Instantiating Standards: Enabling Standard-Driven Text TTP Extraction with Evolvable Memory

TL;DR

This paper presents a novel framework that leverages Large Language Models to convert standard definitions into structured, evolvable knowledge for more reliable and explainable extraction of threat tactics, techniques, and procedures from natural language reports.

Contribution

It introduces a new method that transforms standard definitions into dual-layer situational knowledge, improving TTP extraction accuracy, transparency, and standardization using LLMs.

Findings

Boosts Technique F1 scores by 11% over GPT-4o

Enhances transparency and explainability in threat intelligence

First to use LLMs for generating and applying TTP standard knowledge

Abstract

Extracting MITRE ATT\&CK Tactics, Techniques, and Procedures (TTPs) from natural language threat reports is crucial yet challenging. Existing methods primarily focus on performance metrics using data-driven approaches, often neglecting mechanisms to ensure faithful adherence to the official standard. This deficiency compromises reliability and consistency of TTP assignments, creating intelligence silos and contradictory threat assessments across organizations. To address this, we introduce a novel framework that converts abstract standard definitions into actionable, contextualized knowledge. Our method utilizes Large Language Model (LLM) to generate, update, and apply this knowledge. This framework populates an evolvable memory with dual-layer situational knowledge instances derived from labeled examples and official definitions. The first layer identifies situational contexts (e.g., "Communication with C2 using encoded subdomains"), while the second layer captures distinctive features that differentiate similar techniques (e.g., distinguishing T1132 "Data Encoding" from T1071 "Application Layer Protocol" based on whether the focus is on encoding methods or protocol usage). This structured approach provides a transparent basis for explainable TTP assignments and enhanced human oversight, while also helping to standardize other TTP extraction systems. Experiments show our framework (using Qwen2.5-32B) boosts Technique F1 scores by 11\% over GPT-4o. Qualitative analysis confirms superior standardization, enhanced transparency, and improved explainability in real-world threat intelligence scenarios. To the best of our knowledge, this is the first work that uses the LLM to generate, update, and apply the a new knowledge for TTP extraction.