{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,3,24]],"date-time":"2026-03-24T15:20:06Z","timestamp":1774365606719,"version":"3.50.1"},"reference-count":47,"publisher":"MDPI AG","issue":"4","license":[{"start":{"date-parts":[[2025,4,11]],"date-time":"2025-04-11T00:00:00Z","timestamp":1744329600000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/creativecommons.org\/licenses\/by\/4.0\/"}],"content-domain":{"domain":[],"crossmark-restriction":false},"short-container-title":["Symmetry"],"abstract":"<jats:p>As today\u2019s cybersecurity environment is becoming increasingly complex, it is crucial to analyse threats quickly and effectively. A delayed response or lack of foresight can lead to data loss, reputational damage, and operational disruptions. Therefore, developing methods that can rapidly extract valuable threat intelligence is a critical need to strengthen defence strategies and minimise potential damage. This paper presents an innovative approach that integrates knowledge graphs and a fine-tuned BERT-based model to analyse cyber threat intelligence (CTI) data. The proposed system extracts cyber entities such as threat actors, malware, campaigns, and targets from unstructured threat reports and establishes their relationships using an ontology-driven framework. A named entity recognition dataset was created and a BERT-based model was trained. To address the class imbalance, oversampling and a focal loss function were applied, achieving an F1 score of 96%. The extracted entities and relationships were visualised and analysed using knowledge graphs, enabling the advanced threat analysis and prediction of potential attack targets. This approach enhances cyber-attack prediction and prevention through knowledge graphs.<\/jats:p>","DOI":"10.3390\/sym17040587","type":"journal-article","created":{"date-parts":[[2025,4,14]],"date-time":"2025-04-14T09:06:51Z","timestamp":1744621611000},"page":"587","update-policy":"https:\/\/doi.org\/10.3390\/mdpi_crossmark_policy","source":"Crossref","is-referenced-by-count":8,"title":["A Novel Approach for Cyber Threat Analysis Systems Using BERT Model from Cyber Threat Intelligence Data"],"prefix":"10.3390","volume":"17","author":[{"ORCID":"https:\/\/orcid.org\/0000-0002-3272-1078","authenticated-orcid":false,"given":"Doygun","family":"Demirol","sequence":"first","affiliation":[{"name":"Department of Computer Technologies, Bing\u00f6l University, 12000 Bing\u00f6l, T\u00fcrkiye"}]},{"ORCID":"https:\/\/orcid.org\/0000-0002-6113-4649","authenticated-orcid":false,"given":"Resul","family":"Das","sequence":"additional","affiliation":[{"name":"Department of Software Engineering, Technology Faculty, F\u0131rat University, 23119 Elaz\u0131\u011f, T\u00fcrkiye"}]},{"ORCID":"https:\/\/orcid.org\/0000-0003-2271-7865","authenticated-orcid":false,"given":"Davut","family":"Hanbay","sequence":"additional","affiliation":[{"name":"Department of Computer Engineering, Engineering Faculty, \u0130n\u00f6n\u00fc University, 44000 Malatya, T\u00fcrkiye"}]}],"member":"1968","published-online":{"date-parts":[[2025,4,11]]},"reference":[{"key":"ref_1","doi-asserted-by":"crossref","first-page":"1335","DOI":"10.1007\/s11760-022-02341-w","article-title":"A key review on security and privacy of big data: Issues, challenges, and future research directions","volume":"17","author":"Demirol","year":"2022","journal-title":"Signal Image Video Process."},{"key":"ref_2","unstructured":"Kong, L., Huang, T., Zhu, Y., and Yu, S. (2020). Fundamentals of big data in radio astronomy. Big Data in Astronomy, Elsevier."},{"key":"ref_3","first-page":"1","article-title":"Extracting value from chaos","volume":"1142","author":"Gantz","year":"2011","journal-title":"IDC IVIEW"},{"key":"ref_4","doi-asserted-by":"crossref","first-page":"100615","DOI":"10.1016\/j.iot.2022.100615","article-title":"A comprehensive review on detection of cyber-attacks: Data sets, methods, challenges, and future research directions","volume":"20","author":"Ahmetoglu","year":"2022","journal-title":"Internet Things"},{"key":"ref_5","first-page":"9875199","article-title":"CTI View: APT Threat Intelligence Analysis System","volume":"2022","author":"Zhou","year":"2022","journal-title":"Secur. Commun. Netw."},{"key":"ref_6","doi-asserted-by":"crossref","first-page":"211691","DOI":"10.1109\/ACCESS.2020.3039234","article-title":"Creating Cybersecurity Knowledge Graphs From Malware After Action Reports","volume":"8","author":"Piplai","year":"2020","journal-title":"IEEE Access"},{"key":"ref_7","doi-asserted-by":"crossref","first-page":"107524","DOI":"10.1016\/j.knosys.2021.107524","article-title":"Open-CyKG: An Open Cyber Threat Intelligence Knowledge Graph","volume":"233","author":"Sarhan","year":"2021","journal-title":"Knowl.-Based Syst."},{"key":"ref_8","unstructured":"Meta (2023, December 13). ThreatExchange: A Threat Intelligence Sharing Platform. Available online: https:\/\/developers.facebook.com\/products\/threat-exchange\/."},{"key":"ref_9","unstructured":"Symantec (2023, January 25). Symantec Enterprise Blogs-Threat Intelligence. Available online: https:\/\/symantec-enterprise-blogs.security.com\/blogs\/threat-intelligence."},{"key":"ref_10","unstructured":"Sean, B. (2023, January 25). Standardising Cyber Threat Intelligence Information with the Structured Threat Information eXpression. Available online: https:\/\/stixproject.github.io\/about\/STIX_Whitepaper_v1.1.pdf."},{"key":"ref_11","unstructured":"MITRE (2023, January 25). MAEC-Malware Attribute Enumeration and Characterization. Available online: https:\/\/maecproject.github.io\/."},{"key":"ref_12","doi-asserted-by":"crossref","unstructured":"Husari, G., Al-Shaer, E., Ahmed, M., Chu, B., and Niu, X. (2017, January 4\u20138). TTPDrill: Automatic and Accurate Extraction of Threat Actions from Unstructured Text of CTI Sources. Proceedings of the 33rd Annual Computer Security Applications Conference, Orlando, FL, USA.","DOI":"10.1145\/3134600.3134646"},{"key":"ref_13","doi-asserted-by":"crossref","unstructured":"Jones, C.L., Bridges, R.A., Huffer, K.M.T., and Goodall, J.R. (2015, January 7\u20139). Towards a Relation Extraction Framework for Cyber-Security Concepts. Proceedings of the 10th Annual Cyber and Information Security Research Conference, Oak Ridge, TN, USA.","DOI":"10.1145\/2746266.2746277"},{"key":"ref_14","doi-asserted-by":"crossref","first-page":"101586","DOI":"10.1016\/j.is.2020.101586","article-title":"Processing tweets for cybersecurity threat awareness","volume":"95","author":"Alves","year":"2021","journal-title":"Inf. Syst."},{"key":"ref_15","doi-asserted-by":"crossref","unstructured":"Kim, E., Kim, K., Shin, D., Jin, B., and Kim, H. (2018, January 20\u201322). CyTIME: Cyber Threat Intelligence ManagEment framework for automatically generating security rules. Proceedings of the 13th International Conference on Future Internet Technologies, Seoul, Republic of Korea.","DOI":"10.1145\/3226052.3226056"},{"key":"ref_16","first-page":"5586335:1","article-title":"EX-Action: Automatically Extracting Threat Actions from Cyber Threat Intelligence Report Based on Multimodal Learning","volume":"2021","author":"Zhang","year":"2021","journal-title":"Secur. Commun. Netw."},{"key":"ref_17","unstructured":"Alam, M.T., Bhusal, D., Park, Y., and Rastogi, N. (2022). CyNER: A Python Library for Cybersecurity Named Entity Recognition. arXiv."},{"key":"ref_18","doi-asserted-by":"crossref","unstructured":"Zhu, Z., and Dumitras, T. (2018, January 24\u201326). ChainSmith: Automatically Learning the Semantics of Malicious Campaigns by Mining Threat Intelligence Reports. Proceedings of the 2018 IEEE European Symposium on Security and Privacy (EuroS&P), London, UK.","DOI":"10.1109\/EuroSP.2018.00039"},{"key":"ref_19","doi-asserted-by":"crossref","unstructured":"Ahmetoglu, H., and Das, R. (2020, January 5\u20137). Analysis of Feature Selection Approaches in Large Scale Cyber Intelligence Data with Deep Learning. Proceedings of the 2020 28th Signal Processing and Communications Applications Conference (SIU), Gaziantep, Turkey.","DOI":"10.1109\/SIU49456.2020.9302200"},{"key":"ref_20","doi-asserted-by":"crossref","first-page":"227","DOI":"10.1016\/j.future.2019.02.013","article-title":"A machine learning-based FinTech cyber threat attribution framework using high-level indicators of compromise","volume":"96","author":"Noor","year":"2019","journal-title":"Future Gener. Comput. Syst."},{"key":"ref_21","doi-asserted-by":"crossref","first-page":"872","DOI":"10.1631\/FITEE.1800520","article-title":"A network security entity recognition method based on feature template and CNN-BiLSTM-CRF","volume":"20","author":"Qin","year":"2019","journal-title":"Front. Inf. Technol. Electron. Eng."},{"key":"ref_22","doi-asserted-by":"crossref","unstructured":"Bose, A., Behzadan, V., Aguirre, C., and Hsu, W.H. (2019, January 27\u201330). A novel approach for detection and ranking of trendy and emerging cyber threat events in Twitter streams. Proceedings of the 2019 IEEE\/ACM International Conference on Advances in Social Networks Analysis and Mining, Vancouver, BC, Canada.","DOI":"10.1145\/3341161.3344379"},{"key":"ref_23","doi-asserted-by":"crossref","first-page":"259","DOI":"10.26599\/TST.2019.9010033","article-title":"Cybersecurity named entity recognition using bidirectional long short-term memory with conditional random fields","volume":"26","author":"Ma","year":"2021","journal-title":"Tsinghua Sci. Technol."},{"key":"ref_24","doi-asserted-by":"crossref","first-page":"6268476","DOI":"10.1155\/2019\/6268476","article-title":"Automated Dataset Generation System for Collaborative Research of Cyber Threat Analysis","volume":"2019","author":"Kim","year":"2019","journal-title":"Secur. Commun. Netw."},{"key":"ref_25","doi-asserted-by":"crossref","first-page":"6417407","DOI":"10.1155\/2019\/6417407","article-title":"Multifeature Named Entity Recognition in Information Security Based on Adversarial Learning","volume":"2019","author":"Zhang","year":"2019","journal-title":"Secur. Commun. Netw."},{"key":"ref_26","doi-asserted-by":"crossref","unstructured":"Georgescu, T.M., Iancu, B., and Zurini, M. (2019). Named-Entity-Recognition-Based Automated System for Diagnosing Cybersecurity Situations in IoT Networks. Sensors, 19.","DOI":"10.3390\/s19153380"},{"key":"ref_27","doi-asserted-by":"crossref","unstructured":"Sun, T., Yang, P., Li, M., and Liao, S. (2021). An Automatic Generation Approach of the Cyber Threat Intelligence Records Based on Multi-Source Information Fusion. Future Internet, 13.","DOI":"10.3390\/fi13020040"},{"key":"ref_28","doi-asserted-by":"crossref","unstructured":"Wu, H., Li, X., and Gao, Y. (2020, January 12\u201314). An Effective Approach of Named Entity Recognition for Cyber Threat Intelligence. Proceedings of the 2020 IEEE 4th Information Technology, Networking, Electronic and Automation Control Conference (ITNEC), Chongqing, China.","DOI":"10.1109\/ITNEC48623.2020.9085102"},{"key":"ref_29","doi-asserted-by":"crossref","unstructured":"Thampi, S.M., Hegde, R.M., Krishnan, S., Mukhopadhyay, J., Chaudhary, V., Marques, O., Piramuthu, S., and Corchado, J.M. (2019, January 18\u201321). Deep Learning Approach for Intelligent Named Entity Recognition of Cyber Security. Proceedings of the Advances in Signal Processing and Intelligent Recognition Systems, Trivandrum, India.","DOI":"10.1007\/978-981-15-4828-4"},{"key":"ref_30","doi-asserted-by":"crossref","first-page":"2341","DOI":"10.1007\/s13042-020-01122-6","article-title":"Automatic extraction of named entities of cyber threats using a deep Bi-LSTM-CRF network","volume":"11","author":"Kim","year":"2020","journal-title":"Int. J. Mach. Learn. Cybern."},{"key":"ref_31","doi-asserted-by":"crossref","first-page":"104194","DOI":"10.1016\/j.cose.2024.104194","article-title":"Hyper attack graph: Constructing a hypergraph for cyber threat intelligence analysis","volume":"149","author":"Jia","year":"2025","journal-title":"Comput. Secur."},{"key":"ref_32","doi-asserted-by":"crossref","first-page":"449","DOI":"10.1016\/j.procs.2023.01.027","article-title":"Study of Word Embeddings for Enhanced Cyber Security Named Entity Recognition","volume":"218","author":"Srivastava","year":"2023","journal-title":"Procedia Comput. Sci."},{"key":"ref_33","doi-asserted-by":"crossref","first-page":"103579","DOI":"10.1016\/j.cose.2023.103579","article-title":"CyberEntRel: Joint extraction of cyber entities and relations using deep learning","volume":"136","author":"Ahmed","year":"2024","journal-title":"Comput. Secur."},{"key":"ref_34","doi-asserted-by":"crossref","unstructured":"Satvat, K., Gjomemo, R., and Venkatakrishnan, V.N. (2021, January 6\u201310). Extractor: Extracting Attack Behavior from Threat Reports. Proceedings of the 2021 IEEE European Symposium on Security and Privacy (EuroS&P), Vienna, Austria.","DOI":"10.1109\/EuroSP51992.2021.00046"},{"key":"ref_35","doi-asserted-by":"crossref","first-page":"103371","DOI":"10.1016\/j.cose.2023.103371","article-title":"A framework for threat intelligence extraction and fusion","volume":"132","author":"Guo","year":"2023","journal-title":"Comput. Secur."},{"key":"ref_36","doi-asserted-by":"crossref","first-page":"102763","DOI":"10.1016\/j.cose.2022.102763","article-title":"Vulcan: Automatic extraction and analysis of cyber threat intelligence from unstructured text","volume":"120","author":"Jo","year":"2022","journal-title":"Comput. Secur."},{"key":"ref_37","doi-asserted-by":"crossref","first-page":"103824","DOI":"10.1016\/j.cose.2024.103824","article-title":"KnowCTI: Knowledge-based cyber threat intelligence entity and relation extraction","volume":"141","author":"Wang","year":"2024","journal-title":"Comput. Secur."},{"key":"ref_38","unstructured":"Martinez, D.R., Streilein, W.W., Carter, K.M., and Sinha, A. (2016, January 12). UCO: A Unified Cybersecurity Ontology. Proceedings of the AAAI Workshop: Artificial Intelligence for Cyber Security, Phoenix, AZ, USA. AAAI Technical Report."},{"key":"ref_39","unstructured":"ESET (2024, August 09). WeLiveSecurity. Available online: https:\/\/www.welivesecurity.com."},{"key":"ref_40","unstructured":"Labs, F. (2024, August 09). FortiGuard Labs Threat Research. Available online: https:\/\/www.fortinet.com\/blog\/threat-research."},{"key":"ref_41","unstructured":"CyberMonitor (2024, August 09). APT Cyber Criminal Campaign Collections. Available online: https:\/\/github.com\/CyberMonitor\/APT_CyberCriminal_Campagin_Collections."},{"key":"ref_42","unstructured":"Fenniak, M. (2024, August 09). The PyPDF2 Library. Available online: https:\/\/pypi.org\/project\/PyPDF2\/."},{"key":"ref_43","unstructured":"MITRE Corporation (2023, December 14). MITRE ATT&CK Framework. Available online: https:\/\/attack.mitre.org."},{"key":"ref_44","unstructured":"MITRE Corporation (2024, December 14). Mitreattack-Python: Python Library for Interacting with the MITRE ATT&CK Framework. Available online: https:\/\/github.com\/mitre-attack\/mitreattack-python."},{"key":"ref_45","unstructured":"Devlin, J., Chang, M., Lee, K., and Toutanova, K. (2019). BERT: Pre-Training of Deep Bidirectional Transformers for Language Understanding, Association for Computational Linguistics."},{"key":"ref_46","doi-asserted-by":"crossref","first-page":"318","DOI":"10.1109\/TPAMI.2018.2858826","article-title":"Focal Loss for Dense Object Detection","volume":"42","author":"Lin","year":"2018","journal-title":"IEEE Trans. Pattern Anal. Mach. Intell."},{"key":"ref_47","doi-asserted-by":"crossref","first-page":"300","DOI":"10.17694\/bajece.1090145","article-title":"Graph visualization of cyber threat intelligence data for analysis of cyber attacks","volume":"10","author":"Sulu","year":"2022","journal-title":"Balk. J. Electr. Comput. Eng."}],"container-title":["Symmetry"],"original-title":[],"language":"en","link":[{"URL":"https:\/\/www.mdpi.com\/2073-8994\/17\/4\/587\/pdf","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2025,10,9]],"date-time":"2025-10-09T17:13:11Z","timestamp":1760029991000},"score":1,"resource":{"primary":{"URL":"https:\/\/www.mdpi.com\/2073-8994\/17\/4\/587"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2025,4,11]]},"references-count":47,"journal-issue":{"issue":"4","published-online":{"date-parts":[[2025,4]]}},"alternative-id":["sym17040587"],"URL":"https:\/\/doi.org\/10.3390\/sym17040587","relation":{},"ISSN":["2073-8994"],"issn-type":[{"value":"2073-8994","type":"electronic"}],"subject":[],"published":{"date-parts":[[2025,4,11]]}}}