SynthCTI: LLM-Driven Synthetic CTI Generation to enhance MITRE Technique Mapping

TL;DR

SynthCTI introduces a data augmentation framework that generates high-quality synthetic threat intelligence sentences to address data scarcity and class imbalance in mapping CTI to MITRE ATT&CK techniques, improving classification performance.

Contribution

The paper presents SynthCTI, a novel clustering-based data augmentation method using LLMs to generate diverse, semantically faithful synthetic CTI data for underrepresented techniques.

Findings

Synthetic data improves macro-F1 scores significantly.

Smaller models with augmentation outperform larger models without it.

SynthCTI enhances CTI classification accuracy across datasets.

Abstract

Cyber Threat Intelligence (CTI) mining involves extracting structured insights from unstructured threat data, enabling organizations to understand and respond to evolving adversarial behavior. A key task in CTI mining is mapping threat descriptions to MITRE ATT\&CK techniques. However, this process is often performed manually, requiring expert knowledge and substantial effort. Automated approaches face two major challenges: the scarcity of high-quality labeled CTI data and class imbalance, where many techniques have very few examples. While domain-specific Large Language Models (LLMs) such as SecureBERT have shown improved performance, most recent work focuses on model architecture rather than addressing the data limitations. In this work, we present SynthCTI, a data augmentation framework designed to generate high-quality synthetic CTI sentences for underrepresented MITRE ATT\&CK techniques. Our method uses a clustering-based strategy to extract semantic context from training data and guide an LLM in producing synthetic CTI sentences that are lexically diverse and semantically faithful. We evaluate SynthCTI on two publicly available CTI datasets, CTI-to-MITRE and TRAM, using LLMs with different capacity. Incorporating synthetic data leads to consistent macro-F1 improvements: for example, ALBERT improves from 0.35 to 0.52 (a relative gain of 48.6\%), and SecureBERT reaches 0.6558 (up from 0.4412). Notably, smaller models augmented with SynthCTI outperform larger models trained without augmentation, demonstrating the value of data generation methods for building efficient and effective CTI classification systems.