Automatic extraction of named entities of cyber threats using a deep Bi-LSTM-CRF network

Gyeongmin Kim, Chanhee Lee, Jaechoon Jo, Heuiseok Lim

Research output: Contribution to journalArticlepeer-review

41 Citations (Scopus)


Countless cyber threat intelligence (CTI) reports are used by companies around the world on a daily basis for security reasons. To secure critical cybersecurity information, analysts and individuals should accordingly analyze information on threats and vulnerabilities. However, analyzing such overwhelming volumes of reports requires considerable time and effort. In this study, we propose a novel approach that automatically extracts core information from CTI reports using a named entity recognition (NER) system. During the process of constructing our proposed NER system, we defined meaningful keywords in the security domain as entities, including malware, domain/URL, IP address, Hash, and Common Vulnerabilities and Exposures. Furthermore, we linked these keywords with the words extracted from the text data of the report. To achieve a higher performance, we utilized the character-level feature vector as an input to bidirectional long-short-term memory using a conditional random field network. We finally achieved an average F1-score of 75.05%. We release 498,000 tag datasets created during our research.

Original languageEnglish
Pages (from-to)2341-2355
Number of pages15
JournalInternational Journal of Machine Learning and Cybernetics
Issue number10
Publication statusPublished - 2020

Bibliographical note

Publisher Copyright:
© 2020, Springer-Verlag GmbH Germany, part of Springer Nature.


  • Bidirectional long-short-term memory conditional random field
  • Cyber threat intelligence
  • Cybersecurity
  • Named entity recognition
  • Vulnerability

ASJC Scopus subject areas

  • Software
  • Computer Vision and Pattern Recognition
  • Artificial Intelligence


Dive into the research topics of 'Automatic extraction of named entities of cyber threats using a deep Bi-LSTM-CRF network'. Together they form a unique fingerprint.

Cite this