Abstract
Cyber-attack attribution is an important process that allows experts to put in place attacker-oriented countermeasures and legal actions. Analysts mainly perform attribution manually, given the complex nature of this task. AI and, more specifically, Natural Language Processing (NLP) techniques can be leveraged to support cybersecurity analysts during the attribution process. However powerful these techniques may be, they must address the lack of datasets in the attack attribution domain. In this work, we fill this gap and provide, to the best of our knowledge, the first dataset on cyber-attack attribution. We designed our dataset with the primary goal of extracting attack attribution information from cybersecurity texts, utilizing named entity recognition (NER) methodologies from the field of NLP. Unlike other cybersecurity NER datasets, ours offers a rich set of annotations with contextual details, including some that span phrases and sentences. We conducted extensive experiments and applied NLP techniques to demonstrate the dataset’s effectiveness for attack attribution. These experiments highlight the potential of Large Language Model (LLM) capabilities to improve NER tasks on cybersecurity datasets for cyber-attack attribution.
Notes
All LLM models use the same prompt, with only syntactical differences for GPT-3.5.
Acknowledgement
Research funded by the University of Southampton on behalf of the Defence Science and Technology Laboratory (Dstl), which is an executive agency of the UK Ministry of Defence providing world-class expertise and delivering cutting-edge science and technology for the benefit of the nation and allies. The research supports the Autonomous Resilient Cyber Defence (ARCD) project within the Dstl Cyber Defence Enhancement programme.
Appendices
A Appendix A
Other sources from where we collected our data include BleepingComputer, HexaCorn, SentinelOne, CrowdStrike, Reuters, Att, Kaspersky, Webroot, Welivesecurity, Virusbulletin, Tadviser, Forumspb, Netresec, Brighttalk, Libevent, Fortinet, Microsoft, Washingtonpost, Reversemode, Viasat, Wikipedia, Wired, Cisa, Airforcemag, Businesswire, Cyberuk, Proofpoint, Fb, Withsecure, Techcrunch, Mozilla, Humansecurity, Nist, Intel471, Morphisec, Payplug, Sophos, Coretech, Stratixsystems, Crayondata, Medium, Cybergeeks, Gridinsoft, Securin, Rsisecurity, ITgovernance, DigitalGuardian, IronNet, ThreatConnect, ProtectUK, Forbes.
B Appendix B
Table 6 presents the prompt template for Llama-2 zero-shot learning.
Copyright information
© 2025 The Author(s), under exclusive license to Springer Nature Singapore Pte Ltd.
About this paper
Cite this paper
Deka, P., Rajapaksha, S., Rani, R., Almutairi, A., Karafili, E. (2025). AttackER: Towards Enhancing Cyber-Attack Attribution with a Named Entity Recognition Dataset. In: Barhamgi, M., Wang, H., Wang, X. (eds) Web Information Systems Engineering – WISE 2024. WISE 2024. Lecture Notes in Computer Science, vol 15440. Springer, Singapore. https://doi.org/10.1007/978-981-96-0576-7_20
DOI: https://doi.org/10.1007/978-981-96-0576-7_20
Publisher Name: Springer, Singapore
Print ISBN: 978-981-96-0575-0
Online ISBN: 978-981-96-0576-7
eBook Packages: Computer Science, Computer Science (R0)