Automatic extraction of named entities of cyber threats using a deep Bi-LSTM-CRF network

Gyeongmin Kim; Chanhee Lee; Jaechoon Jo; Heuiseok Lim

doi:10.1007/s13042-020-01122-6

Automatic extraction of named entities of cyber threats using a deep Bi-LSTM-CRF network

Gyeongmin Kim, Chanhee Lee, Jaechoon Jo, Heuiseok Lim

Research output: Contribution to journal › Article

Abstract

Countless cyber threat intelligence (CTI) reports are used by companies around the world on a daily basis for security reasons. To secure critical cybersecurity information, analysts and individuals should accordingly analyze information on threats and vulnerabilities. However, analyzing such overwhelming volumes of reports requires considerable time and effort. In this study, we propose a novel approach that automatically extracts core information from CTI reports using a named entity recognition (NER) system. During the process of constructing our proposed NER system, we defined meaningful keywords in the security domain as entities, including malware, domain/URL, IP address, Hash, and Common Vulnerabilities and Exposures. Furthermore, we linked these keywords with the words extracted from the text data of the report. To achieve a higher performance, we utilized the character-level feature vector as an input to bidirectional long-short-term memory using a conditional random field network. We finally achieved an average F1-score of 75.05%. We release 498,000 tag datasets created during our research.

Original language	English
Pages (from-to)	2341-2355
Number of pages	15
Journal	International Journal of Machine Learning and Cybernetics
Volume	11
Issue number	10
DOIs	https://doi.org/10.1007/s13042-020-01122-6
Publication status	Published - 2020

Keywords

Bidirectional long-short-term memory conditional random field
Cyber threat intelligence
Cybersecurity
Named entity recognition
Vulnerability

ASJC Scopus subject areas

Software
Computer Vision and Pattern Recognition
Artificial Intelligence

Access to Document

10.1007/s13042-020-01122-6

Fingerprint Dive into the research topics of 'Automatic extraction of named entities of cyber threats using a deep Bi-LSTM-CRF network'. Together they form a unique fingerprint.

Cite this

Kim, G., Lee, C., Jo, J., & Lim, H. (2020). Automatic extraction of named entities of cyber threats using a deep Bi-LSTM-CRF network. International Journal of Machine Learning and Cybernetics, 11(10), 2341-2355. https://doi.org/10.1007/s13042-020-01122-6

@article{bcdc10701eaf4ef1ba729a7c2b6e2499,

title = "Automatic extraction of named entities of cyber threats using a deep Bi-LSTM-CRF network",

abstract = "Countless cyber threat intelligence (CTI) reports are used by companies around the world on a daily basis for security reasons. To secure critical cybersecurity information, analysts and individuals should accordingly analyze information on threats and vulnerabilities. However, analyzing such overwhelming volumes of reports requires considerable time and effort. In this study, we propose a novel approach that automatically extracts core information from CTI reports using a named entity recognition (NER) system. During the process of constructing our proposed NER system, we defined meaningful keywords in the security domain as entities, including malware, domain/URL, IP address, Hash, and Common Vulnerabilities and Exposures. Furthermore, we linked these keywords with the words extracted from the text data of the report. To achieve a higher performance, we utilized the character-level feature vector as an input to bidirectional long-short-term memory using a conditional random field network. We finally achieved an average F1-score of 75.05%. We release 498,000 tag datasets created during our research.",

keywords = "Bidirectional long-short-term memory conditional random field, Cyber threat intelligence, Cybersecurity, Named entity recognition, Vulnerability",

author = "Gyeongmin Kim and Chanhee Lee and Jaechoon Jo and Heuiseok Lim",

year = "2020",

doi = "10.1007/s13042-020-01122-6",

language = "English",

volume = "11",

pages = "2341--2355",

journal = "International Journal of Machine Learning and Cybernetics",

issn = "1868-8071",

publisher = "Springer Science + Business Media",

number = "10",

}

TY - JOUR

T1 - Automatic extraction of named entities of cyber threats using a deep Bi-LSTM-CRF network

AU - Kim, Gyeongmin

AU - Lee, Chanhee

AU - Jo, Jaechoon

AU - Lim, Heuiseok

PY - 2020

Y1 - 2020

N2 - Countless cyber threat intelligence (CTI) reports are used by companies around the world on a daily basis for security reasons. To secure critical cybersecurity information, analysts and individuals should accordingly analyze information on threats and vulnerabilities. However, analyzing such overwhelming volumes of reports requires considerable time and effort. In this study, we propose a novel approach that automatically extracts core information from CTI reports using a named entity recognition (NER) system. During the process of constructing our proposed NER system, we defined meaningful keywords in the security domain as entities, including malware, domain/URL, IP address, Hash, and Common Vulnerabilities and Exposures. Furthermore, we linked these keywords with the words extracted from the text data of the report. To achieve a higher performance, we utilized the character-level feature vector as an input to bidirectional long-short-term memory using a conditional random field network. We finally achieved an average F1-score of 75.05%. We release 498,000 tag datasets created during our research.

AB - Countless cyber threat intelligence (CTI) reports are used by companies around the world on a daily basis for security reasons. To secure critical cybersecurity information, analysts and individuals should accordingly analyze information on threats and vulnerabilities. However, analyzing such overwhelming volumes of reports requires considerable time and effort. In this study, we propose a novel approach that automatically extracts core information from CTI reports using a named entity recognition (NER) system. During the process of constructing our proposed NER system, we defined meaningful keywords in the security domain as entities, including malware, domain/URL, IP address, Hash, and Common Vulnerabilities and Exposures. Furthermore, we linked these keywords with the words extracted from the text data of the report. To achieve a higher performance, we utilized the character-level feature vector as an input to bidirectional long-short-term memory using a conditional random field network. We finally achieved an average F1-score of 75.05%. We release 498,000 tag datasets created during our research.

KW - Bidirectional long-short-term memory conditional random field

KW - Cyber threat intelligence

KW - Cybersecurity

KW - Named entity recognition

KW - Vulnerability

UR - http://www.scopus.com/inward/record.url?scp=85085090748&partnerID=8YFLogxK

UR - http://www.scopus.com/inward/citedby.url?scp=85085090748&partnerID=8YFLogxK

U2 - 10.1007/s13042-020-01122-6

DO - 10.1007/s13042-020-01122-6

M3 - Article

AN - SCOPUS:85085090748

VL - 11

SP - 2341

EP - 2355

JO - International Journal of Machine Learning and Cybernetics

JF - International Journal of Machine Learning and Cybernetics

SN - 1868-8071

IS - 10

ER -