LSTM Recurrent Neural Networks for Cybersecurity Named Entity Recognition

TL;DR

This paper presents an LSTM-CRF based approach for cybersecurity Named Entity Recognition that outperforms existing methods without requiring domain-specific feature engineering.

Contribution

It introduces a domain-independent LSTM-CRF model for cybersecurity NER that eliminates the need for manual feature engineering and domain expertise.

Findings

Outperforms state-of-the-art methods on cybersecurity NER tasks.

Does not require domain-specific feature engineering.

Effective on a reasonably sized annotated corpus.

Abstract

The automated and timely conversion of cybersecurity information from unstructured online sources, such as blogs and articles to more formal representations has become a necessity for many applications in the domain nowadays. Named Entity Recognition (NER) is one of the early phases towards this goal. It involves the detection of the relevant domain entities, such as product, version, attack name, etc. in technical documents. Although generally considered a simple task in the information extraction field, it is quite challenging in some domains like cybersecurity because of the complex structure of its entities. The state of the art methods require time-consuming and labor intensive feature engineering that describes the properties of the entities, their context, domain knowledge, and linguistic characteristics. The model demonstrated in this paper is domain independent and does not rely on any features specific to the entities in the cybersecurity domain, hence does not require expert knowledge to perform feature engineering. The method used relies on a type of recurrent neural networks called Long Short-Term Memory (LSTM) and the Conditional Random Fields (CRFs) method. The results we obtained showed that this method outperforms the state of the art methods given an annotated corpus of a decent size.