TL;DR
This paper presents CTiKG, a context-aware framework that improves the extraction of entity-relation triples from cybersecurity reports, enhancing the accuracy and robustness of threat intelligence knowledge graphs.
Contribution
The introduction of CTiKG, a hybrid NLP pipeline utilizing SecureBERT+ and domain ontology, to improve entity and relation extraction from unstructured CTI reports.
Findings
Achieved 3-4% improvements in NER performance.
Achieved up to 8% improvements in relation extraction.
Validated robustness on multiple benchmark datasets.
Abstract
Cybersecurity Knowledge Graphs (CKGs) unify diverse Cyber Threat Intelligence (CTI) sources into structured, queryable formats, offering scalable solutions for automating proactive and real-time security responses. Their increasing adoption has significantly enhanced the workflow and decision-making efficiency of security professionals. However, constructing CKGs requires extracting entity-relation triples from unstructured CTI reports, a task hindered by complex report structure, domain-specific language, and semantic ambiguity. As a result, existing pipeline-based approaches often suffer from error propagation, reducing extraction accuracy and limiting generalizability. This paper introduces the Context-aware Threat Intelligence Knowledge Graph (CTiKG) framework, a pipeline architecture designed to accurately extract and classify threat entities and their relationships from CTI…
