ACTIC: A Large Language Model‐Based Method for Threat Intelligence Perception
Changcheng Liu, Jun Ma, Changheng Yang
IET Communications
Problems Identified (4)
Inefficient threat intelligence analysis: Conventional threat intelligence analysis methods process increasingly complex and stealthy cyber-attacks with low efficiency.
Limited semantic comprehension: Conventional threat intelligence analysis methods understand the semantics of unstructured threat reports only to a limited degree.
Heterogeneous dynamic data adaptation: Conventional threat intelligence analysis methods struggle to adapt to dynamic, multi-source, heterogeneous data.
Threat intelligence awareness enhancement: The study addresses the need to improve threat intelligence awareness by automating the extraction and organization of intelligence from such data.
Proposed Solutions (4)
ACTIC LLM-based threat intelligence KG construction: ACTIC is an automated method that uses large language models to construct a threat intelligence knowledge graph from unstructured reports.
DeepSeek LoRA information extraction: The approach uses a locally deployed DeepSeek-32B model, combined with prompt engineering and LoRA fine-tuning, to extract entities, relationships, and attack steps from unstructured reports.
Dual-layer threat and attack knowledge graph: ACTIC produces a dual-layer knowledge graph comprising a Threat Intelligence Knowledge Graph (entities and their relationships) and an Attack Knowledge Graph (ordered attack steps).
ATT&CK-based TTP classification and recommendations: ACTIC maps extracted attack steps to the ATT&CK framework for TTP classification, and on top of the graph supports threat search and the generation of protective recommendations.
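The pipeline described above, as an added worked example that is not code from the ACTIC paper or its authors: a validated ingestion of LLM-extracted JSON into a two-layer graph (threat-intelligence layer of entities and relations, attack layer of ordered steps), ATT&CK-based TTP lookup, threat search by technique, and mitigation recommendations for a report's attack chain. The `LLM_OUTPUT` and `BAD_OUTPUT` strings are hand-constructed stand-ins for what a DeepSeek-style extraction prompt would return (no model is called), the `ATTACK` table is a small excerpt with real technique and mitigation identifiers but is not the framework, and all class, function and report names are assumptions made for this example.

```python
"""Added example (not from the ACTIC paper): validate LLM-extracted JSON, build a
two-layer threat-intelligence / attack knowledge graph, map steps to ATT&CK,
and answer threat-search and protective-recommendation queries."""
import json
import re
from collections import defaultdict

# Constructed stand-in for the JSON an extraction prompt would ask the model to emit.
LLM_OUTPUT = json.dumps({
    "report_id": "RPT-001",
    "entities": [
        {"name": "APT-Example", "type": "threat_actor"},
        {"name": "LoaderX", "type": "malware"},
        {"name": "203.0.113.10", "type": "ip"},
    ],
    "relations": [
        {"src": "APT-Example", "rel": "uses", "dst": "LoaderX"},
        {"src": "LoaderX", "rel": "communicates_with", "dst": "203.0.113.10"},
    ],
    "attack_steps": [
        {"order": 2, "action": "PowerShell script launches LoaderX", "technique": "T1059.001"},
        {"order": 1, "action": "spearphishing email with malicious attachment", "technique": "T1566"},
        {"order": 3, "action": "beaconing over HTTPS to C2", "technique": "T1071"},
        {"order": 4, "action": "files encrypted for extortion", "technique": "T1486"},
    ],
})
# Constructed output with a technique id that does not exist: a typical LLM hallucination.
BAD_OUTPUT = json.dumps({"report_id": "RPT-002", "entities": [], "relations": [],
                         "attack_steps": [{"order": 1, "action": "x", "technique": "T9999"}]})

ENTITY_TYPES = {"threat_actor", "malware", "ip", "domain", "hash", "vulnerability"}
TECHNIQUE_RE = re.compile(r"^T\d{4}(\.\d{3})?$")

# Hand-made ATT&CK excerpt: technique id -> (name, mitigations). The ids and names are
# real, but this is a few rows for the example; a deployment loads the full STIX bundle.
ATTACK = {
    "T1566": ("Phishing", ["M1017 User Training", "M1049 Antivirus/Antimalware"]),
    "T1059.001": ("PowerShell", ["M1038 Execution Prevention", "M1049 Antivirus/Antimalware"]),
    "T1071": ("Application Layer Protocol", ["M1031 Network Intrusion Prevention"]),
    "T1486": ("Data Encrypted for Impact", ["M1053 Data Backup", "M1040 Behavior Prevention on Endpoint"]),
}

def parse_extraction(raw):
    """Validate the model's JSON before it touches the graph: LLM output is untrusted input."""
    doc = json.loads(raw)
    for key in ("report_id", "entities", "relations", "attack_steps"):
        if key not in doc:
            raise ValueError(f"missing field {key}")
    names = set()
    for ent in doc["entities"]:
        if ent.get("type") not in ENTITY_TYPES:
            raise ValueError(f"unknown entity type {ent.get('type')!r}")
        names.add(ent["name"])
    for rel in doc["relations"]:
        if rel["src"] not in names or rel["dst"] not in names:
            raise ValueError(f"relation references unknown entity: {rel}")
    for step in doc["attack_steps"]:
        tid = step.get("technique", "")
        if not TECHNIQUE_RE.match(tid) or tid not in ATTACK:
            raise ValueError(f"hallucinated or unknown technique id {tid!r}")
    doc["attack_steps"].sort(key=lambda s: s["order"])  # attack layer is an ordered chain
    return doc

def is_valid_extraction(raw):
    try:
        parse_extraction(raw)
        return True
    except (ValueError, KeyError, TypeError):
        return False

class DualLayerKG:
    def __init__(self):
        self.nodes = {}                       # threat layer: entity name -> type
        self.edges = []                       # threat layer: (src, rel, dst, report_id)
        self.chains = {}                      # attack layer: report_id -> [(order, technique, action)]
        self.by_technique = defaultdict(set)  # index: technique id -> report ids

    def ingest(self, doc):
        rid = doc["report_id"]
        for ent in doc["entities"]:
            self.nodes[ent["name"]] = ent["type"]
        for rel in doc["relations"]:
            self.edges.append((rel["src"], rel["rel"], rel["dst"], rid))
        self.chains[rid] = [(s["order"], s["technique"], s["action"]) for s in doc["attack_steps"]]
        for s in doc["attack_steps"]:
            self.by_technique[s["technique"]].add(rid)
        for ent in doc["entities"]:  # cross-layer link: actor -> the attack chain it executes
            if ent["type"] == "threat_actor":
                self.edges.append((ent["name"], "executes_chain", rid, rid))

    def search_technique(self, tid):
        """Threat search: which reports contain this TTP?"""
        return sorted(self.by_technique.get(tid, ()))

    def actors_using(self, tid):
        rids = self.by_technique.get(tid, set())
        return sorted({s for s, rel, d, _ in self.edges if rel == "executes_chain" and d in rids})

    def recommend(self, report_id):
        """Protective recommendations: mitigations of each chain step, deduped, in chain order."""
        seen, out = set(), []
        for _, tid, _ in self.chains[report_id]:
            for m in ATTACK[tid][1]:
                if m not in seen:
                    seen.add(m)
                    out.append(m)
        return out

def build_demo():
    kg = DualLayerKG()
    kg.ingest(parse_extraction(LLM_OUTPUT))
    return kg

if __name__ == "__main__":
    kg = build_demo()
    print("reports with T1566:", kg.search_technique("T1566"))
    print("actors using T1486:", kg.actors_using("T1486"))
    print("recommendations for RPT-001:", kg.recommend("RPT-001"))
    print("BAD_OUTPUT accepted?", is_valid_extraction(BAD_OUTPUT))
```

The validation step is the part that matters in practice: a fine-tuned extractor still emits malformed JSON, unknown entity types or non-existent technique identifiers, and rejecting those before ingestion keeps the graph (and the recommendations derived from it) trustworthy.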
Results (3)
Improved entity recognition and relation extraction F1:
Improved TTP classification F1:
Applicability to local deployment of a cybersecurity LLM:
Research Domain
Cybersecurity threat intelligence analysis