Zhaoli Liu,Kun Jiang,Zheng Liu,Tao Qin

DOI: https://doi.org/10.1109/ccdc62350.2024.10587887

2024-01-01

Abstract:With the rapid development of Internet, there are more and more cybersecurity reports which contain valuable knowledge about the security events, but these data are difficult to utilize due to their unstructured characteristics. Named Entity Recognition (NER) from these unstructured texts is a critical and fundamental task for data utilization. Recently deep neural network-based models have achieved high performance in NER, however these models heavily rely on large amounts of labeled data. Since the labeled data is scarce in most professional domains, such as cybersecurity, and structure of the entities is very complex. To address these issues, we propose a semi-supervised entity recognition method based on active learning and selflearning, which mainly consists of two phases: entity recognition model construction and intelligent new training sample selection. In the first phase, an entity recognition model that integrates the pre-trained language model ALBERT is proposed, we employ a word-by-word processing way to solve the problems caused by word segmentation errors and polysemous words. In the second phase, we employ the active learning and self-learning strategies to select the most valuable data from unlabeled dataset, and then insert these data into the labeled dataset for iterative training, thus improving the performance of the NER model. To evaluate the performance of the proposed method, we collect data from several famous platforms, including CNNVD, FreeBuf Security Forum and SangFor Security Response Center, and the experimental results show that the proposed method not only improves the accuracy of entity recognition, but also effectively alleviates the problem caused by the scarcity of labeled data.

Houssem Gasmi,Jannik Laval,Abdelaziz Bouras

2024-08-30

Abstract:The automated and timely conversion of cybersecurity information from unstructured online sources, such as blogs and articles to more formal representations has become a necessity for many applications in the domain nowadays. Named Entity Recognition (NER) is one of the early phases towards this goal. It involves the detection of the relevant domain entities, such as product, version, attack name, etc. in technical documents. Although generally considered a simple task in the information extraction field, it is quite challenging in some domains like cybersecurity because of the complex structure of its entities. The state of the art methods require time-consuming and labor intensive feature engineering that describes the properties of the entities, their context, domain knowledge, and linguistic characteristics. The model demonstrated in this paper is domain independent and does not rely on any features specific to the entities in the cybersecurity domain, hence does not require expert knowledge to perform feature engineering. The method used relies on a type of recurrent neural networks called Long Short-Term Memory (LSTM) and the Conditional Random Fields (CRFs) method. The results we obtained showed that this method outperforms the state of the art methods given an annotated corpus of a decent size.

Information Retrieval,Artificial Intelligence,Cryptography and Security,Machine Learning

Bo Xie,Guowei Shen,Chun Guo,Yunhe Cui

DOI: https://doi.org/10.1155/2021/6629591

2021-04-21

Wireless Communications and Mobile Computing

Abstract:In data-driven big data security analysis, knowledge graph-based multisource heterogeneous threat data organization, association mining, and inference analysis attach increasinginterest in the field of cybersecurity. Although the construction of knowledge graph based on deep learning has achieved great success, the construction of a largescale, high-quality, and domain-specific knowledge graph needs a manual annotation of large corpora, which means it is very difficult. To tackle this problem, we present a straightforward active learning strategy for cybersecurity entity recognition utilizing deep learning technology. BERT pre-trained model and residual dilation convolutional neural networks (RDCNN) are introduced to learn entity context features, and the conditional random field (CRF) layer is employed as a tag decoder. Then, taking advantages of the output results and distribution of cybersecurity entities, we propose an active learning strategy named TPCL that considers the uncertainty, confidence, and diversity. We evaluated TPCL on the general domain datasets and cybersecurity datasets, respectively. The experimental results show that TPCL performs better than the traditional strategies in terms of accuracy and F1. Moreover, compared with the general field, it has better performance in the cybersecurity field and is more suitable for the Chinese entity recognition task in this field.

computer science, information systems,telecommunications,engineering, electrical & electronic

Tao Li,Yuanbo Guo,Ankang Ju

DOI: https://doi.org/10.1109/cis.2019.00039

2019-01-01

Abstract:With cybersecurity situation more and more complex, data-driven security has become indispensable. Numerous cybersecurity data exists in textual sources and data analysis is difficult for both security analyst and the machine. To convert the textual information into structured data for further automatic analysis, we extract cybersecurity-related entities and propose a self-attention-based neural network model for the named entity recognition in cybersecurity. Considering the single word feature not enough for identifying the entity, we introduce CNN to extract character feature which is then concatenated into the word feature. Then we add the self-attention mechanism based on the existing BiLSTM-CRF model. Finally, we evaluate the proposed model on the labelled dataset and obtain a better performance than the previous entity extraction model.

Jiuniu Wang,Wenjia Xu,Xingyu Fu,Guangluan Xu,Yirong Wu

DOI: https://doi.org/10.1016/j.knosys.2020.105842

2020-09-02

Abstract:Named Entity Recognition (NER) is a challenging task that extracts named entities from unstructured text data, including news, articles, social comments, etc. The NER system has been studied for decades. Recently, the development of Deep Neural Networks and the progress of pre-trained word embedding have become a driving force for NER. Under such circumstances, how to make full use of the information extracted by word embedding requires more in-depth research. In this paper, we propose an Adversarial Trained LSTM-CNN (ASTRAL) system to improve the current NER method from both the model structure and the training process. In order to make use of the spatial information between adjacent words, Gated-CNN is introduced to fuse the information of adjacent words. Besides, a specific Adversarial training method is proposed to deal with the overfitting problem in NER. We add perturbation to variables in the network during the training process, making the variables more diverse, improving the generalization and robustness of the model. Our model is evaluated on three benchmarks, CoNLL-03, OntoNotes 5.0, and WNUT-17, achieving state-of-the-art results. Ablation study and case study also show that our system can converge faster and is less prone to overfitting.

Computation and Language,Machine Learning

Xiaodi Wang,Jiayong Liu

DOI: https://doi.org/10.1016/j.knosys.2022.110114

IF: 8.139

2022-01-01

Knowledge-Based Systems

Abstract:Owing to continuous cyberattacks, a large amount of threat intelligence is generated online every day. However, threat intelligence is mostly unstructured and multisource heterogeneous text. It is difficult for security analysts to understand the implicit threat in time. Knowledge Graph (KG) is an important research topic in recent years, which can perform automated and real-time analysis of threat intelligence in cybersecurity. As one of the critical technologies of KG, named entity recognition (NER) can identify cyberattack-related entities. It has been proved that long-distance structured information captured by dependency trees provides a rich semantic expression for the neural network. However, existing research works are more focused on the simple linear stack of neural networks when utilizing structured features. The interaction between different types of neural networks is vague. In addition, the existing models are insensitive to the boundaries of complex entity terms in cybersecurity. In this study, we propose a new f eature i ntegration and e ntity b oundary d etection (FIEBD) model. In our model, a new pretrained language model, PERT, is applied to obtain word embedding of cyber texts. Moreover, a novel neural network cell, namely GARU, is developed to incorporate different types of features extracted from graph neural networks and recurrent neural networks. It combines the graph encoder with the gate mechanism, aiming to obtain better hidden representation by explicit interaction. Furthermore, considering a large number of complex entities in cybersecurity, we contribute an entity boundary detection module to perform entity head and tail prediction as an augmentation task. We conduct extensive experiments on cybersecurity datasets. The results demonstrate that the proposed model achieves better performance than existing baseline methods.

Chenxi Hu,Tao Wu,Chunsheng Liu,Chao Chang

DOI: https://doi.org/10.1186/s42400-024-00206-y

2024-01-01

Abstract:Named Entity Recognition (NER) in cybersecurity is crucial for mining information during cybersecurity incidents. Current methods rely on pre-trained models for rich semantic text embeddings, but the challenge of anisotropy may affect subsequent encoding quality. Additionally, existing models may struggle with noise detection. To address these issues, we propose JCLB, a novel model that Joins Contrastive Learning and Belief rule base for NER in cybersecurity. JCLB utilizes contrastive learning to enhance similarity in the vector space between token sequence representations of entities in the same category. A Belief Rule Base (BRB) is developed using regexes to ensure accurate entity identification, particularly for fixed-format phrases lacking semantics. Moreover, a Distributed Constraint Covariance Matrix Adaptation Evolution Strategy (D-CMA-ES) algorithm is introduced for BRB parameter optimization. Experimental results demonstrate that JCLB, with the D-CMA-ES algorithm, significantly improves NER accuracy in cybersecurity.

Han Zhang,Yuanbo Guo,Tao Li

DOI: https://doi.org/10.1155/2019/6417407

IF: 1.968

2019-01-01

Security and Communication Networks

Abstract:In order to obtain high quality and large-scale labelled data for information security research, we propose a new approach that combines a generative adversarial network with the BiLSTM-Attention-CRF model to obtain labelled data from crowd annotations. We use the generative adversarial network to find common features in crowd annotations and then consider them in conjunction with the domain dictionary feature and sentence dependency feature as additional features to be introduced into the BiLSTM-Attention-CRF model, which is then used to carry out named entity recognition in crowdsourcing. Finally, we create a dataset to evaluate our models using information security data. The experimental results show that our model has better performance than the other baseline models.

Chen Gao,Xuan Zhang,Hui Liu

DOI: https://doi.org/10.1186/s42400-021-00072-y

2021-05-03

Abstract:Abstract Named Entity Recognition (NER) for cyber security aims to identify and classify cyber security terms from a large number of heterogeneous multisource cyber security texts. In the field of machine learning, deep neural networks automatically learn text features from a large number of datasets, but this data-driven method usually lacks the ability to deal with rare entities. Gasmi et al. proposed a deep learning method for named entity recognition in the field of cyber security, and achieved good results, reaching an F1 value of 82.8%. But it is difficult to accurately identify rare entities and complex words in the text.To cope with this challenge, this paper proposes a new model that combines data-driven deep learning methods with knowledge-driven dictionary methods to build dictionary features to assist in rare entity recognition. In addition, based on the data-driven deep learning model, an attention mechanism is adopted to enrich the local features of the text, better models the context, and improves the recognition effect of complex entities. Experimental results show that our method is better than the baseline model. Our model is more effective in identifying cyber security entities. The Precision, Recall and F1 value reached 90.19%, 86.60% and 88.36% respectively.

computer science, information systems, interdisciplinary applications, software engineering

Ke Zhang,Yunpeng Wang,Ou Li,Sirui Hao,Junjiang He,Xiaolong Lan,Jinneng Yang,Yang Ye

DOI: https://doi.org/10.1371/journal.pone.0315479

IF: 3.7

2024-12-18

PLoS ONE

Abstract:The task of named entity recognition (NER) plays a crucial role in extracting cybersecurity-related information. Existing approaches for cybersecurity entity extraction predominantly rely on manual labelling data, resulting in labour-intensive processes due to the lack of a cybersecurity-specific corpus. In this paper, we propose an improved self-training-based distant label denoising method for cybersecurity entity extraction. Firstly, we create two domain dictionaries of cybersecurity. Then, an algorithm that combines reverse maximum matching and part-of-speech tagging restrictions is proposed, for generating distant labels for the cybersecurity domain corpus. Lastly, we propose a high-confidence text selection method and an improved self-training algorithm that incorporates a teacher-student model and weight update constraints, for exploring the true labels of low-confidence text using a model trained on high-confidence text, thereby reducing the noise in the distant annotation data. Experimental results demonstrate that the cybersecurity distantly-labelled data we obtained is of high quality. Additionally, the proposed constrained self-training algorithm effectively improves the F1 score of several state-of-the-art NER models on this dataset, yielding a 3.5% improvement for the Vendor class and a 3.35% improvement for the Product class.

multidisciplinary sciences

Pritam Deka,Sampath Rajapaksha,Ruby Rani,Amirah Almutairi,Erisa Karafili

2024-08-10

Abstract:Cyber-attack attribution is an important process that allows experts to put in place attacker-oriented countermeasures and legal actions. The analysts mainly perform attribution manually, given the complex nature of this task. AI and, more specifically, Natural Language Processing (NLP) techniques can be leveraged to support cybersecurity analysts during the attribution process. However powerful these techniques are, they need to deal with the lack of datasets in the attack attribution domain. In this work, we will fill this gap and will provide, to the best of our knowledge, the first dataset on cyber-attack attribution. We designed our dataset with the primary goal of extracting attack attribution information from cybersecurity texts, utilizing named entity recognition (NER) methodologies from the field of NLP. Unlike other cybersecurity NER datasets, ours offers a rich set of annotations with contextual details, including some that span phrases and sentences. We conducted extensive experiments and applied NLP techniques to demonstrate the dataset's effectiveness for attack attribution. These experiments highlight the potential of Large Language Models (LLMs) capabilities to improve the NER tasks in cybersecurity datasets for cyber-attack attribution.

Cryptography and Security,Artificial Intelligence

Changmeng Zheng,Zhiwei Wu,Tao Wang,Yi Cai,Qing Li

DOI: https://doi.org/10.1109/tmm.2020.3013398

IF: 7.3

2021-01-01

IEEE Transactions on Multimedia

Abstract:Named Entity Recognition (NER) in social media posts is challenging since texts are usually short and contexts are lacking. Most recent works show that visual information can boost the NER performance since images can provide complementary contextual information for texts. However, the image-level features ignore the mapping relations between fine-grained visual objects and textual entities, which results in error detection in entities with different types. To better exploit visual and textual information in NER, we propose an adversarial gated bilinear attention neural network (AGBAN). The model jointly extracts entity-related features from both visual objects and texts, and leverages an adversarial training to map two different representations into a shared representation. As a result, domain information contained in an image can be transferred and applied for extracting named entities in the text associated with the image. Experimental results on Tweets dataset demonstrate that our model outperforms the state-of-the-art methods. Moreover, we systematically evaluate the effectiveness of the proposed gated bilinear attention network in capturing the interactions of mutimodal features visual objects and textual words. Our results indicate that the adversarial training can effectively exploit commonalities across heterogeneous data sources, which leads to improved performance in NER when compared to models purely exploiting text data or combining the image-level visual features.

computer science, information systems,telecommunications, software engineering

Gang Yu,Yiwen Yang,Xuying Wang,Huachun Zhen,Guoping He,Zheming Li,Yonggen Zhao,Qiang Shu,Liqi Shu

DOI: https://doi.org/10.1016/j.jbi.2020.103481

IF: 8

2020-01-01

Journal of Biomedical Informatics

Abstract:Objective: Named entity recognition (NER) is a principal task in the biomedical field and deep learning-based algorithms have been widely applied to biomedical NER. However, all of these methods that are applied to biomedical corpora use only annotated samples to maximize their performances. Thus, (1) large numbers of unannotated samples are relinquished and their values are overlooked. (2) Compared with other types of active learning (AL) algorithms, generative adversarial learning (GAN)-based AL methods have developed slowly. Furthermore, current diversity-based AL methods only compute similarities between a pair of sentences and cannot evaluate distribution similarities between groups of sentences. Annotation inconsistency is one of the significant challenges in the biomedical annotation field. Most existing methods for addressing this challenge are statistics-based or rule-based methods. (3) They require sufficient expert knowledge and complex designs. To address challenges (1), (2), and (3) simultaneously, we propose innovative algorithms. Methods: GAN is introduced in this paper, and we propose the GAN-bidirectional long short-term memoryconditional random field (GAN-BiLSTM-CRF) and the GAN-bidirectional encoder representations from transformers-conditional random field (GAN-BERT-CRF) models, which can be considered an NER model, an AL model, and a model identifying error labels. BiLSTM-CRF or BERT-CRF is defined as the generator and a convolutional neural network (CNN)-based network is considered the discriminator. (1) The generator employs unannotated samples in addition to annotated samples to maximize NER performance. (2) The outputs of the CRF layer and the discriminator are used to select unlabeled samples for the AL task. (3) The discriminator discriminates the distribution of error labels from that of correct labels, identify error labels, and address the annotation inconsistency challenge. Results: The corpus from the 2010 i2b2/VA NLP challenge and the Chinese CCKS-2017 Task 2 dataset are adopted for experiments. Compared to the baseline BiLSTM-CRF and BERT-CRF, the GAN-BiLSTM-CRF and GAN-BERT-CRF models achieved significant improvements on the precision, recall, and Fl scores in terms of NER performance. Learning curves in AL experiments show the comparative results of the proposed models. Furthermore, the trained discriminator can identify samples with incorrect medical labels in both simulation and real-word experimental environments. Conclusion: The idea of introducing GAN contributes significant results in terms of NER, active learning, and the ability to identify incorrect annotated samples. The benefits of GAN will be further studied.

Yiqi Su,Yuxin Ding

DOI: https://doi.org/10.1109/iaecst60924.2023.10503315

2023-01-01

Abstract:To meet the demand for improving the construction and analysis efficiency of knowledge graphs in the field of cybersecurity, this paper introduces an innovative system—SECURENET. SECURENET successfully addresses the issue of a lack of annotated text datasets in the field of cybersecurity and effectively tackles the challenges of flat, overlapping, and discontinuous entity recognition in cybersecurity texts. The SECURENET system consists of three core modules: First, the Multifeature Security Averaged Perceptron (MSAP) module combines two types of multi-feature perceptron technologies to deeply analyze and understand complex features in cybersecurity texts, such as semantic and structural properties, and perform corresponding label annotations. Secondly, the entity extraction module uses the annotated dataset to train the Named Entity Recognition (NER) model. We employ the SecBERT pre-trained model combined with the W2NER framework, a unified NER neural network framework. Furthermore, SECURENET introduces an innovative Multi-Level Adversarial Training (MLAT) strategy to enhance the accuracy and robustness in the entity extraction process. Finally, the relationship extraction module defines a security ontology to extract relationships between entities, thereby forming the VulKG knowledge graph. In experiments, each module of the SECURENET system demonstrated excellent performance.

Peng Wang,Jingju Liu

DOI: https://doi.org/10.1145/3633637.3633677

2024-01-01

Abstract:With the development of Internet, cybersecurity attracts people's attention. In order to better protect cybersecurity, we can comprehensively analyze the security events based on cyber threat intelligence. We aim to identify correlations between security events to proactively address potential threats. However, there are still many challenges when people use cyber threat intelligence. Cyber threat intelligence mainly exists in unstructured form. It is necessary to extract the important elements from it. We design a cyber threat entity recognition method to help the analysis of cyber threat intelligence. The formation of accurate and robust feature representation is the key to realize the task of cyber threat entity recognition, but the feature representation of text is susceptible to noise interference. In order to form an accurate representation of the text, we design a robust feature representation method which extracts features based on multiple perspectives and adopts a mutual learning mechanism to promote feature interaction. It adopts iterative fusion to form the final feature representation. And we use an adversarial training framework that can learn attack strategies to alleviate the problem of noise interference. We conduct relevant experiments on the cyber threat intelligence dataset DNRTI. The experimental results show that our method can be used in cyber threat intelligence analysis.

Buqing Cai,Shengwei Tian,Long Yu,Jun Long,Tiejun Zhou,Bo Wang

DOI: https://doi.org/10.3233/jifs-232385

2023-12-28

Journal of Intelligent & Fuzzy Systems

Abstract:With the rapid growth of Internet penetration, identifying emergency information from network news has become increasingly significant for emergency monitoring and early warning. Although deep learning models have been commonly used in Chinese Named Entity Recognition (NER), they require a significant amount of well-labeled training data, which is difficult to obtain for emergencies. In this paper, we propose an NER model that combines bidirectional encoder representations from Transformers (BERT), bidirectional long-short-term memory (BILSTM), and conditional random field (CRF) based on adversarial training (ATBBC) to address this issue. Firstly, we constructed an emergency dataset (ED) based on the classification and coding specifications of the national emergency platform system. Secondly, we utilized the BERT pre-training model with adversarial training to extract text features. Finally, BILSTM and CRF were used to predict the probability distribution of entity labels and decode the probability distribution into corresponding entity labels.Experiments on the ED show that our model achieves an F1-score of 85.39% on the test dataset, which proves the effectiveness of our model.

Peipei Liu,Hong Li,Zuoguang Wang,Jie Liu,Yimo Ren,Hongsong Zhu

DOI: https://doi.org/10.48550/arXiv.2207.00232

2022-07-01

Cryptography and Security

Abstract:Extracting cybersecurity entities such as attackers and vulnerabilities from unstructured network texts is an important part of security analysis. However, the sparsity of intelligence data resulted from the higher frequency variations and the randomness of cybersecurity entity names makes it difficult for current methods to perform well in extracting security-related concepts and entities. To this end, we propose a semantic augmentation method which incorporates different linguistic features to enrich the representation of input tokens to detect and classify the cybersecurity names over unstructured text. In particular, we encode and aggregate the constituent feature, morphological feature and part of speech feature for each input token to improve the robustness of the method. More than that, a token gets augmented semantic information from its most similar K words in cybersecurity domain corpus where an attentive module is leveraged to weigh differences of the words, and from contextual clues based on a large-scale general field corpus. We have conducted experiments on the cybersecurity datasets DNRTI and MalwareTextDB, and the results demonstrate the effectiveness of the proposed method.

Junkai Yi,Yuan Liu,Zhongbai Jiang,Zhen Liu

DOI: https://doi.org/10.3390/electronics13214330

IF: 2.9

2024-11-05

Electronics

Abstract:Research on named entity recognition (NER) and command-line generation for network security evaluation tools is relatively scarce, and no mature models for recognition or generation have been developed thus far. Therefore, in this study, the aim is to build a specialized corpus for network security evaluation tools by combining knowledge graphs and information entropy for automatic entity annotation. Additionally, a novel NER approach based on the KG-BERT-BiLSTM-CRF model is proposed. Compared to the traditional BERT-BiLSTM model, the KG-BERT-BiLSTM-CRF model demonstrates superior performance when applied to the specialized corpus of network security evaluation tools. The graph attention network (GAT) component effectively extracts relevant sequential content from datasets in the network security evaluation domain. The fusion layer then concatenates the feature sequences from the GAT and BiLSTM layers, enhancing the training process. Upon successful NER execution, in this study, the identified entities are mapped to pre-established command-line data for network security evaluation tools, achieving automatic conversion from textual content to evaluation commands. This process not only improves the efficiency and accuracy of command generation but also provides practical value for the development and optimization of network security evaluation tools. This approach enables the more precise automatic generation of evaluation commands tailored to specific security threats, thereby enhancing the timeliness and effectiveness of cybersecurity defenses.

engineering, electrical & electronic,computer science, information systems,physics, applied

Xiu Tang,Sai Wu,Gang Chen,Ke Chen,Lidan Shou

DOI: https://doi.org/10.1007/978-3-030-73197-7_36

2021-01-01

Abstract:Training data labelling is financially expensive in domain-specific learning applications, which heavily relies on the intelligence from domain experts. Thus, with budget constraint, it is important to judiciously select high-quality training data for labelling in order to prevent over-fitting. In this paper, we propose a learning-to-label (L2L) framework leveraging active learning and reinforcement learning to iteratively select data to label for Name Entity Recognition (NER) task. Experimental results show that our approach is more effective than strong previous methods using heuristics and reinforcement learning. With the same number of labeled data, our approach improves the accuracy of NER by 11.91%. Our approach is superior to state-of-the-art learning-to-label method, with an improvement of accuracy by 6.49%.

Somnath Banerjee,Avik Dutta,Aaditya Agrawal,Rima Hazra,Animesh Mukherjee

2024-06-20

Abstract:With the AI revolution in place, the trend for building automated systems to support professionals in different domains such as the open source software systems, healthcare systems, banking systems, transportation systems and many others have become increasingly prominent. A crucial requirement in the automation of support tools for such systems is the early identification of named entities, which serves as a foundation for developing specialized functionalities. However, due to the specific nature of each domain, different technical terminologies and specialized languages, expert annotation of available data becomes expensive and challenging. In light of these challenges, this paper proposes a novel named entity recognition (NER) technique specifically tailored for the open-source software systems. Our approach aims to address the scarcity of annotated software data by employing a comprehensive two-step distantly supervised annotation process. This process strategically leverages language heuristics, unique lookup tables, external knowledge sources, and an active learning approach. By harnessing these powerful techniques, we not only enhance model performance but also effectively mitigate the limitations associated with cost and the scarcity of expert annotators. It is noteworthy that our model significantly outperforms the state-of-the-art LLMs by a substantial margin. We also show the effectiveness of NER in the downstream task of relation extraction.

Computation and Language