ABSTRACT

With the increasing complexity and stealthiness of cyber‐attacks, conventional threat intelligence analysis methods face challenges such as low processing efficiency, limited semantic comprehension, and difficulties in adapting to dynamic, multi‐source, and heterogeneous data. To enhance threat intelligence awareness, this study introduces an automated method for constructing a threat intelligence knowledge graph using large language models, named ACTIC. This approach utilises a locally deployed DeepSeek‐32B model, combined with prompt engineering and Low‐Rank Adaptation (LoRA) fine‐tuning, to extract entities, relationships, and attack steps from unstructured threat intelligence reports. The process produces a dual‐layer knowledge graph, comprising a Threat Intelligence Knowledge Graph and an Attack Knowledge Graph. Additionally, ACTIC incorporates the ATT&CK framework for classifying tactics, techniques, and procedures (TTPs), while enabling threat search and protective recommendation generation based on the knowledge graph. Experimental results demonstrate that ACTIC improves F1‐scores by 10.4% and 10.6% for entity recognition and relation extraction, and by 13.3% and 10.9% for TTP classification, respectively, significantly outperforming the baseline model. The findings demonstrate the applicability of large language models in local cybersecurity environments and provide an effective approach for developing proactive, intelligent threat detection and response systems.
Liu et al. (Thu,) studied this question.