# Enabling Transparent Cyber Threat Intelligence Combining Large Language Models and Domain Ontologies

**Authors:** Luca Cotti, Anisa Rula, Devis Bianchini, Federico Cerutti

arXiv: 2509.00081 · 2026-04-28

## TL;DR

This paper combines a Large Language Model with a domain ontology and SHACL constraints so that threat information extracted from security logs is both more accurate and checkable: the ontology fixes the output structure, and the constraints reject extractions that are not semantically valid before they enter the graph. The design is motivated by honeypot logs, which consist mostly of malicious activity.

## Contribution

The approach uses a domain ontology to constrain the LLM's output structure and SHACL shapes to enforce semantic validity over the resulting graph, so the extracted information is structured, machine-checkable and ready for storage in an ontology-enriched graph database rather than taken on trust from the model.

## Key findings

- Higher accuracy in information extraction compared to prompt-only methods, evaluated on extraction quality rather than processing speed
- Effective organization of extracted data into ontology-enriched graphs
- Demonstrated applicability on honeypot log data and public datasets

## Abstract

Effective Cyber Threat Intelligence (CTI) relies upon accurately structured and semantically enriched information extracted from cybersecurity system logs. However, current methodologies often struggle to identify and interpret malicious events reliably and transparently, particularly in cases involving unstructured or ambiguous log entries. In this work, we propose a novel methodology that combines ontology-driven structured outputs with Large Language Models (LLMs), to build an Artificial Intelligence (AI) agent that improves the accuracy and explainability of information extraction from cybersecurity logs. Central to our approach is the integration of domain ontologies and SHACL-based constraints to guide the language model's output structure and enforce semantic validity over the resulting graph. Extracted information is organized into an ontology-enriched graph database, enabling future semantic analysis and querying. The design of our methodology is motivated by the analytical requirements associated with honeypot log data, which typically comprises predominantly malicious activity. While our case study illustrates the relevance of this scenario, the experimental evaluation is conducted using publicly available datasets. Results demonstrate that our method achieves higher accuracy in information extraction compared to traditional prompt-only approaches, with a deliberate focus on extraction quality rather than processing speed.
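The security-relevant step in the abstract is that LLM output is treated as untrusted until it passes ontology and constraint checks. The following Python is an added illustration of that pipeline and is not code from the paper: a stand-in for the LLM call extracts login attempts from constructed honeypot-style SSH log lines, the output is checked against a SHACL-like subset of constraints (target class, minCount, maxCount, pattern, in) keyed to a hypothetical `ex:` ontology, and only conforming entities become triples while the rest are quarantined with their violations. The log format, the vocabulary and the shapes are assumptions made for the example; the paper's pipeline uses real SHACL, which in practice means writing the shapes in Turtle and validating with an engine such as pySHACL rather than the hand-written checker here.

```python
"""Ontology-constrained ingestion of LLM-extracted log events (added example).

Assumptions: the ex: vocabulary, the log line format and the shapes below are
invented for illustration. validate() implements only a SHACL-like subset
(sh:targetClass, sh:minCount, sh:maxCount, sh:pattern, sh:in), not SHACL itself.
"""
import re
from typing import Dict, List, Tuple

EX = "https://example.org/cti#"  # hypothetical ontology namespace
RDF_TYPE = "http://www.w3.org/1999/02/22-rdf-syntax-ns#type"

# Constructed honeypot-style SSH log lines (format made up for this example).
LOG_LINES = [
    "2025-09-01T10:00:01Z sshd[1201]: Failed password for root from 203.0.113.5 port 51022 ssh2",
    "2025-09-01T10:00:07Z sshd[1201]: Accepted password for admin from 198.51.100.23 port 40110 ssh2",
    "2025-09-01T10:00:09Z sshd[1201]: Failed password for invalid user test from 203.0.113.5 port 51030 ssh2",
]

# Closed class vocabulary. SHACL alone lets a node of an untargeted class
# conform, so rejecting classes the ontology does not define is a separate check.
ONTOLOGY_CLASSES = {EX + "LoginAttempt", EX + "Event"}

IPV4 = r"^(?:\d{1,3}\.){3}\d{1,3}$"
ISO_TS = r"^\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z$"

# Shapes keyed by target class; each entry mirrors one sh:property block.
SHAPES = {
    EX + "LoginAttempt": {
        EX + "timestamp": {"minCount": 1, "maxCount": 1, "pattern": ISO_TS},
        EX + "username": {"minCount": 1, "maxCount": 1},
        EX + "sourceIP": {"minCount": 1, "maxCount": 1, "pattern": IPV4},
        EX + "outcome": {"minCount": 1, "maxCount": 1, "in": {"success", "failure"}},
    },
}

Entity = Dict[str, List[str]]  # predicate IRI -> values; "@type" holds classes


def mock_llm_extract(line: str) -> Entity:
    """Stand-in for the constrained LLM call: a regex extractor that emits the
    same structured output the model would be asked to produce."""
    m = re.match(r"(\S+) sshd\[\d+\]: (Failed|Accepted) password for "
                 r"(?:invalid user )?(\S+) from (\S+) port \d+", line)
    if not m:
        return {"@type": [EX + "Event"]}
    ts, verdict, user, ip = m.groups()
    return {
        "@type": [EX + "LoginAttempt"],
        EX + "timestamp": [ts],
        EX + "username": [user],
        EX + "sourceIP": [ip],
        EX + "outcome": ["failure" if verdict == "Failed" else "success"],
    }


def validate(entity: Entity) -> List[str]:
    """Return violation messages; an empty list means the entity conforms."""
    violations = []
    for cls in entity.get("@type", []):
        if cls not in ONTOLOGY_CLASSES:
            violations.append(f"class {cls} is not in the ontology")
            continue
        for path, c in SHAPES.get(cls, {}).items():
            values = entity.get(path, [])
            if len(values) < c.get("minCount", 0):
                violations.append(f"{path}: minCount {c['minCount']} not met")
            if "maxCount" in c and len(values) > c["maxCount"]:
                violations.append(f"{path}: maxCount {c['maxCount']} exceeded")
            for v in values:
                if "pattern" in c and not re.match(c["pattern"], v):
                    violations.append(f"{path}: {v!r} does not match pattern")
                if "in" in c and v not in c["in"]:
                    violations.append(f"{path}: {v!r} not in allowed values")
    return violations


def ingest(entities: List[Entity]) -> Tuple[list, list]:
    """Turn conforming entities into (s, p, o) triples for the graph store and
    quarantine the rest with their violations instead of storing or dropping them."""
    triples, rejected = [], []
    for i, ent in enumerate(entities):
        problems = validate(ent)
        if problems:
            rejected.append((i, problems))
            continue
        subject = f"{EX}event/{i}"
        for pred, values in ent.items():
            for v in values:
                triples.append((subject, RDF_TYPE if pred == "@type" else pred, v))
    return triples, rejected


# Two constructed "bad" model outputs: a hallucinated class, and a LoginAttempt
# with an out-of-vocabulary outcome and a missing required sourceIP.
BAD_OUTPUTS: List[Entity] = [
    {"@type": [EX + "PrivilegeEscalation"], EX + "username": ["root"]},
    {"@type": [EX + "LoginAttempt"], EX + "timestamp": ["2025-09-01T10:00:11Z"],
     EX + "username": ["root"], EX + "outcome": ["blocked"]},
]


def run_pipeline() -> Tuple[list, list]:
    extracted = [mock_llm_extract(line) for line in LOG_LINES] + BAD_OUTPUTS
    return ingest(extracted)


if __name__ == "__main__":
    accepted, quarantined = run_pipeline()
    print(f"{len(accepted)} triples accepted, {len(quarantined)} entities rejected")
    for idx, problems in quarantined:
        print(f"  entity {idx}: " + "; ".join(problems))
```

Running it accepts the three log-derived entities (15 triples) and rejects the two constructed bad outputs with their reasons. The closed-vocabulary check matters in practice: a SHACL engine reports conformance for a node whose class has no targeting shape, so a hallucinated class would pass shape validation unless the ontology's class list is enforced as well.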

## Full text

_Full body text omitted from this summary view._ Fetch the complete paper as Markdown: https://tomesphere.com/paper/2509.00081/full.md

## Figures

6 figures with captions in the complete paper: https://tomesphere.com/paper/2509.00081/full.md

## References

34 references — full list in the complete paper: https://tomesphere.com/paper/2509.00081/full.md

---
Source: https://tomesphere.com/paper/2509.00081