What Are Adversaries Doing? Automating Tactics, Techniques, and Procedures Extraction: A Systematic Review
Pith reviewed 2026-05-13 22:47 UTC · model grok-4.3
The pith
Systematic review of 80 papers shows TTP extraction shifting to transformer and LLM methods but limited by narrow datasets, single-label focus, and low reproducibility.
A machine-rendered reading of the paper's core claim, the machinery that carries it, and where it could break.
Core claim
Our analysis reveals several dominant trends. Technique-level classification remains the dominant task formulation, while tactic classification and technique searching are underexplored. The field has progressed from rule-based and traditional machine learning to transformer-based architectures (e.g., BERT, SecureBERT, RoBERTa), with recent studies exploring LLM-based approaches including prompting, retrieval-augmented generation, and fine-tuning, though adoption remains emergent.
Load-bearing premise
The selection of 80 peer-reviewed studies accurately captures the current state of research on TTP extraction, depending on the search strategy, databases used, and inclusion/exclusion criteria applied in the systematic review process.
Original abstract
Adversaries continuously evolve their tactics, techniques, and procedures (TTPs) to achieve their objectives while evading detection, requiring defenders to continually update their understanding of adversary behavior. Prior research has proposed automated extraction of TTP-related intelligence from unstructured text and mapping it to structured knowledge bases, such as MITRE ATT&CK. However, existing work varies widely in extraction objectives, datasets, modeling approaches, and evaluation practices, making it difficult to understand the research landscape. The goal of this study is to aid security researchers in understanding the state of the art in extracting attack tactics, techniques, and procedures (TTPs) from unstructured text by analyzing relevant literature. We systematically analyze 80 peer-reviewed studies across key dimensions: extraction purposes, data sources, dataset construction, modeling approaches, evaluation metrics, and artifact availability. Our analysis reveals several dominant trends. Technique-level classification remains the dominant task formulation, while tactic classification and technique searching are underexplored. The field has progressed from rule-based and traditional machine learning to transformer-based architectures (e.g., BERT, SecureBERT, RoBERTa), with recent studies exploring LLM-based approaches including prompting, retrieval-augmented generation, and fine-tuning, though adoption remains emergent. Despite these advances, important limitations persist: many studies rely on single-label classification, limited evaluation settings, and narrow datasets, constraining cross-domain generalization. Reproducibility is further hindered by proprietary datasets, limited code releases, and restricted corpora.
Editorial analysis
A structured set of objections, weighed in public.
Referee Report
Summary. This paper presents a systematic review of 80 peer-reviewed studies on automating the extraction of Tactics, Techniques, and Procedures (TTPs) from unstructured text, typically mapping to MITRE ATT&CK. It examines extraction purposes, data sources, dataset construction, modeling approaches (from rule-based to transformers and LLMs), evaluation metrics, and artifact availability, revealing trends like the dominance of technique-level classification and limitations in reproducibility and generalization.
Significance. If the selection of studies is representative, this review provides a valuable overview of the current state of TTP extraction research, highlighting underexplored areas such as tactic classification and technique searching, the shift towards LLM-based methods, and key limitations that can inform future work in cybersecurity and natural language processing.
major comments (1)
- [Methods (study selection)] The paper states that 80 studies were selected via a systematic process but does not detail the databases (e.g., IEEE Xplore, ACM DL, Scopus), Boolean search strings, date ranges, or provide a PRISMA flow diagram. This omission makes it difficult to assess the representativeness of the corpus and potential selection biases that could affect claims about dominant trends like technique-level classification dominance.
minor comments (2)
- [Abstract] The abstract mentions 'systematically analyze 80 peer-reviewed studies' without referencing the specific methodology section where details should be provided.
- [Discussion] Some trends, such as 'adoption remains emergent' for LLMs, could benefit from quantitative breakdowns (e.g., number of studies using each approach) to strengthen the claims.
Simulated Author's Rebuttal
We thank the referee for their constructive feedback and recommendation for minor revision. We agree that greater methodological transparency is needed and will revise the manuscript accordingly.
- Referee: Methods (study selection): The paper states that 80 studies were selected via a systematic process but does not detail the databases (e.g., IEEE Xplore, ACM DL, Scopus), Boolean search strings, date ranges, or provide a PRISMA flow diagram. This omission makes it difficult to assess the representativeness of the corpus and potential selection biases that could affect claims about dominant trends like technique-level classification dominance.
  Authors: We acknowledge the validity of this observation. The current manuscript provides only a high-level description of the selection process. In the revised version we will expand the Methods section to explicitly list the databases queried, reproduce the precise Boolean search strings, state the date range applied, and include a PRISMA flow diagram that reports the number of records at each stage of screening and inclusion. These additions will allow readers to evaluate the corpus representativeness and any potential selection bias directly.
  revision: yes
Circularity Check
No circularity: systematic review summarizes external literature without derivations or self-referential fits
This is a systematic literature review paper that selects and analyzes 80 external peer-reviewed studies on TTP extraction. It contains no equations, fitted parameters, predictions, or derivations that could reduce to its own inputs by construction. All claims (e.g., dominance of technique-level classification, shift to transformer/LLM approaches) are descriptive summaries of the reviewed body of work rather than self-generated results. No self-citation load-bearing steps, ansatz smuggling, or renaming of known results occur; the paper's methodology (study selection) is an input to the synthesis, not a circular loop. The result is self-contained against external benchmarks.
Axiom & Free-Parameter Ledger
axioms (1)
- domain assumption: Systematic review methodology provides an unbiased synthesis of the literature