The increasing complexity of critical infrastructure necessitates precise threat modeling, yet creating Domain-Specific Languages (DSLs) using the Meta Attack Language (MAL) framework remains a labor-intensive bottleneck requiring dual expertise in domain security and formal grammar. This paper introduces and showcases MAL-LLM, a web-based application designed to operationalize automated threat modeling by transforming unstructured incident reports into syntactically accurate, compilable MAL languages. Leveraging a scalable architecture, the system utilizes Google’s Gemini Pro 3.0 combined with a Retrieval-Augmented Generation (RAG) pipeline to ground generation in standardized security knowledge (CAPEC). A key innovation is the enforcement of structural constraints via Pydantic schemas and a ’compiler-in-the-loop’ validation process, which checks for syntax errors common in traditional Large Language Model outputs.
Thomas Ricardo Pathe (Thu,) studied this question.