{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,4,13]],"date-time":"2026-04-13T15:54:47Z","timestamp":1776095687262,"version":"3.50.1"},"reference-count":71,"publisher":"Springer Science and Business Media LLC","issue":"1","license":[{"start":{"date-parts":[[2026,1,16]],"date-time":"2026-01-16T00:00:00Z","timestamp":1768521600000},"content-version":"tdm","delay-in-days":0,"URL":"https:\/\/creativecommons.org\/licenses\/by\/4.0"},{"start":{"date-parts":[[2026,1,16]],"date-time":"2026-01-16T00:00:00Z","timestamp":1768521600000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/creativecommons.org\/licenses\/by\/4.0"}],"funder":[{"name":"the National Science Foundation of China","award":["62562012"],"award-info":[{"award-number":["62562012"]}]},{"name":"the National Science Foundation of China","award":["62172308"],"award-info":[{"award-number":["62172308"]}]},{"name":"the National Science Foundation of China","award":["62202118"],"award-info":[{"award-number":["62202118"]}]},{"name":"the National Science Foundation of China","award":["72261004"],"award-info":[{"award-number":["72261004"]}]},{"name":"the Guizhou Provincial Basic Research Program","award":["QKHJC-MS[2025]686"],"award-info":[{"award-number":["QKHJC-MS[2025]686"]}]},{"name":"the Major Scientific and Technological Special Project of Guizhou Province","award":["[2024]014"],"award-info":[{"award-number":["[2024]014"]}]},{"DOI":"10.13039\/501100013141","name":"Jilin Provincial Key Research and Development Plan Project","doi-asserted-by":"publisher","award":["PA[2025]004"],"award-info":[{"award-number":["PA[2025]004"]}],"id":[{"id":"10.13039\/501100013141","id-type":"DOI","asserted-by":"publisher"}]}],"content-domain":{"domain":["link.springer.com"],"crossmark-restriction":false},"short-container-title":["Cybersecurity"],"abstract":"<jats:title>Abstract<\/jats:title>\n                  <jats:p>With the increasing frequency of APT attacks, cyber 
defense urgently demands high-quality threat intelligence support. Cyber threat intelligence (CTI) knowledge graphs have demonstrated significant potential in aiding threat detection and behavioral reasoning. However, existing CTI data often suffer from unstructured formats, fragmented knowledge, a reliance on manual annotation, and limited semantic mapping to attack techniques. These limitations hinder the robustness and accuracy of downstream reasoning tasks (e.g., attack attribution and intent inference). Moreover, traditional information extraction methods struggle to generalize in scenarios involving cross-paragraph dependencies, emerging threats, and low-resource samples, exhibiting weaknesses in context awareness and sensitivity to prompt variations. To this end, we propose CTI-Thinker, a novel system that integrates large language models with semantic alignment to the ATT&amp;CK framework for CTI knowledge graph construction and threat reasoning. First, CTI-Thinker leverages in-context learning and LoRA-based fine-tuning to extract structured threat entities and relations. Then, it adopts vector-based alignment strategies to unify heterogeneous expressions, enabling entity normalization and knowledge fusion for constructing a high-quality CTI knowledge graph. Finally, a GraphRAG-based reasoning engine is built by incorporating the structured knowledge graph and external ATT&amp;CK resources into a retrieval-augmented generation (RAG) framework, enabling tactical-level inference and CTI-driven question answering. Experimental results demonstrate that CTI-Thinker accurately extracts threat entities and relations and constructs a reliable CTI knowledge graph. It also effectively infers attack intent and supports intelligent reasoning. 
The system outperforms state-of-the-art methods in precision, robustness, and generalizability, offering a scalable and semantically enriched solution for cyber threat analysis and defense.<\/jats:p>\n                  <jats:p>\n                    <jats:bold>Graphical abstract<\/jats:bold>\n                  <\/jats:p>","DOI":"10.1186\/s42400-025-00505-y","type":"journal-article","created":{"date-parts":[[2026,1,16]],"date-time":"2026-01-16T07:13:27Z","timestamp":1768547607000},"update-policy":"https:\/\/doi.org\/10.1007\/springer_crossmark_policy","source":"Crossref","is-referenced-by-count":3,"title":["CTI-Thinker: an LLM-driven system for CTI knowledge graph construction and attack reasoning"],"prefix":"10.1186","volume":"9","author":[{"ORCID":"https:\/\/orcid.org\/0000-0001-7945-7203","authenticated-orcid":false,"given":"Xiuzhang","family":"Yang","sequence":"first","affiliation":[]},{"given":"Ruijie","family":"Zhong","sequence":"additional","affiliation":[]},{"given":"Yuling","family":"Chen","sequence":"additional","affiliation":[]},{"given":"Guojun","family":"Peng","sequence":"additional","affiliation":[]},{"given":"Di","family":"Yao","sequence":"additional","affiliation":[]},{"given":"Chaofan","family":"Chen","sequence":"additional","affiliation":[]},{"given":"Chenyang","family":"Wang","sequence":"additional","affiliation":[]},{"given":"Dongni","family":"Zhang","sequence":"additional","affiliation":[]},{"given":"Yilin","family":"Zhou","sequence":"additional","affiliation":[]},{"given":"Zixuan","family":"Yang","sequence":"additional","affiliation":[]}],"member":"297","published-online":{"date-parts":[[2026,1,16]]},"reference":[{"key":"505_CR1","doi-asserted-by":"publisher","first-page":"1497","DOI":"10.1007\/s10618-021-00760-w","volume":"35","author":"B Abu-Salih","year":"2021","unstructured":"Abu-Salih B, Al-Tawil M, Aljarah I, Faris H, Wongthongtham P, Chan KY, Beheshti A (2021) Relational learning analysis of social politics using knowledge graph 
embedding. Data Min Knowl Disc 35:1497\u20131536","journal-title":"Data Min Knowl Disc"},{"key":"505_CR2","unstructured":"Achiam J, Adler S, Agarwal S, Ahmad L, Akkaya I, Aleman FL, Almeida D, Altenschmidt J, Altman S, Anadkat S et\u00a0al (2023) Gpt-4 technical report. arXiv preprint arXiv:2303.08774"},{"key":"505_CR3","doi-asserted-by":"crossref","unstructured":"Aghaei E, Niu X, Shadid W, Al-Shaer E (2022) Securebert: a domain-specific language model for cybersecurity. In: Proceedings of the 2022 international conference on security and privacy in communication systems. Springer, pp 39\u201356","DOI":"10.1007\/978-3-031-25538-0_3"},{"key":"505_CR4","doi-asserted-by":"publisher","DOI":"10.1016\/j.cose.2023.103352","volume":"132","author":"S Ainslie","year":"2023","unstructured":"Ainslie S, Thompson D, Maynard S, Ahmad A (2023) Cyber-threat intelligence for security decision-making: a review and research agenda for practice. Comput Secur 132:103352","journal-title":"Comput Secur"},{"key":"505_CR5","doi-asserted-by":"crossref","unstructured":"Alam MT, Bhusal D, Park Y, Rastogi N (2023) Looking beyond iocs: automatically extracting attack patterns from external cti. In: Proceedings of the 26th international symposium on research in attacks, intrusions and defenses, pp 92\u2013108","DOI":"10.1145\/3607199.3607208"},{"key":"505_CR6","doi-asserted-by":"crossref","unstructured":"Alam MT, Bhusal D, Nguyen L, Rastogi N (2024) Ctibench: a benchmark for evaluating llms in cyber threat intelligence. In: Proceedings of the 38th conference on neural information processing systems (NeurIPS)","DOI":"10.52202\/079017-1607"},{"key":"505_CR7","doi-asserted-by":"crossref","unstructured":"Arikkat DR, Abhinav M, Binu N, Parvathi M, Biju N, Arunima K, Vinod P, KA, RR, Conti M (2024) Intellbot: retrieval augmented llm chatbot for cyber threat knowledge delivery. In: Proceedings of the 16th IEEE international conference on computational intelligence and communication networks (CICN). 
IEEE, pp 644\u2013651","DOI":"10.1109\/CICN63059.2024.10847404"},{"key":"505_CR8","doi-asserted-by":"crossref","unstructured":"Arikkat DR, Nicolazzo S, Arazzi M, Nocera A, Conti M et\u00a0al (2025) Droidttp: mapping android applications with ttp for cyber threat intelligence. arXiv preprint arXiv:2503.15866","DOI":"10.1016\/j.jisa.2025.104162"},{"key":"505_CR9","doi-asserted-by":"publisher","first-page":"1","DOI":"10.1145\/3641289","volume":"15","author":"Y Chang","year":"2024","unstructured":"Chang Y, Wang X, Wang J, Wu Y, Yang L, Zhu K, Chen H, Yi X, Wang C, Wang Y et al (2024) A survey on evaluation of large language models. ACM Trans Intell Syst Technol 15:1\u201345","journal-title":"ACM Trans Intell Syst Technol"},{"key":"505_CR10","doi-asserted-by":"crossref","unstructured":"Chen Y, Ding J, Li D, Chen Z (2021) Joint bert model based cybersecurity named entity recognition. In: Proceedings of the 2021 4th International conference on software engineering and information management, pp 236\u2013242","DOI":"10.1145\/3451471.3451508"},{"key":"505_CR11","doi-asserted-by":"crossref","unstructured":"Chen H, Shen X, Lv Q, Wang J, Ni X, Ye J (2024a) Sac-kg: exploiting large language models as skilled automatic constructors for domain knowledge graphs. arXiv preprint arXiv:2410.02811","DOI":"10.18653\/v1\/2024.acl-long.238"},{"key":"505_CR12","doi-asserted-by":"publisher","DOI":"10.1016\/j.cose.2024.104016","volume":"145","author":"Y Chen","year":"2024","unstructured":"Chen Y, Cui M, Wang D, Cao Y, Yang P, Jiang B, Lu Z, Liu B (2024b) A survey of large language models for cyber threat detection. 
Comput Secur 145:104016","journal-title":"Comput Secur"},{"key":"505_CR13","doi-asserted-by":"publisher","DOI":"10.1016\/j.knosys.2024.112777","volume":"309","author":"G Chen","year":"2025","unstructured":"Chen G, Chen P, Wang Q, Li H, Zhou X, Wang X, Yu A, Deng X (2025a) Emge: entities and mentions gradual enhancement with semantics and connection modelling for document-level relation extraction. Knowl Based Syst 309:112777","journal-title":"Knowl Based Syst"},{"key":"505_CR14","doi-asserted-by":"publisher","DOI":"10.1016\/j.cose.2024.104213","volume":"150","author":"M Chen","year":"2025","unstructured":"Chen M, Zhu K, Lu B, Li D, Yuan Q, Zhu Y (2025b) Aecr: automatic attack technique intelligence extraction based on fine-tuned large language model. Comput Secur 150:104213","journal-title":"Comput Secur"},{"key":"505_CR15","unstructured":"Cheng Y, Bajaber O, Tsegai SA, Song D, Gao P (2025) Ctinexus: leveraging optimized llm in-context learning for constructing cybersecurity knowledge graphs under data scarcity. In: Proceedings of the 2025 IEEE European symposium on security and privacy"},{"key":"505_CR16","doi-asserted-by":"crossref","unstructured":"Du D, Guan X, Liu Y, Jiang B, Liu S, Feng H, Liu J (2024) Mad-llm: a novel approach for alert-based multi-stage attack detection via llm. In: Proceedings of the 2024 IEEE international symposium on parallel and distributed processing with applications (ISPA). IEEE, pp 2046\u20132053","DOI":"10.1109\/ISPA63168.2024.00279"},{"key":"505_CR17","unstructured":"Edge D, Trinh H, Cheng N, Bradley J, Chao A, Mody A, Truitt S, Metropolitansky D, Ness RO, Larson J (2024) From local to global: a graph rag approach to query-focused summarization. 
arXiv preprint arXiv:2404.16130"},{"key":"505_CR18","doi-asserted-by":"publisher","first-page":"1215","DOI":"10.1093\/comjnl\/bxaa141","volume":"64","author":"Y Fang","year":"2021","unstructured":"Fang Y, Zhang Y, Huang C (2021) Cybereyes: cybersecurity entity recognition model based on graph convolutional network. Comput J 64:1215\u20131225","journal-title":"Comput J"},{"key":"505_CR19","doi-asserted-by":"crossref","unstructured":"Fayyazi R, Taghdimi R, Yang SJ (2024) Advancing ttp analysis: harnessing the power of large language models with retrieval augmented generation. In: Proceedings of the 2024 annual computer security applications conference workshops (ACSAC Workshops). IEEE, pp 255\u2013261","DOI":"10.1109\/ACSACW65225.2024.00036"},{"key":"505_CR20","doi-asserted-by":"crossref","unstructured":"Fieblinger R, Alam MT, Rastogi N (2024) Actionable cyber threat intelligence using knowledge graphs and large language models. In: Proceedings of the 2024 IEEE European symposium on security and privacy workshops (EuroS&PW). IEEE, pp 100\u2013111","DOI":"10.1109\/EuroSPW61312.2024.00018"},{"key":"505_CR21","doi-asserted-by":"crossref","unstructured":"Gao P, Shao F, Liu X, Xiao X, Qin Z, Xu F, Mittal P, Kulkarni SR, Song D (2021) Enabling efficient cyber threat hunting with cyber threat intelligence. In: 2021 IEEE 37th international conference on data engineering (ICDE). IEEE, pp 193\u2013204","DOI":"10.1109\/ICDE51399.2021.00024"},{"key":"505_CR22","doi-asserted-by":"crossref","unstructured":"Guo Y, Liu Z, Huang C, Liu J, Jing W, Wang Z, Wang Y (2021) Cyberrel: joint entity and relation extraction for cybersecurity concepts. In: Proceedings of the 23rd international conference on information and communications security (ICICS). 
Springer, pp 447\u2013463","DOI":"10.1007\/978-3-030-86890-1_25"},{"key":"505_CR23","unstructured":"Guo D, Yang D, Zhang H, Song J, Zhang R, Xu R, Zhu Q, Ma S, Wang P, Bi X et\u00a0al (2025a) Deepseek-r1: incentivizing reasoning capability in llms via reinforcement learning. arXiv preprint arXiv:2501.12948"},{"issue":"9","key":"505_CR24","doi-asserted-by":"publisher","first-page":"1049","DOI":"10.1007\/s11227-025-07545-8","volume":"81","author":"W Guo","year":"2025","unstructured":"Guo W, Xue J, Liu Z, Han W, Hu J (2025b) Malgta: large language model-based guided malware tactical analysis. J Supercomput 81(9):1049","journal-title":"J Supercomput"},{"key":"505_CR25","doi-asserted-by":"publisher","first-page":"1","DOI":"10.1145\/3447772","volume":"54","author":"A Hogan","year":"2021","unstructured":"Hogan A, Blomqvist E, Cochez M, d\u2019Amato C, Melo GD, Gutierrez C, Kirrane S, Gayo JEL, Navigli R, Neumaier S, Ngomo ACN, Polleres A, Rashid SM, Rula A, Schmelzeisen L, Sequeda J, Staab S, Zimmermann A (2021) Knowledge graphs. ACM Comput Surv 54:1\u201337","journal-title":"ACM Comput Surv"},{"key":"505_CR26","doi-asserted-by":"publisher","DOI":"10.1016\/j.cose.2024.103999","volume":"145","author":"Y Hu","year":"2024","unstructured":"Hu Y, Zou F, Han J, Sun X, Wang Y (2024) Llm-tikg: threat intelligence knowledge graph construction utilizing large language model. Comput Secur 145:103999","journal-title":"Comput Secur"},{"key":"505_CR27","first-page":"1","volume":"43","author":"L Huang","year":"2025","unstructured":"Huang L, Yu W, Ma W, Zhong W, Feng Z, Wang H, Chen Q, Peng W, Feng X, Qin B et al (2025) A survey on hallucination in large language models: principles, taxonomy, challenges, and open questions. 
ACM Trans Inf Syst 43:1\u201355","journal-title":"ACM Trans Inf Syst"},{"key":"505_CR28","doi-asserted-by":"crossref","unstructured":"Husari G, Al-Shaer E, Ahmed M, Chu B, Niu X (2017) Ttpdrill: automatic and accurate extraction of threat actions from unstructured text of cti sources. In: Proceedings of the 33rd Annual computer security applications conference, pp 103\u2013115","DOI":"10.1145\/3134600.3134646"},{"key":"505_CR29","doi-asserted-by":"crossref","unstructured":"Jeon JH, Koo J, Kim YG (2024) Rag-based cyber threat tracing graph modeling method. In: Proceedings of the 23rd IEEE international conference on trust, security and privacy in computing and communications (TrustCom). IEEE, pp 608\u2013615","DOI":"10.1109\/TrustCom63139.2024.00098"},{"key":"505_CR30","doi-asserted-by":"publisher","first-page":"1","DOI":"10.1145\/3571730","volume":"55","author":"Z Ji","year":"2023","unstructured":"Ji Z, Lee N, Frieske R, Yu T, Su D, Xu Y, Ishii E, Bang YJ, Madotto A, Fung P (2023) Survey of hallucination in natural language generation. ACM Comput Surv 55:1\u201338","journal-title":"ACM Comput Surv"},{"key":"505_CR31","unstructured":"Ji H, Yang J, Chai L, Wei C, Yang L, Duan Y, Wang Y, Sun T, Guo H, Li T et\u00a0al (2024) Sevenllm: benchmarking, eliciting, and enhancing abilities of large language models in cyber threat intelligence. arXiv preprint arXiv:2405.03446"},{"key":"505_CR32","doi-asserted-by":"publisher","DOI":"10.1016\/j.cose.2022.102763","volume":"120","author":"H Jo","year":"2022","unstructured":"Jo H, Lee Y, Shin S (2022) Vulcan: automatic extraction and analysis of cyber threat intelligence from unstructured text. Comput Secur 120:102763","journal-title":"Comput Secur"},{"key":"505_CR33","doi-asserted-by":"crossref","unstructured":"Lairgi Y, Moncla L, Cazabet R, Benabdeslem K, Cl\u00e9au P (2024) itext2kg: incremental knowledge graphs construction using large language models. 
In: Proceedings of the 2024 international conference on web information systems engineering. Springer, pp 214\u2013229","DOI":"10.1007\/978-981-96-0573-6_16"},{"key":"505_CR34","unstructured":"Legoy V, Caselli M, Seifert C, Peter A (2020) Automated retrieval of att&ck tactics and techniques for cyber threat reports. arXiv preprint arXiv:2004.14322"},{"key":"505_CR35","first-page":"9459","volume":"33","author":"P Lewis","year":"2020","unstructured":"Lewis P, Perez E, Piktus A, Petroni F, Karpukhin V, Goyal N, K\u00fcttler H, Lewis M, Yih WT, Rockt\u00e4schel T et al (2020) Retrieval-augmented generation for knowledge-intensive nlp tasks. Adv Neural Inf Process Syst 33:9459\u20139474","journal-title":"Adv Neural Inf Process Syst"},{"key":"505_CR36","doi-asserted-by":"crossref","unstructured":"Li Z, Zeng J, Chen Y, Liang Z (2022) Attackg: constructing technique knowledge graph from cyber threat intelligence reports. In: Proceedings of the 2022 European symposium on research in computer security. Springer, pp 589\u2013609","DOI":"10.1007\/978-3-031-17140-6_29"},{"key":"505_CR37","doi-asserted-by":"publisher","DOI":"10.1016\/j.neunet.2024.106210","volume":"173","author":"Q Li","year":"2024","unstructured":"Li Q, Wang Y, Dong J, Zhang C, Peng K (2024a) Multi-node knowledge graph assisted distributed fault detection for large-scale industrial processes based on graph attention network and bidirectional lstms. Neural Netw 173:106210","journal-title":"Neural Netw"},{"key":"505_CR38","unstructured":"Li Y, Huang C, Deng S, Lock ML, Cao T, Oo N, Lim HW, Hooi B (2024b) KnowPhish: large language models meet multimodal knowledge graphs for enhancing Reference-Based phishing detection. In: Proceedings of the 33rd USENIX security symposium (USENIX Security 24), pp 793\u2013810"},{"key":"505_CR39","doi-asserted-by":"crossref","unstructured":"Liu J, Zhan J (2023) Constructing knowledge graph from cyber threat intelligence using large language model. 
In: Proceedings of the 2023 IEEE international conference on big data (BigData). IEEE, pp 516\u2013521","DOI":"10.1109\/BigData59044.2023.10386611"},{"key":"505_CR40","unstructured":"Liu Y, Ott M, Goyal N, Du J, Joshi M, Chen D, Levy O, Lewis M, Zettlemoyer L, Stoyanov V (2019) Roberta: a robustly optimized bert pretraining approach. arXiv preprint arXiv:1907.11692"},{"key":"505_CR41","doi-asserted-by":"crossref","unstructured":"Liu S, Li Y, Li J, Yang S, Lan Y (2024) Unleashing the power of large language models in zero-shot relation extraction via self-prompting. arXiv preprint arXiv:2410.01154","DOI":"10.18653\/v1\/2024.findings-emnlp.769"},{"key":"505_CR42","doi-asserted-by":"publisher","DOI":"10.1016\/j.comnet.2025.111162","volume":"262","author":"J Loevenich","year":"2025","unstructured":"Loevenich J, Adler E, Huerten T, Lopes RRF (2025) Design and evaluation of an autonomous cyber defence agent using drl and an augmented llm. Comput Netw 262:111162","journal-title":"Comput Netw"},{"key":"505_CR43","doi-asserted-by":"crossref","unstructured":"Milajerdi SM, Eshete B, Gjomemo R, Venkatakrishnan V (2019) Poirot: aligning attack behavior with kernel audit records for cyber threat hunting. In: Proceedings of the 2019 ACM SIGSAC conference on computer and communications security (CCS), pp 1795\u20131812","DOI":"10.1145\/3319535.3363217"},{"key":"505_CR44","doi-asserted-by":"crossref","unstructured":"Mo Y, Liu J, Yang J, Wang Q, Zhang S, Wang J, Li Z (2024) C-icl: contrastive in-context learning for information extraction. arXiv preprint arXiv:2402.11254","DOI":"10.18653\/v1\/2024.findings-emnlp.590"},{"key":"505_CR45","doi-asserted-by":"publisher","DOI":"10.1016\/j.cose.2024.104120","volume":"148","author":"I Mouiche","year":"2025","unstructured":"Mouiche I, Saad S (2025) Entity and relation extractions for threat intelligence knowledge graphs. 
Comput Secur 148:104120","journal-title":"Comput Secur"},{"key":"505_CR46","doi-asserted-by":"crossref","unstructured":"Piya FL, Beheshti R (2025) Advancing feature extraction in healthcare through the integration of knowledge graphs and large language models. In: Proceedings of the AAAI conference on artificial intelligence, pp 29293\u201329294","DOI":"10.1609\/aaai.v39i28.35224"},{"key":"505_CR47","doi-asserted-by":"publisher","DOI":"10.1016\/j.cose.2025.104452","volume":"154","author":"N Rahimi","year":"2025","unstructured":"Rahimi N, Schuelke-Leech BA, Mirhassani M (2025) A comprehensive review of security vulnerabilities in heavy-duty vehicles: comparative insights and current research gaps. Comput Secur 154:104452","journal-title":"Comput Secur"},{"key":"505_CR48","doi-asserted-by":"crossref","unstructured":"Rajapaksha S, Rani R, Karafili E (2024) A rag-based question-answering solution for cyber-attack investigation and attribution. In: Proceedings of the 2024 European symposium on research in computer security. Springer, pp 238\u2013256","DOI":"10.1007\/978-3-031-82362-6_15"},{"key":"505_CR49","doi-asserted-by":"crossref","unstructured":"Ranade P, Piplai A, Joshi A, Finin T (2021) Cybert: contextualized embeddings for the cybersecurity domain. In: Proceedings of the 2021 IEEE international conference on big data (big data). IEEE, pp 3334\u20133342","DOI":"10.1109\/BigData52589.2021.9671824"},{"key":"505_CR50","doi-asserted-by":"publisher","first-page":"5695","DOI":"10.1109\/TKDE.2022.3175719","volume":"35","author":"Y Ren","year":"2022","unstructured":"Ren Y, Xiao Y, Zhou Y, Zhang Z, Tian Z (2022) Cskg4apt: a cybersecurity knowledge graph for advanced persistent threat organization attribution. IEEE Trans Knowl Data Eng 35:5695\u20135709","journal-title":"IEEE Trans Knowl Data Eng"},{"key":"505_CR51","doi-asserted-by":"crossref","unstructured":"Satvat K, Gjomemo R, Venkatakrishnan V (2021) Extractor: extracting attack behavior from threat reports. 
In: Proceedings of the 2021 IEEE European symposium on security and privacy (EuroS&P). IEEE, pp 598\u2013615","DOI":"10.1109\/EuroSP51992.2021.00046"},{"key":"505_CR52","doi-asserted-by":"crossref","unstructured":"Schwartz Y, Ben-Shimol L, Mimran D, Elovici Y, Shabtai A (2025) Llmcloudhunter: harnessing llms for automated extraction of detection rules from cloud-based cti. In: Proceedings of the ACM on web conference 2025, pp 1922\u20131941","DOI":"10.1145\/3696410.3714798"},{"key":"505_CR53","unstructured":"Shi F, Chen X, Misra K, Scales N, Dohan D, Chi EH, Sch\u00e4rli N, Zhou D (2023) Large language models can be easily distracted by irrelevant context. In: Proceedings of the 2023 international conference on machine learning, PMLR, pp 31210\u201331227"},{"key":"505_CR54","doi-asserted-by":"publisher","DOI":"10.1016\/j.cose.2024.103848","volume":"142","author":"Z Shi","year":"2024","unstructured":"Shi Z, Li H, Zhao D, Pan C (2024) Research on quality assessment methods for cybersecurity knowledge graphs. Comput Secur 142:103848","journal-title":"Comput Secur"},{"key":"505_CR55","unstructured":"Siracusano G, Sanvito D, Gonzalez R, Srinivasan M, Kamatchi S, Takahashi W, Kawakita M, Kakumaru T, Bifulco R (2023) Time for action: automated analysis of cyber threat intelligence in the wild. arXiv preprint arXiv:2307.10214"},{"key":"505_CR56","unstructured":"Srikanth S, Hasanuzzaman M, Meem FT (2024) Evaluating the usability of llms in threat intelligence enrichment. arXiv preprint arXiv:2409.15072"},{"key":"505_CR57","doi-asserted-by":"publisher","DOI":"10.1016\/j.nlp.2024.100074","volume":"7","author":"F Sufi","year":"2024","unstructured":"Sufi F (2024) An innovative gpt-based open-source intelligence using historical cyber incident reports. 
Nat Lang Process J 7:100074","journal-title":"Nat Lang Process J"},{"key":"505_CR58","unstructured":"Sun J, Qian S, Han Z, Li W, Qian Z, Yang D, Cao J, Xue G (2025) Lkd-kgc: domain-specific kg construction via llm-driven knowledge dependency parsing. arXiv preprint arXiv:2505.24163"},{"issue":"5","key":"505_CR59","doi-asserted-by":"publisher","first-page":"1758","DOI":"10.1109\/TC.2025.3541143","volume":"74","author":"D Tang","year":"2025","unstructured":"Tang D, Dai R, Zuo C, Chen J, Li K, Qin Z (2025) A low-rate dos attack mitigation scheme based on port and traffic state in sdn. IEEE Trans Comput 74(5):1758\u20131770","journal-title":"IEEE Trans Comput"},{"key":"505_CR60","unstructured":"Touvron H, Lavril T, Izacard G, Martinet X, Lachaux MA, Lacroix T, Rozi\u00e8re B, Goyal N, Hambro E, Azhar F et\u00a0al (2023) Llama: open and efficient foundation language models. arXiv preprint arXiv:2302.13971"},{"key":"505_CR61","doi-asserted-by":"crossref","unstructured":"Wan Z, Cheng F, Mao Z, Liu Q, Song H, Li J, Kurohashi S (2023) Gpt-re: in-context learning for relation extraction using large language models. arXiv preprint arXiv:2305.02105","DOI":"10.18653\/v1\/2023.emnlp-main.214"},{"key":"505_CR62","doi-asserted-by":"publisher","first-page":"2912","DOI":"10.1109\/TMM.2025.3557717","volume":"27","author":"Q Wang","year":"2025","unstructured":"Wang Q, Li C, Liu Y, Zhu Q, Song J, Shen T (2025) An adaptive framework embedded with llm for knowledge graph construction. IEEE Trans Multimed 27:2912\u20132923","journal-title":"IEEE Trans Multimed"},{"key":"505_CR63","doi-asserted-by":"crossref","unstructured":"Xiong C, Power R, Callan J (2017) Explicit semantic ranking for academic search via knowledge graph embedding. 
In: Proceedings of the 26th international conference on world wide web, pp 1271\u20131279","DOI":"10.1145\/3038912.3052558"},{"key":"505_CR64","unstructured":"Xu M, Wang H, Liu J, Lin Y, Liu CXY, Lim HW, Dong JS (2024) Intelex: a llm-driven attack-level threat intelligence extraction framework. arXiv preprint arXiv:2412.10872"},{"key":"505_CR65","doi-asserted-by":"crossref","unstructured":"Xu H, Si C, Wang C, Sun P, Liu Q et\u00a0al (2025) Aptsniffer: detecting apt attack traffic using retrieval-augmented large language models. In: Proceedings of the 2025 IEEE international conference on acoustics, speech and signal processing (ICASSP). IEEE, pp 1\u20135","DOI":"10.1109\/ICASSP49660.2025.10888022"},{"key":"505_CR66","first-page":"58","volume":"43","author":"X Yang","year":"2022","unstructured":"Yang X, Peng G, Li Z, Lyu Y, Liu S, Li C (2022) Research on entity recognition and alignment of apt attack based on bert and bilstm-crf. J Commun 43:58\u201370","journal-title":"J Commun"},{"key":"505_CR67","doi-asserted-by":"publisher","first-page":"202","DOI":"10.23919\/JCC.fa.2022-0509.202311","volume":"20","author":"X Yang","year":"2023","unstructured":"Yang X, Peng G, Zhang D, Gao Y, Li C (2023) Powerdetector: malicious powershell script family classification based on multi-modal semantic fusion and deep learning. China Commun 20:202\u2013224","journal-title":"China Commun"},{"key":"505_CR68","first-page":"203","volume":"36","author":"X Yang","year":"2025","unstructured":"Yang X, Peng G, Liu S, Tian Y, Li C, Fu J (2025) Survey on attribution and inference research for apt attacks. J Softw 36:203\u2013252","journal-title":"J Softw"},{"key":"505_CR69","doi-asserted-by":"publisher","DOI":"10.1016\/j.cose.2024.104220","volume":"150","author":"Y Zhang","year":"2025","unstructured":"Zhang Y, Du T, Ma Y, Wang X, Xie Y, Yang G, Lu Y, Chang EC (2025) Attackg+: boosting attack graph construction with large language models. 
Comput Secur 150:104220","journal-title":"Comput Secur"},{"key":"505_CR70","doi-asserted-by":"publisher","DOI":"10.1016\/j.cose.2023.103524","volume":"136","author":"X Zhao","year":"2024","unstructured":"Zhao X, Jiang R, Han Y, Li A, Peng Z (2024) A survey on cybersecurity knowledge graph construction. Comput Secur 136:103524","journal-title":"Comput Secur"},{"key":"505_CR71","doi-asserted-by":"crossref","unstructured":"Zhou Y, Wang Z, Jiang Y, Ma B, Wang R, Liu Y, Zhao Y, Tian Z (2025) Aekg4apt: an ai-enhanced knowledge graph for advanced persistent threats with large language model analysis. ACM Trans Intell Syst Technol","DOI":"10.1145\/3735645"}],"container-title":["Cybersecurity"],"original-title":[],"language":"en","link":[{"URL":"https:\/\/link.springer.com\/content\/pdf\/10.1186\/s42400-025-00505-y.pdf","content-type":"application\/pdf","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/link.springer.com\/article\/10.1186\/s42400-025-00505-y","content-type":"text\/html","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/link.springer.com\/content\/pdf\/10.1186\/s42400-025-00505-y.pdf","content-type":"application\/pdf","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2026,1,16]],"date-time":"2026-01-16T07:14:42Z","timestamp":1768547682000},"score":1,"resource":{"primary":{"URL":"https:\/\/link.springer.com\/10.1186\/s42400-025-00505-y"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2026,1,16]]},"references-count":71,"journal-issue":{"issue":"1","published-online":{"date-parts":[[2026,12]]}},"alternative-id":["505"],"URL":"https:\/\/doi.org\/10.1186\/s42400-025-00505-y","relation":{},"ISSN":["2523-3246"],"issn-type":[{"value":"2523-3246","type":"electronic"}],"subject":[],"published":{"date-parts":[[2026,1,16]]},"assertion":[{"value":"21 July 
2025","order":1,"name":"received","label":"Received","group":{"name":"ArticleHistory","label":"Article History"}},{"value":"3 November 2025","order":2,"name":"accepted","label":"Accepted","group":{"name":"ArticleHistory","label":"Article History"}},{"value":"16 January 2026","order":3,"name":"first_online","label":"First Online","group":{"name":"ArticleHistory","label":"Article History"}},{"order":1,"name":"Ethics","group":{"name":"EthicsHeading","label":"Declarations"}},{"value":"The authors declare that they have no known competing financial interests or personal relationships that could have appeared to influence the work reported in this paper.","order":2,"name":"Ethics","group":{"name":"EthicsHeading","label":"Competing interests"}}],"article-number":"106"}}