基于预训练模型和中英文威胁情报的TTP识别方法研究

Research on TTP Extraction Method Based on Pre-Trained Language Model and Chinese-English Threat Intelligence

TTP情报主要存在于非结构化的威胁报告中,是一种具有重要价值的网络威胁情报。然而,目前开源的TTP分类标签数据集主要集中在英文领域,涵盖的语料来源与TTP种类较为有限,特别是缺乏中文领域的相关数据。针对该情况,文章构建了一个中英文TTP情报数据集BTICD,该数据集包含17700条样本数据与236种对应的TTP。BTICD首次利用了公开的中文威胁报告语料进行TTP标注,且标注了一部分无法映射到任何一种TTP的白样本数据。文章基于预训练模型构建,并在该双语数据集上微调得到双语TTP识别模型SecBiBERT。实验结果表明,SecBiBERT在50种常见TTP分类任务上的Micro F1分数达到86.49%,在全量236类TTP分类任务上Micro F1分数达到73.09%,识别性能表现良好。

The tactics,techniques,and procedures (TTP) intelligence primarily resides in unstructured threat reports and serves as a valuable source of cyber threat intelligence.However,the existing open-source TTP classification label datasets are predominantly focused on the English domain,with limited coverage of source materials and TTP types,particularly lacking relevant data in the Chinese domain.To address this issue,this paper constructed a bilingual TTP intelligence dataset,bilingual threat intelligence classifying dataset (BTICD),which included 17700 samples and 236 corresponding TTPs.BTICD was the first to utilize publicly available Chinese threat report as corpora for TTP annotation and also annotated a portion of white-box samples that cannot be mapped to any TTP.This paper introduced and fine-tuned pre-trained models on the bilingual dataset to obtain a bilingual TTP identification model SecBiBERT.Experimental results show that SecBiBERT achieves a Micro F1 score of 86.49% on the 50 common TTP classification tasks and a Micro F1 score of 73.09% on the full set of 236 TTP classification tasks,which outperforms existing similar models.