基於大型語言模型之網路威脅情報攻擊生命週期建構

Abstract

攻擊行動（attack campaigns）通常分散記錄於多份網路威脅情報（Cyber Threat Intelligence, CTI）報告中，而每份報告僅提供對敵對行為的部分且片段化描述。此外，CTI 敘事往往使用異質且高度依賴語境的語言，其表述方式與 MITRE ATT&CK 架構中對戰術（techniques）的標準化描述存在顯著差異，難以直接對應兩者的語意。上述的資訊片段化與語意不一致問題，對於自動化建構完整連貫的攻擊生命週期（attack life cycle）造成了重大阻礙。 本研究提出一套自動化分析框架，利用大型語言模型（Large Language Models, LLMs），透過以攻擊事件（incident）為核心的推理、結構化事件提取（event extraction）、戰術對應以及多來源整合，從分散的 CTI 證據中建構完整的攻擊生命週期。不同於直接將句子映射至技術標籤的作法，本研究透過引入基於 LLM 的批註過濾機制，將惡意行為識別與戰術對應加以解耦。該過濾機制運用語境推理能力，識別中心攻擊事件範圍內之具體攻擊行為。提取出的事件會被轉換為結構化表示，並經由結合封閉（closed -world）與開放（open-world）的標註流程，對應至 MITRE ATT&CK 戰術，隨後再透過以證據為基礎的驗證步驟進行確認。 在取得經 TTP 標註的事件後，系統進一步推論事件之間的時間順序與因果關係，以建構具多階段特性的攻擊生命週期。為克服跨情資來源所造成的描述片段化問題，本研究亦提出一個LLM輔助的合成模組，能夠整合多份 CTI 報告各自建構之攻擊生命週期。透過個案研究顯示，所建構之攻擊行動在事件涵蓋範圍與因果關係上，與既有的生命週期模型具有一致性，驗證了從異質 CTI 敘事中自動化建構攻擊行動的可行性。本研究所提出的框架推進了自動化 CTI 分析的發展，使其由單純的戰術識別邁向對攻擊行動流程的整體性建構。

Attack campaigns are typically documented across multiple Cyber Threat Intelligence (CTI) reports, each providing only partial and fragmented descriptions of adversarial activities. Furthermore, CTI narratives often employ heterogeneous, context-dependent language that differs substantially from the canonical representations of techniques in the MITRE ATT&CK framework, making direct semantic alignment unreliable. This fragmentation and semantic mismatch hinder automated construction of coherent attack campaign life cycles. This work proposes an automated framework leveraging Large Language Models (LLMs) to construct comprehensive attack campaign life cycles by constructing campaign progression from fragmented CTI evidence through incident-scoped reasoning, structured event extraction, technique alignment, and multi-source synthesis. Rather than directly mapping sentences to techniques, we decouple malicious activity identification from technique-level alignment by introducing an LLM-based annotation filter that identifies concrete adversarial actions attributable to the focal incident using contextual reasoning. Extracted events are transformed into structured representations and subsequently aligned with MITRE ATT&CK techniques through combined closed-world and open-world labeling stages, followed by evidence-grounded validation. Using TTP-labeled events, our system infers temporal ordering and causal dependencies to construct multi-phase campaign life cycles. To overcome fragmentation across intelligence sources, we further introduce an LLM-assisted synthesis module that integrates life cycles derived from multiple reports into a unified campaign representation. A case study demonstrates that constructed campaigns exhibit event coverage and causal relationships consistent with established life cycle models, illustrating the feasibility of automated campaign construction from heterogeneous CTI narratives. The proposed framework advances automated CTI analysis by moving beyond technique identification toward coherent construction of operational attack workflows.