Chu B, Al-Shaer E (2018) Using entropy and mutual information to extract threat actions from cyber threat intelligence. In: 2018 IEEE international conference on intelligence and security informatics (ISI), pp 1\u20136. IEEE","DOI":"10.1109\/ISI.2018.8587343"},{"issue":"1","key":"110_CR12","first-page":"80","volume":"1","author":"EM Hutchins","year":"2011","unstructured":"Hutchins EM, Cloppert MJ, Amin RM et al (2011) Intelligence-driven computer network defense informed by analysis of adversary campaigns and intrusion kill chains. Leading Issues Inf Warfare Secur Res 1(1):80","journal-title":"Leading Issues Inf Warfare Secur Res"},{"key":"110_CR13","unstructured":"Jeff M (2021) The security intelligence handbook. https:\/\/cyber-edge.com\/resources\/the-security-intelligence-handbook-third-edition\/. Accessed 16 June 2021"},{"issue":"10","key":"110_CR14","doi-asserted-by":"publisher","first-page":"2341","DOI":"10.1007\/s13042-020-01122-6","volume":"11","author":"G Kim","year":"2020","unstructured":"Kim G, Lee C, Jo J, Lim H (2020) Automatic extraction of named entities of cyber threats using a deep BI-LSYM-CRF network. Int J Mach Learn Cybern 11(10):2341\u20132355","journal-title":"Int J Mach Learn Cybern"},{"key":"110_CR15","doi-asserted-by":"crossref","unstructured":"Kim D, Kim HK (2019) Automated dataset generation system for collaborative research of cyber threat analysis. Secur Commun Netw","DOI":"10.1155\/2019\/6268476"},{"key":"110_CR16","unstructured":"Kingma DP, Ba J (2014) Adam: a method for stochastic optimization. arXiv preprint arXiv:1412.6980"},{"key":"110_CR17","doi-asserted-by":"crossref","unstructured":"Le\u00a0Pochat V, Maroofi S, Van\u00a0Goethem T, Preuveneers D, Duda A, Joosen W, Korczy\u0144ski M, et al (2020) A practical approach for taking down avalanche botnets under real-world constraints. In: Proceedings of the 27th annual network and distributed system security symposium. Internet Society","DOI":"10.14722\/ndss.2020.24161"},{"key":"110_CR18","doi-asserted-by":"crossref","unstructured":"Lever C, Walls R, Nadji Y, Dagon D, McDaniel P, Antonakakis M (2016) Domain-z: 28 registrations later measuring the exploitation of residual trust in domains. In: 2016 IEEE symposium on security and privacy (SP), pp 691\u2013706. IEEE","DOI":"10.1109\/SP.2016.47"},{"key":"110_CR19","unstructured":"Li VG, Dunn M, Pearce P, McCoy D, Voelker GM, Savage S (2019) Reading the tea leaves: a comparative analysis of threat intelligence. In: 28th USENIX security symposium (USENIX Security 19), pp 851\u2013867"},{"key":"110_CR20","doi-asserted-by":"crossref","unstructured":"Liao X, Yuan K, Wang X, Li Z, Xing L, Beyah R (2016) Acing the IOC game: toward automatic discovery and analysis of open-source cyber threat intelligence. In: Proceedings of the 2016 ACM SIGSAC conference on computer and communications security, pp 755\u2013766","DOI":"10.1145\/2976749.2978315"},{"key":"110_CR21","doi-asserted-by":"crossref","unstructured":"Lin BY, Lee D-H, Shen M, Moreno R, Huang X, Shiralkar P, Ren X (2020) Triggerner: Learning with entity triggers as explanations for named entity recognition. arXiv preprint arXiv:2004.07493","DOI":"10.18653\/v1\/2020.acl-main.752"},{"key":"110_CR22","unstructured":"Lin Z, Feng M, Santos CNd, Yu M, Xiang B, Zhou B, Bengio Y (2017) A structured self-attentive sentence embedding. arXiv preprint arXiv:1703.03130"},{"key":"110_CR23","doi-asserted-by":"crossref","unstructured":"Long Z, Tan L, Zhou S, He C, Liu X (2019) Collecting indicators of compromise from unstructured text of cybersecurity articles using neural-based sequence labelling. In: 2019 international joint conference on neural networks (IJCNN), pp 1\u20138. IEEE","DOI":"10.1109\/IJCNN.2019.8852142"},{"key":"110_CR24","unstructured":"MITRE: Common Attack Pattern Enumeration and Classification (CAPEC) (2021) https:\/\/capec.mitre.org\/index.html. Accessed 25 May 2021"},{"key":"110_CR25","unstructured":"MITRE: Malware Attribute Enumeration and Characterization (MAEC) (2021) https:\/\/maecproject.github.io\/. Accessed 25 May 2021"},{"key":"110_CR26","unstructured":"MITRE: MITRE ATT&CK (2021) https:\/\/attack.mitre.org\/. Accessed 25 May 2021"},{"key":"110_CR27","unstructured":"OASIS: STIX (2021) https:\/\/oasis-open.github.io\/cti-documentation\/stix\/intro.html. Accessed 25 May 2021"},{"key":"110_CR28","doi-asserted-by":"crossref","unstructured":"Pennington J, Socher R, Manning CD (2014) Glove: global vectors for word representation. In: Proceedings of the 2014 conference on empirical methods in natural language processing (EMNLP), pp 1532\u20131543","DOI":"10.3115\/v1\/D14-1162"},{"key":"110_CR29","doi-asserted-by":"crossref","unstructured":"Samtani S, Abate M, Benjamin V, Li W (2020) Cybersecurity as an industry: a cyber threat intelligence perspective. Palgrave Handb Int Cybercrime Cyberdev 135\u2013154","DOI":"10.1007\/978-3-319-78440-3_8"},{"key":"110_CR30","doi-asserted-by":"crossref","unstructured":"Satyapanich T, Ferraro F, Finin T (2020) CASIE: extracting cybersecurity event information from text. UMBC Faculty Collection","DOI":"10.1609\/aaai.v34i05.6401"},{"issue":"8","key":"110_CR31","doi-asserted-by":"publisher","first-page":"4543","DOI":"10.1007\/s11227-016-1850-4","volume":"75","author":"S Singh","year":"2019","unstructured":"Singh S, Sharma PK, Moon SY, Moon D, Park JH (2019) A comprehensive study on apt attacks and countermeasures for future networks and communications: challenges and solutions. J Supercomput 75(8):4543\u20134574","journal-title":"J Supercomput"},{"key":"110_CR32","unstructured":"Spacy V3.0 https:\/\/spacy.io\/. Accessed 25 May 2021"},{"key":"110_CR33","unstructured":"Tang D, Qin B, Feng X, Liu T (2015) Effective lstms for target-dependent sentiment classification. arXiv preprint arXiv:1512.01100"},{"issue":"1","key":"110_CR34","first-page":"3221","volume":"15","author":"L Van Der Maaten","year":"2014","unstructured":"Van Der Maaten L (2014) Accelerating T-SNE using tree-based algorithms. J Mach Learn Res 15(1):3221\u20133245","journal-title":"J Mach Learn Res"},{"key":"110_CR35","first-page":"5998","volume":"30","author":"A Vaswani","year":"2017","unstructured":"Vaswani A, Shazeer N, Parmar N, Uszkoreit J, Jones L, Gomez AN, Kaiser \u0141, Polosukhin I (2017) Attention is all you need. Adv Neural Inf Process Syst 30:5998\u20136008","journal-title":"Adv Neural Inf Process Syst"},{"key":"110_CR36","unstructured":"VirusTotal (2021) https:\/\/developers.virustotal.com\/v3.0. Accessed 25 May 2021"},{"key":"110_CR37","doi-asserted-by":"crossref","unstructured":"Wu X, Lv S, Zang L, Han J, Hu S (2019) Conditional bert contextual augmentation. In: International conference on computational science, pp 84\u201395. Springer","DOI":"10.1007\/978-3-030-22747-0_7"},{"key":"110_CR38","doi-asserted-by":"crossref","unstructured":"Yadav T, Rao AM (2015) Technical aspects of cyber kill chain. In: International symposium on security in computing and communication, pp 438\u2013452. Springer","DOI":"10.1007\/978-3-319-22915-7_40"},{"key":"110_CR39","unstructured":"Zane P (2021) The threat intelligence handbook. https:\/\/cyber-edge.com\/resources\/the-threat-intelligence-handbook-second-edition\/. Accessed 16 June 2021"},{"key":"110_CR40","unstructured":"Zhao J, Yan Q, Liu X, Li B, Zuo G (2020) Cyber threat intelligence modeling based on heterogeneous graph convolutional network. In: 23rd international symposium on research in attacks, intrusions and defenses (RAID 2020), pp 241\u2013256"},{"key":"110_CR41","unstructured":"Zhou S, Long Z, Tan L, Guo H (2018) Automatic identification of indicators of compromise using neural-based sequence labelling. arXiv preprint arXiv:1810.10156"},{"key":"110_CR42","doi-asserted-by":"crossref","unstructured":"Zhu Z, Dumitras T (2018) Chainsmith: automatically learning the semantics of malicious campaigns by mining threat intelligence reports. In: 2018 IEEE European symposium on security and privacy (EuroS&P), pp 458\u2013472. IEEE","DOI":"10.1109\/EuroSP.2018.00039"}],"container-title":["Cybersecurity"],"original-title":[],"language":"en","link":[{"URL":"https:\/\/link.springer.com\/content\/pdf\/10.1186\/s42400-022-00110-3.pdf","content-type":"application\/pdf","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/link.springer.com\/article\/10.1186\/s42400-022-00110-3\/fulltext.html","content-type":"text\/html","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/link.springer.com\/content\/pdf\/10.1186\/s42400-022-00110-3.pdf","content-type":"application\/pdf","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2024,9,21]],"date-time":"2024-09-21T13:23:35Z","timestamp":1726925015000},"score":1,"resource":{"primary":{"URL":"https:\/\/cybersecurity.springeropen.com\/articles\/10.1186\/s42400-022-00110-3"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2022,4,2]]},"references-count":42,"journal-issue":{"issue":"1","published-print":{"date-parts":[[2022,12]]}},"alternative-id":["110"],"URL":"https:\/\/doi.org\/10.1186\/s42400-022-00110-3","relation":{},"ISSN":["2523-3246"],"issn-type":[{"value":"2523-3246","type":"electronic"}],"subject":[],"published":{"date-parts":[[2022,4,2]]},"assertion":[{"value":"29 June 2021","order":1,"name":"received","label":"Received","group":{"name":"ArticleHistory","label":"Article History"}},{"value":"11 January 2022","order":2,"name":"accepted","label":"Accepted","group":{"name":"ArticleHistory","label":"Article History"}},{"value":"2 April 2022","order":3,"name":"first_online","label":"First Online","group":{"name":"ArticleHistory","label":"Article History"}},{"order":1,"name":"Ethics","group":{"name":"EthicsHeading","label":"Declarations"}},{"value":"The authors declare that they have no competing interests.","order":2,"name":"Ethics","group":{"name":"EthicsHeading","label":"Competing interests"}}],"article-number":"8"}}