Abstract

With the increasing frequency of APT attacks, cyber defense urgently demands high-quality threat intelligence support. Cyber threat intelligence (CTI) knowledge graphs have demonstrated significant potential in aiding threat detection and behavioral reasoning. However, existing CTI data often suffer from unstructured formats, fragmented knowledge, a reliance on manual annotation, and limited semantic mapping to attack techniques. These limitations hinder the robustness and accuracy of downstream reasoning tasks (e.g., attack attribution and intent inference). Moreover, traditional information extraction methods struggle to generalize in scenarios involving cross-paragraph dependencies, emerging threats, and low-resource samples, exhibiting weaknesses in context awareness and sensitivity to prompt variations. To this end, we propose CTI-Thinker, a novel system that integrates large language models with semantic alignment to the ATT&CK framework for CTI knowledge graph construction and threat reasoning. First, CTI-Thinker leverages in-context learning and LoRA-based fine-tuning to extract structured threat entities and relations. Then, it adopts vector-based alignment strategies to unify heterogeneous expressions, enabling entity normalization and knowledge fusion for constructing a high-quality CTI knowledge graph. Finally, a GraphRAG-based reasoning engine is built by incorporating the structured knowledge graph and external ATT&CK resources into a retrieval-augmented generation (RAG) framework, enabling tactical-level inference and CTI-driven question answering. Experimental results demonstrate that CTI-Thinker accurately extracts threat entities and relations and constructs a reliable CTI knowledge graph. It also effectively infers attack intent and supports intelligent reasoning. The system outperforms state-of-the-art methods in precision, robustness, and generalizability, offering a scalable and semantically enriched solution for cyber threat analysis and defense.
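The alignment and fusion step the abstract describes (mapping heterogeneous entity mentions onto canonical ATT&CK entries by vector similarity, then merging the resulting triples) can be illustrated with a small added example; this is not CTI-Thinker's code. It assumes a character-trigram bag as a stand-in for the paper's learned embeddings, a three-entry catalogue of real ATT&CK technique IDs, a constructed threshold, and constructed extracted triples for a made-up group "APT-X".

```python
import re
from collections import Counter
from math import sqrt

# Constructed catalogue: three real ATT&CK technique IDs/names used only as
# alignment targets. The paper's full catalogue is not reproduced here.
ATTACK_CATALOGUE = {
    "T1059.001": "Command and Scripting Interpreter: PowerShell",
    "T1566.001": "Phishing: Spearphishing Attachment",
    "T1071.001": "Application Layer Protocol: Web Protocols",
}
ALIGN_THRESHOLD = 0.25  # assumption: weaker matches are kept as unaligned mentions


def embed(text):
    """Character-trigram bag; a stand-in for the paper's learned embeddings."""
    cleaned = re.sub(r"[^a-z0-9 ]", "", text.lower())
    cleaned = re.sub(r"\s+", " ", cleaned).strip()
    return Counter(cleaned[i:i + 3] for i in range(len(cleaned) - 2))


def cosine(a, b):
    dot = sum(a[k] * b[k] for k in a.keys() & b.keys())
    norm = sqrt(sum(v * v for v in a.values())) * sqrt(sum(v * v for v in b.values()))
    return dot / norm if norm else 0.0


CATALOGUE_VECTORS = {tid: embed(name) for tid, name in ATTACK_CATALOGUE.items()}


def align(mention):
    """Best catalogue match as (technique_id, score); id is None below the threshold."""
    vec = embed(mention)
    score, tid = max((cosine(vec, cv), cid) for cid, cv in CATALOGUE_VECTORS.items())
    return (tid if score >= ALIGN_THRESHOLD else None, round(score, 3))


def fuse(triples):
    """Normalise object mentions to technique IDs and drop duplicate edges."""
    graph = set()
    for subj, rel, obj in triples:
        tid, _ = align(obj)
        graph.add((subj, rel, tid if tid else f"unaligned:{obj}"))
    return graph


# Constructed triples as an extractor might emit them from two differently worded reports.
RAW_TRIPLES = [
    ("APT-X", "uses", "PowerShell script execution"),
    ("APT-X", "uses", "Command and Scripting Interpreter: PowerShell"),
    ("APT-X", "uses", "spear-phishing email attachment"),
    ("APT-X", "uses", "HTTP C2 traffic"),  # too far from any catalogue name; stays unaligned
]

if __name__ == "__main__":
    for edge in sorted(fuse(RAW_TRIPLES)):
        print(edge)
```

The two PowerShell mentions collapse into one T1059.001 edge, while the HTTP mention is kept with an `unaligned:` prefix so a reviewer can see what the catalogue did not cover.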
Xiuzhang Yang
Ruijie Zhong
Yuling Chen
Cybersecurity
Wuhan University
Guizhou University
Guizhou Academy of Sciences
www.synapsesocial.com/papers/696c774feb60fb80d139592c — DOI: https://doi.org/10.1186/s42400-025-00505-y