| Field | Value | Language |
| --- | --- | --- |
| dc.contributor.author | RESUL, Ebru | |
| dc.contributor.author | TURCANU, Dinu | |
| dc.contributor.author | RUGHINIS, Rǎzvan | |
| dc.date.accessioned | 2026-02-18T16:39:37Z | |
| dc.date.available | 2026-02-18T16:39:37Z | |
| dc.date.issued | 2025 | |
| dc.identifier.citation | RESUL, Ebru; Dinu TURCANU and Rǎzvan RUGHINIS. A comparative analysis of LLMs in mapping malware behaviors to MITRE ATT&CK techniques from textual threat intelligence reports. In: 24th RoEduNet International Conference Networking in Education and Research, Chisinau, Republic of Moldova, 17-19 September, 2025. Universitatea Politehnică din Bucureşti. IEEE, 2025, pp. 1-6. ISBN 979-8-3315-5714-0, eISBN 979-8-331-55713-3, ISSN 2068-1038, eISSN 2247-5443. | en_US |
| dc.identifier.isbn | 979-8-3315-5714-0 | |
| dc.identifier.isbn | 979-8-331-55713-3 | |
| dc.identifier.issn | 2068-1038 | |
| dc.identifier.issn | 2247-5443 | |
| dc.identifier.uri | https://doi.org/10.1109/RoEduNet68395.2025.11208322 | |
| dc.identifier.uri | https://repository.utm.md/handle/5014/35310 | |
| dc.description | Access full text: https://doi.org/10.1109/RoEduNet68395.2025.11208322 | en_US |
| dc.description.abstract | Cyber Threat Intelligence (CTI) reports are valuable sources of information for understanding adversarial behaviors and malware functionality. However, their lack of consistency and structure often makes it challenging for security analysts to interpret, correlate and apply them effectively. Structuring the data in a common format, such as the MITRE ATT&CK v17.1 framework, is crucial for integrating CTI into detection and response processes. This article assesses the extent to which Large Language Models (LLMs) - GPT (OpenAI), Claude (Anthropic) and Gemini (Google) - can extract malware descriptions from natural-language CTI reports and map them to specific MITRE ATT&CK techniques. To achieve this, a set of publicly available CTI reports that already carried verified MITRE ATT&CK technique labels was used; these labels served as ground truth for evaluating the outputs of each model. The performance of the LLMs was measured using standard evaluation metrics: Precision, Recall, and F1-score. While differences and mistakes were found in the models' execution, such as technique confusion and context loss, the results indicate strong potential for the use of LLMs in structured threat intelligence mapping. Their ability to reduce manual effort and improve consistency could address a major gap in today's cyber threat analysis workflow. | en_US |
| dc.language.iso | en | en_US |
| dc.publisher | IEEE (Institute of Electrical and Electronics Engineers) | en_US |
| dc.rights | Attribution-NonCommercial-NoDerivs 3.0 United States | * |
| dc.rights.uri | http://creativecommons.org/licenses/by-nc-nd/3.0/us/ | * |
| dc.subject | component | en_US |
| dc.subject | formatting | en_US |
| dc.subject | style | en_US |
| dc.subject | insert | en_US |
| dc.title | A comparative analysis of LLMs in mapping malware behaviors to MITRE ATT&CK techniques from textual threat intelligence reports | en_US |
| dc.type | Article | en_US |