{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,1,25]],"date-time":"2026-01-25T06:45:37Z","timestamp":1769323537380,"version":"3.49.0"},"reference-count":34,"publisher":"MDPI AG","issue":"3","license":[{"start":{"date-parts":[[2025,9,3]],"date-time":"2025-09-03T00:00:00Z","timestamp":1756857600000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/creativecommons.org\/licenses\/by\/4.0\/"}],"content-domain":{"domain":[],"crossmark-restriction":false},"short-container-title":["JCP"],"abstract":"The increasing complexity and scale of cyber threats demand advanced, automated methodologies for extracting actionable cyber threat intelligence (CTI). The automated extraction of Tactics, Techniques, and Procedures (TTPs) from unstructured threat reports remains a challenging task, constrained by the scarcity of labeled data, severe class imbalance, semantic variability, and the complexity of multi-class, multi-label learning for fine-grained classification. To address these challenges, this work proposes the Threat Intelligence Extraction Framework (TIEF) designed to autonomously extract Indicators of Compromise (IOCs) from heterogeneous textual threat reports and represent them by the STIX 2.1 standard for standardized sharing. TIEF employs the DistilBERT Base-Uncased model as its backbone, achieving an F1 score of 0.933 for multi-label TTP classification, while operating with 40% fewer parameters than traditional BERT-base models and preserving 97% of their predictive performance. Distinguishing itself from existing methodologies such as TTPDrill, TTPHunter, and TCENet, TIEF incorporates a multi-label classification scheme capable of covering 560 MITRE ATT&CK classes comprising techniques and sub-techniques, thus facilitating a more granular and semantically precise characterization of adversarial behaviors. BERTopic modeling integration enabled the clustering of semantically similar textual segments and captured the variations in threat report narratives. By operationalizing sub-technique-level discrimination, TIEF contributes to context-aware automated threat detection.<\/jats:p>","DOI":"10.3390\/jcp5030063","type":"journal-article","created":{"date-parts":[[2025,9,3]],"date-time":"2025-09-03T15:15:57Z","timestamp":1756912557000},"page":"63","update-policy":"https:\/\/doi.org\/10.3390\/mdpi_crossmark_policy","source":"Crossref","is-referenced-by-count":1,"title":["Threat Intelligence Extraction Framework (TIEF) for TTP Extraction"],"prefix":"10.3390","volume":"5","author":[{"ORCID":"https:\/\/orcid.org\/0009-0001-2456-2847","authenticated-orcid":false,"given":"Anooja","family":"Joy","sequence":"first","affiliation":[{"name":"Department of Computer Engineering and Information Technology, Veermata Jijabai Technological Institute, Mumbai 400019, Maharashtra, India"}]},{"ORCID":"https:\/\/orcid.org\/0000-0002-2872-4647","authenticated-orcid":false,"given":"Madhav","family":"Chandane","sequence":"additional","affiliation":[{"name":"Department of Computer Engineering and Information Technology, Veermata Jijabai Technological Institute, Mumbai 400019, Maharashtra, India"}]},{"ORCID":"https:\/\/orcid.org\/0009-0003-1266-3709","authenticated-orcid":false,"given":"Yash","family":"Nagare","sequence":"additional","affiliation":[{"name":"Department of Cyber Security, Shah and Anchor Kutchhi Engineering College, Mahavir Education Trust Chowk, Mumbai 400088, Maharashtra, India"}]},{"ORCID":"https:\/\/orcid.org\/0000-0002-6551-3021","authenticated-orcid":false,"given":"Faruk","family":"Kazi","sequence":"additional","affiliation":[{"name":"Department of Electrical Engineering, Veermata Jijabai Technological Institute, Mumbai 400019, Maharashtra, India"}]}],"member":"1968","published-online":{"date-parts":[[2025,9,3]]},"reference":[{"key":"ref_1","doi-asserted-by":"crossref","unstructured":"Abdullahi, M., Baashar, Y., Alhussian, H., Alwadain, A., Aziz, N., Capretz, L.F., and Abdulkadir, S.J. (2022). Detecting cybersecurity attacks in internet of things using artificial intelligence methods: A systematic literature review. Electronics, 11.","DOI":"10.3390\/electronics11020198"},{"key":"ref_2","doi-asserted-by":"crossref","first-page":"3","DOI":"10.1007\/978-3-031-12419-8_1","article-title":"Artificial intelligence for cybersecurity: Threats, attacks and mitigation","volume":"231","author":"Chakraborty","year":"2023","journal-title":"Artif. Intell. Societal Issues"},{"key":"ref_3","doi-asserted-by":"crossref","first-page":"1","DOI":"10.1145\/3696790","article-title":"Flora+: Energy-efficient, reliable, beamforming-assisted, and secure over-the-air firmware update in lora networks","volume":"20","author":"Sun","year":"2024","journal-title":"ACM Trans. Sens. Netw."},{"key":"ref_4","doi-asserted-by":"crossref","unstructured":"Li, J., Wu, S., Zhou, H., Luo, X., Wang, T., Liu, Y., and Ma, X. (2022, January 24\u201328). Packet-level open-world app fingerprinting on wireless traffic. Proceedings of the The 2022 Network and Distributed System Security Symposium (NDSS\u201922), San Diego, CA, USA.","DOI":"10.14722\/ndss.2022.24210"},{"key":"ref_5","unstructured":"Ni, T., Lan, G., Wang, J., Zhao, Q., and Xu, W. (2023, January 9\u201311). Eavesdropping mobile app activity via {Radio-Frequency} energy harvesting. Proceedings of the 32nd USENIX Security Symposium (USENIX Security 23), Anaheim, CA, USA."},{"key":"ref_6","doi-asserted-by":"crossref","first-page":"1321","DOI":"10.1109\/TNSM.2021.3056999","article-title":"From TTP to IoC: Advanced persistent graphs for threat hunting","volume":"18","author":"Berady","year":"2021","journal-title":"IEEE Trans. Netw. Serv. Manage."},{"key":"ref_7","doi-asserted-by":"crossref","first-page":"3","DOI":"10.1186\/s42400-021-00106-5","article-title":"TIM: Threat context-enhanced TTP intelligence mining on unstructured threat data","volume":"5","author":"You","year":"2022","journal-title":"Cybersecurity"},{"key":"ref_8","unstructured":"(2025, April 15). Highly Evasive Attacker Leverages SolarWinds Supply Chain to Compromise Multiple Global Victims With SUNBURST Backdoor. Available online: https:\/\/cloud.google.com\/blog\/topics\/threat-intelligence\/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor."},{"key":"ref_9","doi-asserted-by":"crossref","first-page":"6371","DOI":"10.1109\/JIOT.2025.3528744","article-title":"Advanced Persistent Threats Based on Supply Chain Vulnerabilities: Challenges, Solutions, and Future Directions","volume":"12","author":"Tan","year":"2025","journal-title":"IEEE Internet Things J."},{"key":"ref_10","unstructured":"Froudakis, E., Avgetidis, A., Frankum, S.T., Perdisci, R., Antonakakis, M., and Keromytis, A. (2025). Uncovering Reliable Indicators: Improving IoC Extraction from Threat Reports. arXiv."},{"key":"ref_11","doi-asserted-by":"crossref","unstructured":"Badger, L., Johnson, C., Waltermire, D., Snyder, J., and Skorupka, C. (2016). Guide to Cyber Threat Information Sharing. National Institute of Standards and Technology (NIST), National Institute of Standards and Technology (NIST).","DOI":"10.6028\/NIST.SP.800-150"},{"key":"ref_12","unstructured":"(2024, November 15). MITRE ATT&CK Framework. Available online: https:\/\/attack.mitre.org."},{"key":"ref_13","doi-asserted-by":"crossref","unstructured":"Husari, G., Al-Shaer, E., Ahmed, M., Chu, B., and Niu, X. (2017, January 4\u20138). Ttpdrill: Automatic and accurate extraction of threat actions from unstructured text of cti sources. Proceedings of the 33rd Annual Computer Security Applications Conference, Orlando, FL, USA.","DOI":"10.1145\/3134600.3134646"},{"key":"ref_14","unstructured":"Legoy, V., Caselli, M., Seifert, C., and Peter, A. (2020). Automated Retrieval of ATT&CK Tactics and Techniques for Cyber Threat Reports. arXiv."},{"key":"ref_15","doi-asserted-by":"crossref","unstructured":"Aghaei, E., Niu, X., Shadid, W., and Al-Shaer, E. (2022, January 17\u201319). Securebert: A domain-specific language model for cybersecurity. Proceedings of the International Conference on Security and Privacy in Communication Systems, Kansas City, MO, USA.","DOI":"10.1007\/978-3-031-25538-0_3"},{"key":"ref_16","doi-asserted-by":"crossref","unstructured":"Park, Y., and You, W. (2023, January 6\u201310). A Pretrained Language Model for Cyber Threat Intelligence. Proceedings of the 2023 Conference on Empirical Methods in Natural Language Processing: Industry Track, Resorts World Convention Centre, Singapore.","DOI":"10.18653\/v1\/2023.emnlp-industry.12"},{"key":"ref_17","doi-asserted-by":"crossref","unstructured":"Alves, P.M., Geraldo Filho, P., and Gon\u00e7alves, V.P. (2022, January 17\u201318). Leveraging BERT\u2019s Power to Classify TTP from Unstructured Text. Proceedings of the 2022 Workshop on Communication Networks and Power Systems (WCNPS), Fortaleza, Brazil.","DOI":"10.1109\/WCNPS56355.2022.9969697"},{"key":"ref_18","doi-asserted-by":"crossref","unstructured":"Chen, S.S., Hwang, R.H., Sun, C.Y., Lin, Y.D., and Pai, T.W. (2023, January 4\u20138). Enhancing cyber threat intelligence with named entity recognition using bert-crf. Proceedings of the GLOBECOM 2023-2023 IEEE Global Communications Conference, Kuala Lumpur, Malaysia.","DOI":"10.1109\/GLOBECOM54140.2023.10436853"},{"key":"ref_19","doi-asserted-by":"crossref","first-page":"5021125","DOI":"10.1155\/2022\/5021125","article-title":"Comparative experiment on TTP classification with class imbalance using oversampling from CTI dataset","volume":"2022","author":"Kim","year":"2022","journal-title":"Secur. Commun. Netw."},{"key":"ref_20","doi-asserted-by":"crossref","unstructured":"Rani, N., Saha, B., Maurya, V., and Shukla, S.K. (February, January 31). TTPHunter: Automated Extraction of Actionable Intelligence as TTPs from Narrative Threat Reports. Proceedings of the 2023 Australasian Computer Science Week, Melbourne, Australia.","DOI":"10.1145\/3579375.3579391"},{"key":"ref_21","doi-asserted-by":"crossref","first-page":"1","DOI":"10.1145\/3696427","article-title":"TTPXHunter: Actionable Threat Intelligence Extraction as TTPs from Finished Cyber Threat Reports","volume":"5","author":"Rani","year":"2024","journal-title":"Dig. Threats Res. Pract."},{"key":"ref_22","unstructured":"Casta\u00f1o, F., Gil Lerchundi, A., Orduna Urrutia, R., Fernandez, E.F., and Alaiz-Rodr\u0131guez, R. (2024, January 27\u201329). Automating Cybersecurity TTP Classification Based on Unstructured Attack Descriptions. Proceedings of the IX Jornadas Nacionales de Investigaci\u00f3n En Ciberseguridad, Sevilla, Spain."},{"key":"ref_23","unstructured":"Albarrak, M., Pergola, G., and Jhumka, A. (2024, January 29\u201330). U-BERTopic: An urgency-aware BERT-Topic modeling approach for detecting cyberSecurity issues via social media. Proceedings of the First International Conference on Natural Language Processing and Artificial Intelligence for Cyber Security, Lancaster, UK."},{"key":"ref_24","doi-asserted-by":"crossref","unstructured":"Zhong, X., Zhang, Y., and Liu, J. (2025). PenQA: A Comprehensive Instructional Dataset for Enhancing Penetration Testing Capabilities in Language Models. Appl. Sci., 15.","DOI":"10.3390\/app15042117"},{"key":"ref_25","doi-asserted-by":"crossref","unstructured":"Demirol, D., Das, R., and Hanbay, D. (2025). A Novel Approach for Cyber Threat Analysis Systems Using BERT Model from Cyber Threat Intelligence Data. Symmetry, 17.","DOI":"10.3390\/sym17040587"},{"key":"ref_26","doi-asserted-by":"crossref","unstructured":"Li, Z.X., Li, Y.J., Liu, Y.W., Liu, C., and Zhou, N.X. (2023). K-CTIAA: Automatic Analysis of Cyber Threat Intelligence Based on a Knowledge Graph. Symmetry, 15.","DOI":"10.3390\/sym15020337"},{"key":"ref_27","first-page":"50805","article-title":"Ctibench: A benchmark for evaluating llms in cyber threat intelligence","volume":"37","author":"Alam","year":"2024","journal-title":"Adv. Neural Inf. Process. Syst."},{"key":"ref_28","unstructured":"Yong, J., Ma, H., Ma, Y., Yusof, A., Liang, Z., and Chang, E.C. (2025). AttackSeqBench: Benchmarking Large Language Models\u2019 Understanding of Sequential Patterns in Cyber Attacks. arXiv."},{"key":"ref_29","doi-asserted-by":"crossref","unstructured":"Zhang, J., Wen, H., Li, L., and Zhu, H. (2024, January 17\u201321). UniTTP: A Unified Framework for Tactics, Techniques, and Procedures Mapping in Cyber Threats. Proceedings of the 2024 IEEE 23rd International Conference on Trust, Security and Privacy in Computing and Communications (TrustCom), Sanya, China.","DOI":"10.1109\/TrustCom63139.2024.00218"},{"key":"ref_30","unstructured":"Meng, C., Jiang, Z., Wang, Q., Li, X., Ma, C., Dong, F., Ren, F., and Liu, B. (2025). Instantiating Standards: Enabling Standard-Driven Text TTP Extraction with Evolvable Memory. arXiv."},{"key":"ref_31","unstructured":"(2025, July 31). MITRE ATT&CK\u2014Techniques. Available online: https:\/\/attack.mitre.org\/techniques."},{"key":"ref_32","unstructured":"(2025, July 31). APT_REPORT: Collection of APT Campaign Reports. Available online: https:\/\/github.com\/blackorbird\/APT_REPORT.git."},{"key":"ref_33","unstructured":"(2025, July 31). CTI-HAL: Cyber Threat Intelligence\u2014Hierarchical Attention Learning. Available online: https:\/\/github.com\/dessertlab\/CTI-HAL."},{"key":"ref_34","unstructured":"(2025, July 31). CTI-Bench: A Benchmark Dataset for Cyber Threat Intelligence Evaluation. Available online: https:\/\/github.com\/xashru\/cti-bench."}],"container-title":["Journal of Cybersecurity and Privacy"],"original-title":[],"language":"en","link":[{"URL":"https:\/\/www.mdpi.com\/2624-800X\/5\/3\/63\/pdf","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2025,10,9]],"date-time":"2025-10-09T18:38:30Z","timestamp":1760035110000},"score":1,"resource":{"primary":{"URL":"https:\/\/www.mdpi.com\/2624-800X\/5\/3\/63"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2025,9,3]]},"references-count":34,"journal-issue":{"issue":"3","published-online":{"date-parts":[[2025,9]]}},"alternative-id":["jcp5030063"],"URL":"https:\/\/doi.org\/10.3390\/jcp5030063","relation":{},"ISSN":["2624-800X"],"issn-type":[{"value":"2624-800X","type":"electronic"}],"subject":[],"published":{"date-parts":[[2025,9,3]]}}}