TRACE: Timely Retrieval and Alignment for Cybersecurity Knowledge Graph Construction and Expansion
Zijing Xu, Ziwei Ning, Tiancheng Hu, Jianwei Zhuge, Yangyang Wang, Jiahao Cao, Mingwei Xu

TL;DR
TRACE is a framework that enhances cybersecurity knowledge graphs by integrating structured and unstructured data sources using LLMs, significantly improving coverage, accuracy, and timeliness for threat analysis.
Contribution
The paper introduces TRACE, a novel framework that combines multiple data sources and LLMs to continuously update and improve cybersecurity knowledge graphs.
Findings
1.8x increase in node coverage over existing CKGs
Entity extraction precision of 86.08%, recall of 76.92%, F1 score of 81.24%
Effective entity alignment improves knowledge graph integrity
Abstract
The rapid evolution of cyber threats has highlighted significant gaps in security knowledge integration. Cybersecurity Knowledge Graphs (CKGs) relying on structured data inherently exhibit hysteresis, as the timely incorporation of rapidly evolving unstructured data remains limited, potentially leading to the omission of critical insights for risk analysis. To address these limitations, we introduce TRACE, a framework designed to integrate structured and unstructured cybersecurity data sources. TRACE integrates knowledge from 24 structured databases and 3 categories of unstructured data, including APT reports, papers, and repair notices. Leveraging Large Language Models (LLMs), TRACE facilitates efficient entity extraction and alignment, enabling continuous updates to the CKG. Evaluations demonstrate that TRACE achieves a 1.8x increase in node coverage compared to existing CKGs. TRACE…
Taxonomy
Topics: Advanced Graph Neural Networks · Data Quality and Management · Information and Cyber Security
