In today’s interconnected digital landscape, cyber security remains a critical concern, due to the proliferation of sophisticated cyber threats and vulnerabilities across global networks. The timely identification and mitigation of these threats rely heavily on Cyber Threat Intelligence (CTI), which encompasses the structured and unstructured information essential for preemptive defense strategies. While structured databases like NVD [ 1 ] or ExploitDB [ 2 ] provide valuable and well-defined security information, a significant amount of critical intelligence emerges initially in unstructured formats, often in natural language, such as blogs, mailing lists, and news sites [ 3 ]. These sources contain valuable and constantly updated information about cyber threats, vulnerabilities, risks, mitigation strategies, but their nature, due to the intrinsic complexity of natural language, often delays the classification and integration of new information into structured databases. The challenge of extracting actionable intelligence from unstructured sources is exacerbated in the cyber security, where domain-specific entities require specialized Named Entity Recognition (NER) tools, often integrated with ontologies and Knowledge Bases [ 4, 5 ], because general-purpose NER tools trained on broad corpora often fail to capture the specialized terminology and entity types in cyber security reports [ 6 ]. As a result, there is a need for domain-specific datasets that facilitate the training and evaluation of NLP models capable of extracting cyber threat indicators with high accuracy and relevance [ 7, 8 ]. In recent years, eforts such as the development of the APTNER dataset [ 8 ] have aimed to address this need, providing a substantial corpus for training and evaluating NER models in the CTI domain. However, existing datasets often lack the scale and diversity necessary to comprehensively cover the breadth of cyber threat scenarios encountered in practice. The advent of Large Language Models (LLMs) has introduced ∗Corresponding author.

CEUR

ceur-ws.org new perspectives in the NLP domain, significantly improving, among the others, the understanding and extracting domain-specific entities from complex unstructured texts. These models ofer the potential to bridge the gap between structured and unstructured CTI sources, enabling more timely and accurate threat detection and response and allowing the development of efective NLP-based cyber security tools and methods [ 9, 10, 11 ]. On the other hand, LLMs needs to be fine-tuned on the specific task and domain, but, as mentioned above, in cyber security doimain there is a lack of efective annotated NER resources. Therefore, this paper proposes to merge two prominent cyber security NER datasets: CyNER [ 7 ] and APTNER [ 8 ]. CyNER aggregates a wide array of openCTI from diverse sources, and complements APTNER’s focus on structured NER tasks. By merging these datasets, we aim to establish a more comprehensive resource that enriches the availability of NER datasets for the research community, and also supports enhanced threat detection, incident response, and vulnerability mitigation strategies.

APTNER [ 8 ] and CyNER [ 7 ], two datasets for NER in the cyber security domain, were combined to create a new merged dataset. Each source has diferent definitions and classifications for entities and it is required a mapping scheme for these diferent labels. To balance eficiency and simplicity, while improving coverage, the decision was made to utilize the CyNER scheme and extend it with one entity type from APTNER (i.e., Secteam). The APTNER annotation scheme comprises a larger label set that could be remapped into the final annotation scheme, and standardizing entity types and annotations makes it easier to create strong NER models for improved cyber security analysis and response. Moreover, the labels used in APTNER include several subtypes of CyNER labels, so a natural mapping approach and association were made using the mapping scheme shown in Table 1, aggregating some subtypes into a single type. The combined cyber security NER dataset’s annotation scheme resulted in seven labels, with the following meanings: 1. Indicator represents information useful to identify the resource compromised or the technology afected by the attack. 2. Malware represents all possible threat elements extracted from the corpora, such as action, actors, software, techniques, and so on. 3. Secteam represents the group announcing the vulnerability identified. 4. System represents operating system, software, and hardware. 5. Vulnerability represents both CVE ID and mention of exploits. 6. Organization represents companies, organizations, institutions, brands, and others. 7. Other includes the additional and generic entity types that are not annotated in one of the considered dataset and cannot be mapped in a specific category of the other one.

As result, we obtained a merged dataset, further split in a training set and a test set (approximately 70% and 30%), whose statistics and distributions of the various entity types are summarized in Table 2.

The assessment of the proposed augmented dataset presented in this study is performed by using it in the NER fine-tuning of LLMs, comparing the obtained results with the performances obtained using the original two datasets. We fine-tuned two NER models tailored to the cyber security domain, namely SecBert1 and SecureBERT [ 12 ], both available on the Hugging Face LLM repository. These models, respectively built upon BERT [ 13 ] and RoBERTa [ 14 ] architectures, have been pre-trained on large corpora in the cyber security domain, demonstrating that they are both able to provide improved results when fine-tuned for NLP tasks in the same domain. In addition to these models, we also trained two baseline models, BERT-base-cased and RoBERTa-base, using them as benchmarks for a comparison against the specialized models. The evaluation is based on standard NER metrics (P, R, and F1) calculated at the token level. The obtained results, summarized in Table 3, provided insights into each model’s efectiveness and generalization capability on the cyber security NER task. When comparing the performance across all datasets, it is evident that the merged dataset significantly improves the NER model results, showcasing its ability to enhance the performance through richer and more diverse entity coverage, also when used with general-domain LLMs. On the other hand, the datasets (including the original ones) have some very unbalanced classes, and this can limit their performances, as well as their generalization capabilities, causing in some experiments lower performances, compared with the expected ones.

The merged dataset, including the documentation on the annotation scheme, and the fine-tuned NER models are publicly available on the SoBigData research infrastructure2.

This work presented a cyber security NER dataset, obtained by combining APTNER and CyNER datasets, with the purposes of addressing the scarcity of open cyber security NER corpora and improving the performances of the original ones. The merged dataset standardizes and harmonizes entity types across diferent sources, providing a comprehensive and diverse set of annotations. Our experiments demonstrated that the proposed dataset significantly enhances model performance, highlighting its ability to improve the recognition capabilities of NER models in the cyber security domain.

Future work could focus on further expanding the dataset by integrating additional cyber security corpora to cover a wider range of entities and scenarios, as well as to reduce the unbalance of the dataset, also leveraging augmenting techniques or semi-supervised annotation approaches [ 15 ]. Additionally, exploring transfer learning techniques to apply the knowledge gained from this dataset to other related tasks in cyber security, such as threat detection and incident response, could be highly beneficial. Finally, it would be valuable to investigate the impact of diferent annotation schemes and entity definitions on model performance, to refine further and optimize the dataset.