Please use this Handle URI to cite this item: http://tdr.lib.ntu.edu.tw/jspui/handle/123456789/101808
Full metadata record
DC field: value [language]
dc.contributor.advisor: 孫雅麗 [zh_TW]
dc.contributor.advisor: Yeali Sun [en]
dc.contributor.author: 吳和謙 [zh_TW]
dc.contributor.author: He-Chien Wu [en]
dc.date.accessioned: 2026-03-04T16:43:52Z
dc.date.available: 2026-03-05
dc.date.copyright: 2026-03-04
dc.date.issued: 2026
dc.date.submitted: 2026-02-09
dc.identifier.uri: http://tdr.lib.ntu.edu.tw/jspui/handle/123456789/101808
dc.description.abstract [zh_TW]:
Attack campaigns are typically documented across multiple Cyber Threat Intelligence (CTI) reports, each of which provides only a partial and fragmented description of adversarial behaviour. Moreover, CTI narratives often use heterogeneous and highly context-dependent language whose phrasing differs substantially from the standardized descriptions of techniques in the MITRE ATT&CK framework, which makes direct semantic alignment between the two difficult. This information fragmentation and semantic inconsistency pose major obstacles to the automated construction of complete and coherent attack life cycles.

This study proposes an automated analysis framework that uses Large Language Models (LLMs) to construct complete attack life cycles from scattered CTI evidence through incident-centred reasoning, structured event extraction, technique alignment, and multi-source integration. Rather than mapping sentences directly to technique labels, this study decouples malicious-behaviour identification from technique alignment by introducing an LLM-based annotation filter. The filter uses contextual reasoning to identify concrete attack behaviours within the scope of the central attack incident. Extracted events are converted into structured representations and mapped to MITRE ATT&CK techniques through a labeling pipeline that combines closed-world and open-world stages, and are then confirmed by an evidence-based validation step.

After obtaining TTP-labeled events, the system further infers the temporal order and causal relationships among events to construct a multi-phase attack life cycle. To overcome the fragmentation of descriptions across intelligence sources, this study also proposes an LLM-assisted synthesis module that integrates the attack life cycles constructed from individual CTI reports. A case study shows that the constructed attack campaign is consistent with existing life cycle models in both event coverage and causal relationships, demonstrating the feasibility of automatically constructing attack campaigns from heterogeneous CTI narratives. The proposed framework advances automated CTI analysis from simple technique identification toward holistic construction of attack campaign workflows.
dc.description.abstract [en]:
Attack campaigns are typically documented across multiple Cyber Threat Intelligence (CTI) reports, each providing only partial and fragmented descriptions of adversarial activities. Furthermore, CTI narratives often employ heterogeneous, context-dependent language that differs substantially from the canonical representations of techniques in the MITRE ATT&CK framework, making direct semantic alignment unreliable. This fragmentation and semantic mismatch hinder automated construction of coherent attack campaign life cycles.

This work proposes an automated framework leveraging Large Language Models (LLMs) to construct comprehensive attack campaign life cycles by reconstructing campaign progression from fragmented CTI evidence through incident-scoped reasoning, structured event extraction, technique alignment, and multi-source synthesis. Rather than directly mapping sentences to techniques, we decouple malicious activity identification from technique-level alignment by introducing an LLM-based annotation filter that identifies concrete adversarial actions attributable to the focal incident using contextual reasoning. Extracted events are transformed into structured representations and subsequently aligned with MITRE ATT&CK techniques through combined closed-world and open-world labeling stages, followed by evidence-grounded validation.

Using TTP-labeled events, our system infers temporal ordering and causal dependencies to construct multi-phase campaign life cycles. To overcome fragmentation across intelligence sources, we further introduce an LLM-assisted synthesis module that integrates life cycles derived from multiple reports into a unified campaign representation. A case study demonstrates that constructed campaigns exhibit event coverage and causal relationships consistent with established life cycle models, illustrating the feasibility of automated campaign construction from heterogeneous CTI narratives. The proposed framework advances automated CTI analysis by moving beyond technique identification toward coherent construction of operational attack workflows.
dc.description.provenance: Submitted by admin ntu (admin@lib.ntu.edu.tw) on 2026-03-04T16:43:52Z. No. of bitstreams: 0 [en]
dc.description.provenance: Made available in DSpace on 2026-03-04T16:43:52Z (GMT). No. of bitstreams: 0 [en]
dc.description.tableofcontents:
Acknowledgements I
Abstract (Chinese) II
ABSTRACT III
TABLE OF CONTENTS V
LIST OF FIGURES VI
LIST OF TABLES VIII
CHAPTER 1. INTRODUCTION 1
CHAPTER 2. BACKGROUND AND RELATED WORK 6
  2.1 CYBER THREAT INTELLIGENCE (CTI) 6
  2.2 MITRE ATT&CK® FRAMEWORK 7
  2.3 EVENT EXTRACTION 8
  2.4 LARGE LANGUAGE MODELS (LLMS) FOR CTI ANALYSIS 8
CHAPTER 3. ATTACK LIFE CYCLE CONSTRUCTION 10
  3.1 CTI PREPROCESSING 11
  3.2 INCIDENT-SCOPED MALICIOUS ACTIVITY IDENTIFICATION 12
  3.3 TTP LABELING 14
  3.4 ATTACK LIFE CYCLE CONSTRUCTION 17
  3.5 DEMO CASE: DECEPTIVE DEVELOPMENT 21
CHAPTER 4. ATTACK LIFE CYCLE SYNTHESIS 58
  4.1 MOTIVATION AND GOAL 58
  4.2 ATTACK LIFE CYCLE SYNTHESIS 59
  4.3 DEMO CASE: DECEPTIVE DEVELOPMENT CAMPAIGN 60
CHAPTER 5. EVALUATION 70
  5.1 CROSS-REPORT STRUCTURAL EVALUATION OF THE CONSTRUCTION PIPELINE 70
  5.2 COMPARISON WITH EXPERT-DRAWN CAMPAIGN DIAGRAM 73
CHAPTER 6. CONCLUSION 79
REFERENCE 80
dc.language.iso: en
dc.subject: Multi-report threat intelligence fusion [zh_TW]
dc.subject: Cyber attack life cycle reconstruction [zh_TW]
dc.subject: Malicious activity identification and extraction in cyber threat intelligence [zh_TW]
dc.subject: Cyber attack TTP labeling [zh_TW]
dc.subject: AI-assisted cybersecurity [zh_TW]
dc.subject: CTI Report Synthesis [en]
dc.subject: Attack Campaign Life Cycle Construction [en]
dc.subject: Malicious Event Identification in CTI [en]
dc.subject: Attack Campaign TTP Labeling [en]
dc.subject: AI-Assisted Cybersecurity [en]
dc.title: LLM-Based Construction of Attack Life Cycles from Cyber Threat Intelligence [zh_TW]
dc.title: LLM-Based Construction of Attack Life Cycles from CTI Reports [en]
dc.type: Thesis
dc.date.schoolyear: 114-1
dc.description.degree: Master's
dc.contributor.oralexamcommittee: 陳孟彰; 蕭舜文; 陳俊良; 黃意婷 [zh_TW]
dc.contributor.oralexamcommittee: Meng Chang Chen; Shun-Wen Hsiao; Jiann-Liang Chen; Yi-Ting Huang [en]
dc.subject.keyword: 多威脅情報報告融合, 資安攻擊生命週期重建, 網路威脅情報惡意活動辨識與擷取, 資安攻擊TTP標記, 人工智慧輔助資安 [zh_TW]
dc.subject.keyword: CTI Report Synthesis, Attack Campaign Life Cycle Construction, Malicious Event Identification in CTI, Attack Campaign TTP Labeling, AI-Assisted Cybersecurity [en]
dc.relation.page: 81
dc.identifier.doi: 10.6342/NTU202600249
dc.rights.note: Authorized for release (open access worldwide)
dc.date.accepted: 2026-02-10
dc.contributor.author-college: College of Management
dc.contributor.author-dept: Department of Information Management
dc.date.embargo-lift: 2026-03-05
Appears in collections: Department of Information Management

Files in this item:
File: ntu-114-1.pdf, size 4.86 MB, format Adobe PDF