Abstract

Structured cyber threat intelligence enables security researchers to learn of cyber threats in a timely manner, thereby improving the efficiency of security defense and analysis. Previous works usually use general deep learning and NLP techniques to extract intelligence. Such methods suffer from insufficient semantic understanding in the field of security. To address this issue, we propose a novel method called Knowledge-based Cyber Threat Intelligence Entity and Relation Extraction (KnowCTI), which incorporates cybersecurity knowledge into the model to enhance its understanding of the cybersecurity domain and provides a full picture of threats through threat intelligence graph generation. Specifically, we first build a cybersecurity knowledge base and train cybersecurity-aware knowledge embeddings on it. Second, we refine the most related knowledge triples with an attention mechanism and a gate mechanism, and then construct a sentence tree from these triples. Next, we employ graph attention networks to incorporate knowledge information into the sentence by treating the sentence tree as a graph. Finally, we treat entity extraction as a sequence labeling problem and relation extraction as a classification problem, decoding the entities and relation triples according to the threat intelligence ontology we designed. Experimental results demonstrate superior performance, with F1 scores exceeding 90.16 and 81.83 on entity and relation extraction, respectively.
