Submitted:
08 July 2025
Posted:
08 July 2025
You are already at the latest version
Abstract
Keywords:
1. Introduction
- We delineate the challenges inherent in existing dataset construction and introduce CTINER—a novel dataset specifically designed for Named Entity Recognition in Cyber Threat Intelligence—to address the paucity of suitable NER datasets.
- We further propose PROMPT-BART, a multi-prompt NER model that seamlessly integrates domain-specific threat intelligence knowledge. By leveraging prefix, demonstration, and template prompts, PROMPT-BART expands its knowledge base and overcomes the limitations of conventional single-prompt approaches.
2. Related Work
2.1. Research on Methods for Named Entity Recognition
2.1.1. General Domain Named Entity Recognition Research
2.1.2. Named Entity Recognition Research in Cyber Threat Intelligence
2.1.3. Research on Prompt Engineering-based Named Entity Recognition
2.2. Construction of Datasets for Named Entity Recognition
2.2.1. General Domain Datasets
2.2.2. Cybersecurity Domain Datasets
3. Construction of Cyber Threat Intelligence Datasets
3.1. Dataset Extraction Methods and Corresponding Modules
3.1.1. Threat Intelligence Acquisition Module
3.1.2. Data Preprocessing Module
3.1.3. Entity Pre-definition Module
3.1.4. Annotation and Verification Module
3.1.5. Data Format Conversion Module
3.1.6. Annotation Data Cleaning Module
3.1.7. Rare Data Supplementation Module
3.2. Dataset Overview and Entity Distribution
3.3. Comparison with Other Datasets: DNRTI, CTIReports, APTNER
3.3.1. Label Rationality
3.3.2. Dataset Scale Comparison
4. Model
4.1. Model Construction
4.1.1. Constructing Task Prompts
4.1.2. Constructing Entity Demonstration Prompts
4.1.3. Constructing Template Prompts
Prompt Paraphrasing:
Prompt Decomposition:
4.2. Model Training and Inference
5. Experiment
5.1. Comparison and Analysis of Template Prompts
5.2. Comparison of NER Models
5.3. Ablation Experiment Results and Analysis
6. Conclusions
- Development of an Open-Source Annotation System: Creating an annotation system (e.g., based on Doccano) that leverages its AutoLabel feature to facilitate efficient automated annotation. Additionally, incorporating human-in-the-loop reinforcement techniques could further streamline the processing of unlabeled data.
- Integration of GANs with Prompt Learning: Employing Generative Adversarial Networks (GANs) to generate novel training samples could enable more effective model training, thereby improving the overall generalization capabilities of the NER model.
7. Patents
Author Contributions
Funding
Data Availability Statement
Conflicts of Interest
References
- McMillan, R.; Pratap, K. Market guide for security threat intelligence services. Gartner Report (G00259127) 2014.
- Ma, X.; Hovy, E. End-to-end sequence labeling via bi-directional LSTM-CNNs-CRF. In Proceedings of the 54th Annual Meeting of the Association for Computational Linguistics, 2016; pp. 1064–1074.
- Pinheiro, P.; Collobert, R. Recurrent convolutional neural networks for scene labeling. In International Conference on Machine Learning, 2014; pp. 82–90.
- Jiang, S.; Zhao, S.; Hou, K. A BERT-BiLSTM-CRF model for Chinese electronic medical records named entity recognition. In 12th International Conference on Intelligent Computation Technology and Automation (ICICTA), 2019; pp. 166–169.
- Fang, J.; Wang, X.; Meng, Z. MANNER: A variational memory-augmented model for cross domain few-shot named entity recognition. In Proceedings of the 61st Annual Meeting of the Association for Computational Linguistics (Volume 1: Long Papers), 2023; pp. 4261–4276.
- Chen, W.; Zhao, L.; Luo, P. Heproto: A hierarchical enhancing protonet based on multi-task learning for few-shot named entity recognition. In Proceedings of the 32nd ACM International Conference on Information and Knowledge Management, 2023; pp. 296–305.
- Arora, J.; Park, Y. Split-NER: Named entity recognition via two question-answering-based classifications. In Proceedings of the 61st Annual Meeting of the Association for Computational Linguistics (Volume 2: Short Papers), Toronto, Canada, July 2023; Association for Computational Linguistics: pp. 416.
- Wang, H.; Cheng, L.; Zhang, W.; Soh, D.W.; Bing, L. Order-Agnostic Data Augmentation for Few-Shot Named Entity Recognition. In *Proceedings of the 62nd Annual Meeting of the Association for Computational Linguistics (Volume 1: Long Papers)*, Bangkok, Thailand, August 2024; Association for Computational Linguistics: Bangkok, Thailand, 2024; pp. 7792–7807. https://doi.org/10.18653/v1/2024.acl-long.421. [CrossRef]
- Liao, X.; Yuan, K.; Wang, X.F. Acing the IOC Game: Toward Automatic Discovery and Analysis of Open-Source Cyber Threat Intelligence. In *Proceedings of the 2016 ACM SIGSAC Conference on Computer and Communications Security*, 2016; pp. 755–766.
- Zhu, Z.; Dumitras, T. Chainsmith: Automatically Learning the Semantics of Malicious Campaigns by Mining Threat Intelligence Reports. In 2018 IEEE European Symposium on Security and Privacy (EuroS&P); 2018; pp. 458–472.
- Zhou, S.; Long, Z.; Tan, L. Automatic Identification of Indicators of Compromise Using Neural-Based Sequence Labelling. In Proceedings of the 32nd Pacific Asia Conference on Language, Information and Computation; 2018; pp. 849–857.
- Dionísio, N.; Alves, F.; Ferreira, P.M. Cyberthreat Detection from Twitter Using Deep Neural Networks. In 2019 International Joint Conference on Neural Networks (IJCNN); 2019; pp. 1–8.
- Wang, Y.; Wang, Z.-h.; Li, H.; Huang, W.-j. Named Entity Recognition in Threat Intelligence Domain Based on Deep Learning. Journal of Northeastern University (Natural Science) 2023, 44(1), 33–39. https://doi.org/10.12068/j.issn.1005-3026.2023.01.005. [CrossRef]
- Chen, S.-S.; Hwang, R.-H.; Sun, C.-Y.; Lin, Y.-D.; Pai, T.-W. Enhancing Cyber Threat Intelligence with Named Entity Recognition Using BERT-CRF. In GLOBECOM 2023 - 2023 IEEE Global Communications Conference; 2023; pp. 7532–7537. https://doi.org/10.1109/GLOBECOM54140.2023.10436853. [CrossRef]
- Chen, J.; Liu, Q.; Lin, H. Few-Shot Named Entity Recognition with Self-Describing Networks. In Proceedings of the 60th Annual Meeting of the Association for Computational Linguistics; 2022; pp. 5711–5722.
- Ben-David, E.; Oved, N.; Reichart, R. PADA: Example-Based Prompt Learning for On-the-Fly Adaptation to Unseen Domains. Transactions of the Association for Computational Linguistics 2022, 10, 414–433. https://doi.org/10.1162/tacl_a_00468. [CrossRef]
- Cui, L.; Wu, Y.; Liu, J. Template-Based Named Entity Recognition Using BART. In Findings of the Association for Computational Linguistics: ACL-IJCNLP; 2021; pp. 1835–1845.
- Chen, X.; Zhang, N.; Li, L. LightNER: A Lightweight Generative Framework with Prompt-Guided Attention for Low-Resource NER. In Proceedings of the 29th International Conference on Computational Linguistics; 2022; pp. 2374–2387.
- Wang, X.; Wei, C.; Zhang, L. Chinese Named Entity Recognition Based on Prompt Learning and Multi-Level Feature Fusion. Journal of Data Acquisition and Processing 2024, 39(4), 1020–1032.
- Ye, F.; Huang, L.; Liang, S.; Chi, K. Decomposed Two-Stage Prompt Learning for Few-Shot Named Entity Recognition. Information 2023, 14(5), 262. https://doi.org/10.3390/info14050262. [CrossRef]
- Xia, Y.; Tong, Z.; Wang, L.; Liu, Q.; Wu, S.; Zhang, X. MPE3: Learning Meta-Prompt with Entity-Enhanced Semantics for Few-Shot Named Entity Recognition. Neurocomputing 2025, 620, 129031. https://doi.org/10.1016/j.neucom.2024.129031. [CrossRef]
- Tjong Kim Sang, E.F.; De Meulder, F. Introduction to the CoNLL-2003 Shared Task: Language-Independent Named Entity Recognition. In Proceedings of the Seventh Conference on Natural Language Learning at HLT-NAACL 2003; 2003; pp. 142–147.
- Linguistic Data Consortium. ACE 2005 Multilingual Training Corpus. Linguistic Data Consortium, 2006.
- Wang, X.; Liu, X.; Ao, S. DNR-TI: A Large-Scale Dataset for Named Entity Recognition in Threat Intelligence. In 2020 IEEE 19th International Conference on Trust, Security and Privacy in Computing and Communications (TrustCom); 2020; pp. 1842–1848.
- Kim, G.; Lee, C.; Jo, J. Automatic Extraction of Named Entities of Cyber Threats Using a Deep Bi-LSTM-CRF Network. International Journal of Machine Learning and Cybernetics 2020, 11, 2341–2355. https://doi.org/10.1007/s13042-020-01122-6. [CrossRef]
- Wang, X.; He, S.; Xiong, Z. APTNER: A Specific Dataset for NER Missions in Cyber Threat Intelligence Field. In 2022 IEEE 25th International Conference on Computer Supported Cooperative Work in Design (CSCWD); 2022; pp. 1233–1238.
- OASIS Cyber Threat Intelligence (CTI) Technical Committee. STIX 2.1. OASIS, 2019. STIX Version 2.1 Specification. Available: https://docs.oasis-open.org/cti/stix/v2.1/csprd01/stix-v2.1-csprd01.html.




| Name | Type | Explanation |
|---|---|---|
| Threat Actor | ACT | The individuals, organizations, or groups with malicious intent and their aliases, namely, the initiators of the attack actions. |
| Attack Target | TAR | Industries, governments, etc. |
| Campaign | CAM | A set of malicious activities or attacks launched against specific targets over a period of time. |
| Identity | IDTY | Individuals, organizations, or groups, as well as categories of individuals, organizations, or groups. |
| Vulnerability | VUL | Vulnerability names and Vulnerability numbers. |
| Tool | TOOL | Legitimate software utilized by threat actors to launch attacks. |
| Malware | MAL | A program inserted into a system to disrupt confidentiality, integrity. |
| Location | LOC | Specific locations, geographical positions. |
| Time | TIME | Dates, years, months, time points, etc. |
| Sample File | FILE | For instance: at.exe, Vietnam.exe. |
| URL | URL | For example: http://shwoo.gov.taipei/buyer_flowchart.asp |
| OS | OS | Various operating systems. |
| EML | For example: uglygorilla@163.com. |
| Dataset | Sentences | Words | Entities | Entity Tokens |
|---|---|---|---|---|
| Training Set | 11,653 | 321,471 | 30,360 | 44,783 |
| Test Set | 3,291 | 91,854 | 8,202 | 10,389 |
| Validation Set | 1,629 | 45,983 | 3,987 | 4,995 |
| Total | 16,573 | 459,308 | 42,549 | 60,167 |
| Entity Type | Max Number of Entities | Sentence Containing the Entities |
|---|---|---|
| ACT | APT1 (263) | The timeline and details of APT1’s extensive attack infrastructure. |
| TAR | organizations (241) | A relatively advanced threat actor, it has been targeting a variety of organizations over the past years. |
| CAM | phishing (110) | Users are directed to either a phishing page or a survey scam. |
| IDTY | Recorded Future (256) | Learn more about using Recorded Future for cyber security analysis. |
| VUL | zero-day (100) | And this year quite a number of zero-days were used in targeted attacks. |
| TOOL | C2 (227) | The threat actors also leverage popular code and file-sharing sites for their C2 domains. |
| MAL | Olympic Destroyer (158) | But it has now become more popular, especially in more publicized malware, and Olympic Destroyer is a good example of that. |
| LOC | China (518) | The “Belt and Road Initiative” and China’s Economic Goals. |
| TIME | 2018 (169) | It was detected on a machine in 2018, unrelated to any of the attacks in the current operation. |
| FILE | payload (215) | The payload is detected as BKDR_FYNLOS.SM1 and has been used in similar attacks in the past. |
| URL | downloads.zyns.com (5) | downloads.zyns.com has resolved to 108.177.181.66. |
| OS | Windows (414) | There is an order in which executables load DLLs on the Windows operating system. |
| EML | uglygorilla@163.com (2) | The infrastructure was registered by an individual using the email address uglygorilla@163.com. |
| Seed Template | Translated Template |
|---|---|
| [X] is [Y]. | [X] is [Y]. |
| [X] is [Y] entity. | [X] is [Y] unit. |
| In this sentence, [X] is [Y]. | In this sentence is [X] [Y]. |
| In the field of cyber threat intelligence, [X] is a named entity and its category is [Y]. | In the area of cyber threat information, [X] is a designated entity and its category is [Y]. |
| In the field of cybersecurity, [X] belongs to the [Y] entity type. | In the field of cybersecurity, [X] belongs to the type of [Y] unit. |
| Library Name | Version |
|---|---|
| transformers | 4.34.0 |
| tqdm | 4.66.1 |
| sentence_transformers | 0.64.3 |
| fairseq | 0.12.2 |
| Template | Precision | Recall | F1 | Template Length |
|---|---|---|---|---|
| [X] is [Y]. | 87.92 | 88.39 | 88.16 | 4 |
| [X] is [Y] entity. | 84.44 | 84.68 | 84.56 | 5 |
| [X] is [Y] unit. | 83.96 | 84.05 | 84.01 | 5 |
| In this sentence, [X] is [Y]. | 75.13 | 82.74 | 78.75 | 8 |
| In the field of cybersecurity, [X] belongs to the [Y] entity type. | 76.21 | 82.89 | 79.41 | 14 |
| In the field of cyber threat intelligence, [X] is a named entity and its category is [Y]. | 73.54 | 84.75 | 78.75 | 19 |
| In the area of cyber threat information, [X] is a designated entity and its category is [Y]. | 77.50 | 81.82 | 79.60 | 19 |
| Model | Precision | Recall | F1 |
|---|---|---|---|
| XLNet-Bi-LSTM-CRF | 80.53 | 86.98 | 83.31 |
| XLNet-Bi-GRU-CRF | 80.51 | 88.07 | 83.90 |
| BERT-Bi-LSTM-CRF | 74.63 | 87.21 | 79.86 |
| BERT-Bi-GRU-CRF | 75.71 | 86.85 | 80.22 |
| Template-NER | 85.31 | 88.44 | 86.85 |
| PROMPT-BART (ours) | 87.92 | 88.39 | 88.16 |
| Model | Precision | Recall | F1 |
|---|---|---|---|
| without-task-prompt | 86.63 | 87.59 | 87.10 |
| without-demonstration | 86.14 | 87.89 | 87.00 |
| PROMPT-BART (ours) | 87.92 | 88.39 | 88.16 |
Disclaimer/Publisher’s Note: The statements, opinions and data contained in all publications are solely those of the individual author(s) and contributor(s) and not of MDPI and/or the editor(s). MDPI and/or the editor(s) disclaim responsibility for any injury to people or property resulting from any ideas, methods, instructions or products referred to in the content. |
© 2025 by the authors. Licensee MDPI, Basel, Switzerland. This article is an open access article distributed under the terms and conditions of the Creative Commons Attribution (CC BY) license (http://creativecommons.org/licenses/by/4.0/).