Semantic Ranking for Automated Adversarial Technique Annotation in Security Text

We introduce a new method for extracting structured threat behaviors from threat intelligence text. Our method is based on a multi-stage ranking architecture that allows jointly optimizing for efficiency and effectiveness. Therefore, we believe this problem formulation better aligns with the real-world nature of the task considering the large number of adversary techniques and the extensive body of threat intelligence created by security analysts. Our findings show that the proposed system yields state-of-the-art performance results for this task. Results show that our method has a top-3 recall performance of 81% in identifying the relevant technique among 193 top-level techniques. Our tests also demonstrate that our system performs significantly better (+40%) than the widely used large language models when tested under a zero-shot setting.