Automated Attack Testflow Extraction from Cyber Threat Report using BERT for Contextual Analysis

• URL: http://arxiv.org/abs/2507.07244v1
• Date: Wed, 09 Jul 2025 19:33:13 GMT
• Title: Automated Attack Testflow Extraction from Cyber Threat Report using BERT for Contextual Analysis
• Authors: Faissal Ahmadou, Sepehr Ghaffarzadegan, Boubakr Nour, Makan Pourzandi, Mourad Debbabi, Chadi Assi,
• Abstract summary: This paper proposes FLOWGUARDIAN, a novel solution to automate the extraction of attack testflows from unstructured threat reports.<n>FLOWGUARDIAN systematically analyzes and contextualizes security events, reconstructs attack sequences, and then generates comprehensive testflows.
• Score: 16.226849875047165
• License: http://creativecommons.org/licenses/by/4.0/
• Abstract: In the ever-evolving landscape of cybersecurity, the rapid identification and mitigation of Advanced Persistent Threats (APTs) is crucial. Security practitioners rely on detailed threat reports to understand the tactics, techniques, and procedures (TTPs) employed by attackers. However, manually extracting attack testflows from these reports requires elusive knowledge and is time-consuming and prone to errors. This paper proposes FLOWGUARDIAN, a novel solution leveraging language models (i.e., BERT) and Natural Language Processing (NLP) techniques to automate the extraction of attack testflows from unstructured threat reports. FLOWGUARDIAN systematically analyzes and contextualizes security events, reconstructs attack sequences, and then generates comprehensive testflows. This automated approach not only saves time and reduces human error but also ensures comprehensive coverage and robustness in cybersecurity testing. Empirical validation using public threat reports demonstrates FLOWGUARDIAN's accuracy and efficiency, significantly enhancing the capabilities of security teams in proactive threat hunting and incident response.

Related papers

• Preliminary Investigation into Uncertainty-Aware Attack Stage Classification [81.28215542218724]
  This work addresses the problem of attack stage inference under uncertainty.<n>We propose a classification approach based on Evidential Deep Learning (EDL), which models predictive uncertainty by outputting parameters of a Dirichlet distribution over possible stages.<n>Preliminary experiments in a simulated environment demonstrate that the proposed model can accurately infer the stage of an attack with confidence.
  arXiv  Detail & Related papers  (2025-08-01T06:58:00Z)
• CLIProv: A Contrastive Log-to-Intelligence Multimodal Approach for Threat Detection and Provenance Analysis [6.680853786327484]
  This paper introduces CLIProv, a novel approach for detecting threat behaviors in a host system.<n>By leveraging attack pattern information in threat intelligence, CLIProv identifies TTPs and generates complete and concise attack scenarios.<n>Compared to state-of-the-art methods, CLIProv achieves higher precision and significantly improved detection efficiency.
  arXiv  Detail & Related papers  (2025-07-12T04:20:00Z)
• A Survey on Model Extraction Attacks and Defenses for Large Language Models [55.60375624503877]
  Model extraction attacks pose significant security threats to deployed language models.<n>This survey provides a comprehensive taxonomy of extraction attacks and defenses, categorizing attacks into functionality extraction, training data extraction, and prompt-targeted attacks.<n>We examine defense mechanisms organized into model protection, data privacy protection, and prompt-targeted strategies, evaluating their effectiveness across different deployment scenarios.
  arXiv  Detail & Related papers  (2025-06-26T22:02:01Z)
• ThreatLens: LLM-guided Threat Modeling and Test Plan Generation for Hardware Security Verification [1.0816123715383426]
  ThreatLens is a multi-agent framework that automates security threat modeling and test plan generation for hardware security verification.<n>The framework reduces the manual verification effort, enhances coverage, and ensures a structured, adaptable approach to security verification.
  arXiv  Detail & Related papers  (2025-05-11T03:10:39Z)
• AutoAdv: Automated Adversarial Prompting for Multi-Turn Jailbreaking of Large Language Models [0.0]
  Large Language Models (LLMs) continue to exhibit vulnerabilities to jailbreaking attacks.<n>We present AutoAdv, a novel framework that automates adversarial prompt generation.<n>We show that our attacks achieve jailbreak success rates of up to 86% for harmful content generation.
  arXiv  Detail & Related papers  (2025-04-18T08:38:56Z)
• FATH: Authentication-based Test-time Defense against Indirect Prompt Injection Attacks [45.65210717380502]
  Large language models (LLMs) have been widely deployed as the backbone with additional tools and text information for real-world applications. prompt injection attacks are particularly threatening, where malicious instructions injected in the external text information can exploit LLMs to generate answers as the attackers desire. This paper introduces a novel test-time defense strategy, named AuThentication with Hash-based tags (FATH)
  arXiv  Detail & Related papers  (2024-10-28T20:02:47Z)
• Towards Automated Classification of Attackers' TTPs by combining NLP with ML Techniques [77.34726150561087]
  We evaluate and compare different Natural Language Processing (NLP) and machine learning techniques used for security information extraction in research. Based on our investigations we propose a data processing pipeline that automatically classifies unstructured text according to attackers' tactics and techniques.
  arXiv  Detail & Related papers  (2022-07-18T09:59:21Z)
• Certifiers Make Neural Networks Vulnerable to Availability Attacks [70.69104148250614]
  We show for the first time that fallback strategies can be deliberately triggered by an adversary. In addition to naturally occurring abstains for some inputs and perturbations, the adversary can use training-time attacks to deliberately trigger the fallback. We design two novel availability attacks, which show the practical relevance of these threats.
  arXiv  Detail & Related papers  (2021-08-25T15:49:10Z)
• EXTRACTOR: Extracting Attack Behavior from Threat Reports [6.471387545969443]
  We propose a novel approach and tool called provenanceOR that allows precise automatic extraction of concise attack behaviors from CTI reports. provenanceOR makes no strong assumptions about the text and is capable of extracting attack behaviors as graphs from unstructured text. Our evaluation results show that provenanceOR can extract concise graphs from CTI reports and can successfully be used by cyber-analytics tools in threat-hunting.
  arXiv  Detail & Related papers  (2021-04-17T18:51:00Z)
• A System for Efficiently Hunting for Cyber Threats in Computer Systems Using Threat Intelligence [78.23170229258162]
  We build ThreatRaptor, a system that facilitates cyber threat hunting in computer systems using OSCTI. ThreatRaptor provides (1) an unsupervised, light-weight, and accurate NLP pipeline that extracts structured threat behaviors from unstructured OSCTI text, (2) a concise and expressive domain-specific query language, TBQL, to hunt for malicious system activities, and (3) a query synthesis mechanism that automatically synthesizes a TBQL query from the extracted threat behaviors.
  arXiv  Detail & Related papers  (2021-01-17T19:44:09Z)
• Enabling Efficient Cyber Threat Hunting With Cyber Threat Intelligence [94.94833077653998]
  ThreatRaptor is a system that facilitates threat hunting in computer systems using open-source Cyber Threat Intelligence (OSCTI) It extracts structured threat behaviors from unstructured OSCTI text and uses a concise and expressive domain-specific query language, TBQL, to hunt for malicious system activities. Evaluations on a broad set of attack cases demonstrate the accuracy and efficiency of ThreatRaptor in practical threat hunting.
  arXiv  Detail & Related papers  (2020-10-26T14:54:01Z)
• An Automated, End-to-End Framework for Modeling Attacks From Vulnerability Descriptions [46.40410084504383]
  In order to derive a relevant attack graph, up-to-date information on known attack techniques should be represented as interaction rules. We present a novel, end-to-end, automated framework for modeling new attack techniques from textual description of a security vulnerability.
  arXiv  Detail & Related papers  (2020-08-10T19:27:34Z)
• Automated Retrieval of ATT&CK Tactics and Techniques for Cyber Threat Reports [5.789368942487406]
  We evaluate several classification approaches to automatically retrieve Tactics, Techniques and Procedures from unstructured text. We present rcATT, a tool built on top of our findings and freely distributed to the security community to support cyber threat report automated analysis.
  arXiv  Detail & Related papers  (2020-04-29T16:45:14Z)

This list is automatically generated from the titles and abstracts of the papers in this site.

This site does not guarantee the quality of this site (including all information) and is not responsible for any consequences.