CRAI, Aug 26, 2025

Enabling Transparent Cyber Threat Intelligence Combining Large Language Models and Domain Ontologies

arXiv:2509.00081v1
AI Analysis

This work addresses the need for more accurate and explainable cyber threat intelligence for cybersecurity analysts, though it is incremental as it builds on existing LLM and ontology techniques.

The paper tackles the problem of unreliable and non-transparent information extraction from cybersecurity logs by proposing a methodology that combines Large Language Models with domain ontologies, achieving higher accuracy than traditional prompt-only approaches.

Effective Cyber Threat Intelligence (CTI) relies upon accurately structured and semantically enriched information extracted from cybersecurity system logs. However, current methodologies often struggle to identify and interpret malicious events reliably and transparently, particularly in cases involving unstructured or ambiguous log entries. In this work, we propose a novel methodology that combines ontology-driven structured outputs with Large Language Models (LLMs), to build an Artificial Intelligence (AI) agent that improves the accuracy and explainability of information extraction from cybersecurity logs. Central to our approach is the integration of domain ontologies and SHACL-based constraints to guide the language model's output structure and enforce semantic validity over the resulting graph. Extracted information is organized into an ontology-enriched graph database, enabling future semantic analysis and querying. The design of our methodology is motivated by the analytical requirements associated with honeypot log data, which typically comprises predominantly malicious activity. While our case study illustrates the relevance of this scenario, the experimental evaluation is conducted using publicly available datasets. Results demonstrate that our method achieves higher accuracy in information extraction compared to traditional prompt-only approaches, with a deliberate focus on extraction quality rather than processing speed.
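As an added illustration of the SHACL-style validation step the abstract describes (this is example code, not the paper's implementation), the sketch below checks an LLM's structured output against a constructed shape before anything is loaded into the graph database. The `LoginAttempt` class, its property names and the sample log output are assumptions; the constraint kinds (minCount, datatype, allowed values) mirror common SHACL constraints.

```python
import re

# Constructed, simplified ontology + SHACL-style shape for one honeypot event class
# (hypothetical names, not the paper's ontology): minCount, datatype, allowed values.
SHAPES = {"LoginAttempt": {
    "sourceIP":  {"minCount": 1, "datatype": "ipv4"},
    "username":  {"minCount": 1, "datatype": "string"},
    "outcome":   {"minCount": 1, "in": {"success", "failure"}},
    "timestamp": {"minCount": 1, "datatype": "iso8601"},
}}

def is_ipv4(v):
    # Check the dotted-quad shape first, then octet range, so a hallucinated 203.0.113.999 fails.
    if not isinstance(v, str) or re.fullmatch(r"(\d{1,3}\.){3}\d{1,3}", v) is None:
        return False
    return all(0 <= int(o) <= 255 for o in v.split("."))

DATATYPE_CHECKS = {
    "string": lambda v: isinstance(v, str) and v != "",
    "ipv4": is_ipv4,
    "iso8601": lambda v: isinstance(v, str) and re.fullmatch(r"\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z", v) is not None,
}

def validate_node(node):
    """Return the constraint violations for one node the LLM emitted (empty list = conforms)."""
    cls = node.get("type")
    if cls not in SHAPES:
        return [f"unknown class {cls!r}: not in ontology"]
    violations = []
    for prop, rule in SHAPES[cls].items():
        raw = node.get(prop)
        values = [] if raw is None else (raw if isinstance(raw, list) else [raw])
        if len(values) < rule.get("minCount", 0):
            violations.append(f"{cls}.{prop}: minCount {rule['minCount']} not met")
        for v in values:
            dt = rule.get("datatype")
            if dt and not DATATYPE_CHECKS[dt](v):
                violations.append(f"{cls}.{prop}: {v!r} is not a valid {dt}")
            if "in" in rule and v not in rule["in"]:
                violations.append(f"{cls}.{prop}: {v!r} not in {sorted(rule['in'])}")
    return violations

# Constructed sample of what an LLM might emit for two SSH honeypot log lines.
SAMPLE_OUTPUT = [
    {"type": "LoginAttempt", "sourceIP": "203.0.113.7", "username": "root",
     "outcome": "failure", "timestamp": "2025-01-01T00:00:00Z"},
    {"type": "LoginAttempt", "sourceIP": "203.0.113.999", "username": "admin",
     "outcome": "denied"},  # invalid IP, value outside the enum, timestamp missing
]
```

Only nodes whose violation list is empty should reach the graph store; the rejected ones carry a human-readable reason, which is what makes the extraction auditable by an analyst.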
