Robert A. Bridges,Corinne L. Jones,Michael D. Iannacone,Kelly M. Testa,John R. Goodall

DOI: https://doi.org/10.48550/arXiv.1308.4941

2013-08-22

Information Retrieval

Abstract:Timely analysis of cyber-security information necessitates automated information extraction from unstructured text. While state-of-the-art extraction methods produce extremely accurate results, they require ample training data, which is generally unavailable for specialized applications, such as detecting security related entities; moreover, manual annotation of corpora is very costly and often not a viable solution. In response, we develop a very precise method to automatically label text from several data sources by leveraging related, domain-specific, structured data and provide public access to a corpus annotated with cyber-security entities. Next, we implement a Maximum Entropy Model trained with the average perceptron on a portion of our corpus ($\sim$750,000 words) and achieve near perfect precision, recall, and accuracy, with training times under 17 seconds.

Robert A. Bridges,Kelly M.T. Huffer,Corinne L. Jones,Michael D. Iannacone,John R. Goodall

DOI: https://doi.org/10.1109/icmla.2017.0-122

2017-12-01

Abstract:We address a crucial element of applied information extraction-accurate identification of basic security entities in text-by evaluating previous methods and presenting new labelers. Our survey reveals that the previous efforts have not been tested on documents similar to the targeted sources (news articles, blogs, tweets, etc.) and that no sufficiently large publicly available annotated corpus of these documents exists. By assembling a representative test corpus, we perform a quantitative evaluation of previous methods in a realistic setting, revealing an overall lack of recall, and giving insight to the models' beneficial and inhibiting elements. In particular, our results show that many previous efforts overfit to the non-representative test corpora in this domain. Informed by this evaluation, we present three novel cyber entity extractors, which seek to leverage the available labeled data but remain worthwhile on the more diverse documents encountered in the wild. Each new model increases the state of the art in recall, with maximal or near maximal F1 score. Our results establish that the state of the art in cyber entity tagging is characterized by $\mathbf{F1 =0.61}$.

Chengsen Ru,Shasha Li,Jintao Tang,Yi Gao,Ting Wang

DOI: https://doi.org/10.1109/dsc.2017.91

2017-01-01

Abstract:Relation extraction is very useful for many applications and has attracted much attention. The dominant prior methods for relation extraction were supervised methods which are relation-specific and limited by the availability of annotated training data. In this paper, we propose a method using hierarchical clustering to extract unbounded relations without relying on training data. The relation among entities in a sentence depends on the terms associated with the entities. Terms on the expandPath capture the relations between the entities. Given a relation, though an expandPath may have more than one dependency phrase, only the core dependency phrase describes the specific relation between the subject and the object. Our method uses heuristic rules to select the core dependency phrases and clusters entity pairs according to the similarity of the core dependency phrases in order to avoid irrelevant information and capture the semantics of the relation between entities more precisely. At last, our method automatically labels the relation clusters on basis of the semantics of core dependency phrases. The experimental results show that our method can cluster entity pairs which have the same relations more accurately and generate appropriate labels for the relations.

Aditya Pingle,Aritran Piplai,Sudip Mittal,Anupam Joshi,James Holt,Richard Zak

DOI: https://doi.org/10.48550/arXiv.1905.02497

2019-05-07

Computation and Language

Abstract:Security Analysts that work in a `Security Operations Center' (SoC) play a major role in ensuring the security of the organization. The amount of background knowledge they have about the evolving and new attacks makes a significant difference in their ability to detect attacks. Open source threat intelligence sources, like text descriptions about cyber-attacks, can be stored in a structured fashion in a cybersecurity knowledge graph. A cybersecurity knowledge graph can be paramount in aiding a security analyst to detect cyber threats because it stores a vast range of cyber threat information in the form of semantic triples which can be queried. A semantic triple contains two cybersecurity entities with a relationship between them. In this work, we propose a system to create semantic triples over cybersecurity text, using deep learning approaches to extract possible relationships. We use the set of semantic triples generated through our system to assert in a cybersecurity knowledge graph. Security Analysts can retrieve this data from the knowledge graph, and use this information to form a decision about a cyber-attack.

Maxime Würsch,Andrei Kucharavy,Dimitri Percia David,Alain Mermoud

DOI: https://doi.org/10.48550/arXiv.2312.07110

2023-12-12

Computation and Language

Abstract:The cybersecurity landscape evolves rapidly and poses threats to organizations. To enhance resilience, one needs to track the latest developments and trends in the domain. It has been demonstrated that standard bibliometrics approaches show their limits in such a fast-evolving domain. For this purpose, we use large language models (LLMs) to extract relevant knowledge entities from cybersecurity-related texts. We use a subset of arXiv preprints on cybersecurity as our data and compare different LLMs in terms of entity recognition (ER) and relevance. The results suggest that LLMs do not produce good knowledge entities that reflect the cybersecurity context, but our results show some potential for noun extractors. For this reason, we developed a noun extractor boosted with some statistical analysis to extract specific and relevant compound nouns from the domain. Later, we tested our model to identify trends in the LLM domain. We observe some limitations, but it offers promising results to monitor the evolution of emergent trends.

Fei Wang,Zhaoyun Ding,Kai Liu,Lehai Xin,Yu Zhao,Yun Zhou

DOI: https://doi.org/10.3390/electronics13122379

IF: 2.9

2024-06-19

Electronics

Abstract:In the domain of cybersecurity, available annotated data are often scarce, especially for Chinese cybersecurity datasets, often necessitating the manual construction of datasets. The scarcity of samples is one of the challenges in researching cybersecurity, especially for the "no-relation" class. Since the annotation process typically focuses only on known relation classes, there are usually no training samples for the "no-relation" class. This poses a zero-shot classification problem, where during the classification process, there is a tendency to classify into a class with a relationship. Zero-shot classification tasks are particularly challenging in this context. Moreover, most relation classification models currently need to traverse all relations to calculate the class with the highest probability. Therefore, the problem of "computational redundancy" is another challenge faced. Thus, how to accurately and efficiently acquire cyberspace knowledge from heterogeneous data sources and address the challenges such as sample scarcity, zero-shot recognition, and computational redundancy is the main focus of this chapter. To address these problems, this chapter designs a multi-relation extraction model based on ontology rule-enhanced prompt learning, which is a parameter-sharing-based multi-task model. By introducing prompt learning, which has shown significant effectiveness in the few-shot domain, this chapter designs prompt templates combining discrete and continuous tokens and uses rule injection in prompt learning to solve the difficulties in zero-shot recognition of "no-relation" and computational redundancy issues, achieving efficient and accurate multi-relation extraction. Specifically, by constructing sub-prompts to achieve an efficient combination of templates, a parameter-sharing structure is used to implement knowledge extraction step by step: The first step constructs entity prompt templates combining discrete and continuous tokens, identifying the classes of two entities based on prompt learning. The second step involves rule injection, identifying whether it belongs to the "no-relation" class based on the combination of sub-prompts; if there is no connection between the classes of two entities, it is classified as "no relation"; if a connection exists, the candidate relation set is filtered out. The third step uses the pre-trained model and vectors from the first step, utilizing prompt learning and rule judgment to determine the relation class from the candidate relation set. Finally, the effectiveness of our model is validated on the general datasets TACRED, ReTACRED, and the cybersecurity dataset constructed in this paper.

engineering, electrical & electronic,computer science, information systems,physics, applied

Casey Hanks,Michael Maiden,Priyanka Ranade,Tim Finin,Anupam Joshi

DOI: https://doi.org/10.48550/arXiv.2208.01693

2022-08-02

Computation and Language

Abstract:Cyber Threat Intelligence (CTI) is information describing threat vectors, vulnerabilities, and attacks and is often used as training data for AI-based cyber defense systems such as Cybersecurity Knowledge Graphs (CKG). There is a strong need to develop community-accessible datasets to train existing AI-based cybersecurity pipelines to efficiently and accurately extract meaningful insights from CTI. We have created an initial unstructured CTI corpus from a variety of open sources that we are using to train and test cybersecurity entity models using the spaCy framework and exploring self-learning methods to automatically recognize cybersecurity entities. We also describe methods to apply cybersecurity domain entity linking with existing world knowledge from Wikidata. Our future work will survey and test spaCy NLP tools and create methods for continuous integration of new information extracted from text.

Gaosheng Wang,Peipei Liu,Jintao Huang,Haoyu Bin,Xi Wang,Hongsong Zhu

DOI: https://doi.org/10.1016/j.cose.2024.103824

IF: 5.105

2024-03-01

Computers & Security

Abstract:Structured cyber threat intelligence enables security researchers to know the occurrence of cyber threats in time, thereby improving the efficiency of security defense and analysis. Previous works usually use general deep learning and NLP techniques to extract intelligence. Such methods suffer from insufficient semantic understanding in the field of security. To address these issues, we propose a novel method called Knowledge-based Cyber Threat Intelligence Entity and Relation Extraction (KnowCTI), which incorporates cybersecurity knowledge into the model to enhance the understanding of the realm of cybersecurity and has a full picture of threats with the threat intelligence graph generation. Specifically, we first build a cybersecurity knowledge base and train cybersecurity-aware knowledge embeddings based on the base. Secondly, we refine the most related knowledge triples by attention mechanism and gate mechanism, and then construct a sentence tree through these triples. Next, we employ graph attention networks to incorporate knowledge information into the sentence by considering the sentence tree as a graph. Finally, we consider entity extraction as a sequence labeling problem and relation extraction as a classification problem to decode the entities and relation triples according to the threat intelligence ontology we designed. Experimental results demonstrate the superior performance with the F1 score exceeding 90.16 and 81.83 on entity and relation extraction separately.

computer science, information systems

Yutong Cheng,Osama Bajaber,Saimon Amanuel Tsegai,Dawn Song,Peng Gao

2024-10-28

Abstract:Textual descriptions in cyber threat intelligence (CTI) reports, such as security articles and news, are rich sources of knowledge about cyber threats, crucial for organizations to stay informed about the rapidly evolving threat landscape. However, current CTI extraction methods lack flexibility and generalizability, often resulting in inaccurate and incomplete knowledge extraction. Syntax parsing relies on fixed rules and dictionaries, while model fine-tuning requires large annotated datasets, making both paradigms challenging to adapt to new threats and ontologies. To bridge the gap, we propose CTINexus, a novel framework leveraging optimized in-context learning (ICL) of large language models (LLMs) for data-efficient CTI knowledge extraction and high-quality cybersecurity knowledge graph (CSKG) construction. Unlike existing methods, CTINexus requires neither extensive data nor parameter tuning and can adapt to various ontologies with minimal annotated examples. This is achieved through (1) a carefully designed automatic prompt construction strategy with optimal demonstration retrieval for extracting a wide range of cybersecurity entities and relations; (2) a hierarchical entity alignment technique that canonicalizes the extracted knowledge and removes redundancy; (3) an ICL-enhanced long-distance relation prediction technique to further complete the CKSG with missing links. Our extensive evaluations using 150 real-world CTI reports collected from 10 platforms demonstrate that CTINexus significantly outperforms existing methods in constructing accurate and complete CSKGs, highlighting its potential to transform CTI analysis with an efficient and adaptable solution for the dynamic threat landscape.

Cryptography and Security,Artificial Intelligence,Machine Learning

Mingchen Zhang,Jiaan Wang,Jianfeng Qu,Zhixu Li,An Liu,Lei Zhao,Zhigang Chen,Xiaofang Zhou

DOI: https://doi.org/10.1109/ICDE60146.2024.00082

2024-01-01

Abstract:Extracting entities and relations from text is a significant task of information extraction. Existing extraction models often straightforwardly produce their confident prediction results without any reconsideration or double-checking, resulting in avoidable mistakes and sub-optimal performance. In this paper, we propose a novel coarse-to-fine extraction framework, which first extracts high-potential relations as well as entities via knowledge distillation, and then rechecks the predictions via handcrafted natural language inference (NLI) task in a fine-grained manner. Specifically, based on the knowledge distillation mechanism, we train multiple teacher models iteratively through an adaptive loss function for making one teacher concentrate more on the data that others are incompetent for. Then, these complementary teacher models are utilized to provide valuable soft-label information for training a considerate student model, enabling it to generate reliable preliminary predictions. Further, these generated potential relations and entities are formulated as hypotheses, together with the original sentences as premises, serving as the input for an NLI model. Considering the linguistic diversity of relational expression, we automatically generate various semantic templates for hypotheses through an <tex xmlns:mml="http://www.w3.org/1998/Math/MathML" xmlns:xlink="http://www.w3.org/1999/xlink">$\mathcal{N}$</tex> -gram mining strategy. Moreover, due to the existence of multi-fact sentences, a relation-guided Gaussian attention is designed to reduce the gap between the single-relation hypothesis and the multi-relation premise. To implement efficient training, we also develop several ways to generate high-quality negative samples, which help the NLI model learn to identify errors. Experimental results show that the proposed method is effective and outperforms other strong baselines on public benchmarks.

John Slankas,Xusheng Xiao,Laurie A. Williams,Tao Xie

DOI: https://doi.org/10.1145/2664243.2664280

2014-01-01

Abstract:With over forty years of use and refinement, access control, often in the form of access control rules (ACRs), continues to be a significant control mechanism for information security. However, ACRs are typically either buried within existing natural language (NL) artifacts or elicited from subject matter experts. To address the first situation, our research goal is to aid developers who implement ACRs by inferring ACRs from NL artifacts . To aid in rule inference, we propose an approach that extracts relations (i.e., the relationship among two or more items) from NL artifacts such as requirements documents. Unlike existing approaches, our approach combines techniques from information extraction and machine learning. We develop an iterative algorithm to discover patterns that represent ACRs in sentences. We seed this algorithm with frequently occurring nouns matching a subject--action--resource pattern throughout a document. The algorithm then searches for additional combinations of those nouns to discover additional patterns. We evaluate our approach on documents from three systems in three domains: conference management, education, and healthcare. Our evaluation results show that ACRs exist in 47% of the sentences, and our approach effectively identifies those ACR sentences with a precision of 81% and recall of 65%; our approach extracts ACRs from those identified ACR sentences with an average precision of 76% and an average recall of 49%.

Su Liu,Wenqi Lyu,Xiao Ma,Jike Ge

DOI: https://doi.org/10.1109/access.2023.3328802

IF: 3.9

2023-01-01

IEEE Access

Abstract:Extracting entity, relation, and attribute information from unstructured text is crucial for constructing large-scale knowledge graphs (KG). Existing research approaches either focus on entity recognition before relation extraction or employ unified annotation. However, these methods overlook the intrinsic relation between entity recognition and relation extraction, resulting in ineffective handling of triple overlap issues where multiple relations share the same entity in a sentence. To address these challenges, this paper proposes an entity-relation joint extraction model comprising two independent sub-modules: one for extracting the head entity and the other for extracting the tail entity and its corresponding relation. The model generates candidate entities and relations by enumerating token sequences in sentences, and then uses the two sub-modules to predict entities and relations. The predicted entities and relations are jointly decoded to obtain relational triples, avoiding error propagation and solving redundancy, entity overlap, and poor generalization. Extensive experiments demonstrate that our model achieves state-of-the-art performance on WebNLG, NYT, WebNLG*, and NYT* public benchmarks. It outperforms all baselines on the WebNLG* dataset, showing significant improvements in different types of triples: normal, SEO, and EPO by 3.8%, 2.9%, and 5.5%, respectively, compared to ETL-Span. For the NYT* dataset, our method improves by 5.7% in triples of Normal type, thereby confirming its effectiveness.

computer science, information systems,telecommunications,engineering, electrical & electronic

El Mehdi Chouham,Jessica López Espejel,Mahaman Sanoussi Yahaya Alassan,Walid Dahhane,El Hassane Ettifouri

2023-07-11

Abstract:The field of programming has a diversity of paradigms that are used according to the working framework. While current neural code generation methods are able to learn and generate code directly from text, we believe that this approach is not optimal for certain code tasks, particularly the generation of classes in an object-oriented project. Specifically, we use natural language processing techniques to extract structured information from requirements descriptions, in order to automate the generation of CRUD (Create, Read, Update, Delete) class code. To facilitate this process, we introduce a pipeline for extracting entity and relation information, as well as a representation called an "Entity Tree" to model this information. We also create a dataset to evaluate the effectiveness of our approach.

Computation and Language

Liu Yuan,Yude Bai,Zhenchang Xing,Sen Chen,Xiaohong Li,Zhidong Deng

DOI: https://doi.org/10.1109/COMPSAC51774.2021.00116

2021-01-01

Abstract:Security databases such as Common Vulnerabilities and Exposures (CVE), Common Weakness Enumeration (CWE), and Common Attack Pattern Enumeration and Classification (CAPEC) maintain diverse high-quality security concepts, which are treated as security entities. Meanwhile, security entities are documented with many potential relation types that profit for security analysis and comprehension across these three popular databases. To support reasoning security entity relationships, translation-based knowledge graph representation learning treats each triple independently for the entity prediction. However, it neglects the important semantic information about the neighbor entities around the triples. To address it, we propose a text-enhanced graph attention network model (text-enhanced GAT). This model highlights the importance of the knowledge in the 2-hop neighbors surrounding a triple, under the observation of the diversity of each entity. Thus, we can capture more structural and textual information from the knowledge graph about the security databases. Extensive experiments are designed to evaluate the effectiveness of our proposed model on the prediction of security entity relationships. Moreover, the experimental results outperform the state-of-the-art by Mean Reciprocal Rank (MRR) 0.132 for detecting the missing relationships.

Hanmin Jung,Sung-Pil Choi,Seungwoo Lee,Shiji Song

DOI: https://doi.org/10.5772/51005

2012-01-01

Abstract:Relation extraction refers to the method of efficient detection and identification of prede‐ fined semantic relationships within a set of entities in text documents (Zelenco, Aone, & Ri‐ chardella, 2003; Zhang, Zhou, and Aiti, 2008). The importance of this method was recognized first at the Message Understanding Conference (MUC, 2001) that had been held from 1987 to 1997 under the supervision of DARPA1. After that, the Automatic Content Ex‐ traction (ACE, 2009) Workshop facilitated numerous researches that from 1999 to 2008 had been promoted by NIST2 as a new project. Currently, the workshop is held every year being the greatest world forum for comparison and evaluation of new technology in the field of information extraction such as named entity recognition, relation extraction, event extrac‐ tion, and temporal information extraction. This workshop is conducted as a sub-field of Text Analytics Conference (TAC, 2012) which is currently under the supervision of NIST.

Junkai Yi,Yuan Liu,Zhongbai Jiang,Zhen Liu

DOI: https://doi.org/10.3390/electronics13214330

IF: 2.9

2024-11-05

Electronics

Abstract:Research on named entity recognition (NER) and command-line generation for network security evaluation tools is relatively scarce, and no mature models for recognition or generation have been developed thus far. Therefore, in this study, the aim is to build a specialized corpus for network security evaluation tools by combining knowledge graphs and information entropy for automatic entity annotation. Additionally, a novel NER approach based on the KG-BERT-BiLSTM-CRF model is proposed. Compared to the traditional BERT-BiLSTM model, the KG-BERT-BiLSTM-CRF model demonstrates superior performance when applied to the specialized corpus of network security evaluation tools. The graph attention network (GAT) component effectively extracts relevant sequential content from datasets in the network security evaluation domain. The fusion layer then concatenates the feature sequences from the GAT and BiLSTM layers, enhancing the training process. Upon successful NER execution, in this study, the identified entities are mapped to pre-established command-line data for network security evaluation tools, achieving automatic conversion from textual content to evaluation commands. This process not only improves the efficiency and accuracy of command generation but also provides practical value for the development and optimization of network security evaluation tools. This approach enables the more precise automatic generation of evaluation commands tailored to specific security threats, thereby enhancing the timeliness and effectiveness of cybersecurity defenses.

engineering, electrical & electronic,computer science, information systems,physics, applied

Jiaqi Hou,Xin Li,Haipeng Yao,Haichun Sun,Tianle Mai,Rongchen Zhu

DOI: https://doi.org/10.1109/access.2020.3002863

IF: 3.9

2020-01-01

IEEE Access

Abstract:The past few years have witnessed some public safety incidents occurring around the world. With the advent of the big data era, effectively extracting public security information from the internet has become of great significance. Up to hundreds of TBs of data are injected into the network every second, and thus it is impossible to process them manually. Natural Language Processing (NLP) is dedicated to the development of an intelligent system for effective text information mining. By analysing the text and quickly extracting the relationships between the relevant entities, NLP can establish the knowledge graph (KG) of public security, which lays the foundation for safety case analysis, information monitoring, and activity tracking and locating. One of the current pre-training relation extraction models is the Word2Vec model. The Word2vec model is single mapped, and it produces a static, single representation of the words in sentences. Then, the BERT model considers contextual information and provides more dynamic, richer vector representations of generated words. Therefore, in this paper, we propose a Bidirectional Encoder Representation from Transformers (BERT) based on the Chinese relation extraction algorithm for public security, which can effectively mine security information. The BERT model is obtained by training the Masked Language Model and predicting the next sentence task, which is based on the Transformer Encoder and the main model structure is the stacked Transformers. Extensive simulations are conducted to evaluate our proposed algorithm in comparison to some state-of-the-art schemes.

computer science, information systems,telecommunications,engineering, electrical & electronic

Pawan Kumar Rajpoot,Ankur Parikh

2023-10-27

Abstract:Relation extraction (RE) has achieved remarkable progress with the help of pre-trained language models. However, existing RE models are usually incapable of handling two situations: implicit expressions and long-tail relation classes, caused by language complexity and data sparsity. Further, these approaches and models are largely inaccessible to users who don't have direct access to large language models (LLMs) and/or infrastructure for supervised training or fine-tuning. Rule-based systems also struggle with implicit expressions. Apart from this, Real world financial documents such as various 10-X reports (including 10-K, 10-Q, etc.) of publicly traded companies pose another challenge to rule-based systems in terms of longer and complex sentences. In this paper, we introduce a simple approach that consults training relations at test time through a nearest-neighbor search over dense vectors of lexico-syntactic patterns and provides a simple yet effective means to tackle the above issues. We evaluate our approach on REFinD and show that our method achieves state-of-the-art performance. We further show that it can provide a good start for human in the loop setup when a small number of annotations are available and it is also beneficial when domain experts can provide high quality patterns.

Computation and Language,Computational Engineering, Finance, and Science

Lalit Mohan Sanagavarapu,Vivek Iyer,Raghu Reddy

DOI: https://doi.org/10.48550/arXiv.2112.08554

2021-12-16

Computation and Language

Abstract:Information Security in the cyber world is a major cause for concern, with a significant increase in the number of attack surfaces. Existing information on vulnerabilities, attacks, controls, and advisories available on the web provides an opportunity to represent knowledge and perform security analytics to mitigate some of the concerns. Representing security knowledge in the form of ontology facilitates anomaly detection, threat intelligence, reasoning and relevance attribution of attacks, and many more. This necessitates dynamic and automated enrichment of information security ontologies. However, existing ontology enrichment algorithms based on natural language processing and ML models have issues with contextual extraction of concepts in words, phrases, and sentences. This motivates the need for sequential Deep Learning architectures that traverse through dependency paths in text and extract embedded vulnerabilities, threats, controls, products, and other security-related concepts and instances from learned path representations. In the proposed approach, Bidirectional LSTMs trained on a large DBpedia dataset and Wikipedia corpus of 2.8 GB along with Universal Sentence Encoder is deployed to enrich ISO 27001-based information security ontology. The model is trained and tested on a high-performance computing (HPC) environment to handle Wiki text dimensionality. The approach yielded a test accuracy of over 80% when tested with knocked-out concepts from ontology and web page instances to validate the robustness.

Wei Shen,Jianyong Wang,Ping Luo,Min Wang

DOI: https://doi.org/10.4018/ijswis.2015070101

2015-01-01

Abstract:Relation extraction from the Web data has attracted a lot of attention in recent years. However, little work has been done when it comes to relation extraction from the enterprise data regardless of the urgent needs to such work in real applications (e.g., E-discovery). One distinct characteristic of the enterprise data (in comparison with the Web data) is its low redundancy. Previous work on relation extraction from the Web data largely relies on the data's high redundancy level and thus cannot be applied to the enterprise data effectively. This paper proposes an unsupervised hybrid framework called REACTOR. REACTOR combines a statistical method, classification, and clustering to identify various types of relations among entities appearing in the enterprise data automatically. Furthermore, the authors explore to apply pronominal anaphora resolution to extract more relations expressed across multiple sentences. They evaluate REACTOR over a real-world enterprise data set from HP that contains over three million pages and the experimental results show the effectiveness of REACTOR.