Most of the methodologies for ontology engineering found in the literature [ 1, 2, 3 ] include sub-processes, ranging from requirements elicitation to testing. Usually, in the requirements elicitation sub-process, they gather existing vocabularies and other related standard and reference documents. Figure 1 shows a variation of the main sub-processes (white boxes) of the SABIO methodology [ 1 ] in BPMN notation. The conceptualization/formalization sub-process embeds a vocabulary construction task, in which the ontologist must define the terms that can be covered by the ontology. Note that in Figure 1 this task is reified (gray box) and represented as a sub-process. We treated this task as a sub-process because its complexity is greater than it first seemed

According to some authors [ 5 ] [ 6 ], building a vocabulary, i.e. a list of terms and their corresponding definitions, is not a trivial task and may afect the quality and consistency of the ontology under construction. Many challenges emerge and must be solved with the support of domain experts. Some of the main issues that should be addressed are [ 5 ]: (i) Inconsistencies – there are plenty of terminological resources, and diferent definitions coming from these resources can be conflicting and lead to logical contradictions; (ii) Homonyms – two diferent concepts might share the same name but refer to diferent things, resulting in either unintended duplication and ambiguity, and should be distinguished by using diferent terms; (iii) Synonyms - multiple terms that refer to the same concept may create confusion, thus a preferred term must be chosen; (iv) Recursive or Circular Definitions - definitions that define a term in terms of itself, or in terms of another that references it, can create logical inconsistencies, and should be avoided; (v) Redundant Hierarchies – merging can introduce multiple paths between concepts or duplicate subclass relationships, cluttering the structure and making maintenance dificult.

Based on these issues, a set of tasks should be planned, such as reconciling definitions, checking for cycles and inconsistencies, choosing preferred terms, disambiguating homonyms, among others.

Moreover, especially in the case of cybersecurity domain, there are many reference and terminological documents to take into account, which turn the Vocabulary construction into an even more expensive and time-consuming task. In the present work, we intend to address some of these problems in an agile way, by proposing a Vocabulary preparation and enrichment sub-process using a RAG/LLM approach. 2.2. RAG Based on insights derived from references [ 7, 8, 9, 10, 11 ], Retrieval-Augmented Generation (RAG) is a technique that enhances text generation in large language models (LLMs) by integrating information from external, private, or proprietary data sources that are reliable, up-to-date, and provide additional context. This approach improves the accuracy and reliability of the model’s output by referencing an external knowledge base before generating a response. Additionally, RAG promotes transparency by linking the generated text to specific, relevant sources, ofering users insight into the model’s generative process.

The RAG technology has been developing rapidly. RAG originated alongside the Transformers framework, designed to enhance text generation by incorporating external context [ 12 ]. Subsequently, the technology focused on prioritizing the most relevant information to enhance LLM responses. RAG was later utilized to assist in fine-tuning LLMs, further improving their contextual awareness and accuracy [ 13 ]. Thus, there are diferent types of RAG, which can be classified based on their implementation, architecture, or approach to integrating external data. Among the various types of approaches, the following stand out [ 14, 15, 16 ]: • Naïve RAG: Documents are segmented into smaller chunks and transformed into vector embeddings for eficient storage. When a query is received, the system retrieves the most relevant chunks using a similarity function and provides them as context for a language model. • Advanced RAG: enhances the base model with sophisticated preprocessing (e.g., query reformulation) and post-processing (e.g., document re-ranking) to optimize retrieval accuracy. It can integrate LLMs, Large Retrieval Models (LRMs), and Small Language Models (SLMs) to generate precise, coherent, and contextually enriched responses. • Modular RAG: Allows individual components to be replaced or fine-tuned independently, including the retriever (which fetches relevant data), the processor (which pre-processes information), and the generator (which leverages an LLM or LRM to produce coherent and contextually accurate text). • Corrective RAG: After generating a response, the system cross-references it with trusted data sources to identify and correct inaccuracies, ensuring greater factual accuracy and reliability. • Speculative RAG: Typically utilizes an LLM or LRM to generate plausible responses by combining retrieved information with pattern-based reasoning and informed assumptions.

Information Retrieval (IR) [ 17, 18 ] is an area concerned with the extraction of desired information from various sources, but mainly textual content. The most used models in IR are vector space models and probabilistic models, although there are techniques that do not involve embedding of text, such as ranking functions.

Vector space models[ 19, 20 ] aim to embed words (or even entire fragments of text) as vectors in a high-dimensional space. Relevance or similarity are then translated to distance between such vectors, which can be represented in many ways, but mostly via the dot-product between two vectors.

Probabilistic models are based on the principle that documents in a corpus should be ranked by decreasing probability of their relevance to a queried term - the Probabilistic Ranking Principle [ 21 ]. Diferent implementations provide their own probability estimation techniques, and each domain requires adequate crafting of them.

Ranking Functions are another way to retrieve information from texts - usually paired together with word embeddings. Given a set (usually called a corpus) of fragments of text (documents)1 and a certain term to be queried in these documents, this function creates a score for each - indicating the relevance of each to the queried term.

Tf-idf[ 22 ] is a ranking function that stands for a mix of term frequency and inverse document frequency. It is, in fact, a way to take both these concepts into account when scoring documents regarding certain queried terms. Term frequency is the amount of times the queried term appears in each document. Inverse document frequency is the logarithm of the inverse of the frequency with which the term appears in all of the documents - indicating how relevant the document in question is compared to the others. These scores are, then, multiplied (let be the number of documents, a document and a queried term):

TF-IDF(, ) = tf(, ) · ︂(

)︂ df()

Over decades, Tf-idf has been used in several applications (e.g.[ 23 ]), but it does have certain limitations. It does not consider concepts such as normalization and saturation. Normalization is related to the size of each document, i.e. if a term appears 10 times in a document that has 100 words, it should be more relevant than appearing 11 times in 1000 words. Saturation indicates that there must be a threshold up to which the term is still relevant in the document - the more it appears above this point, the less important the syntactical presence of the term in the document is to its semantics.

BM25[ 24 ] stands for Best Match 25 (25 indicates that it was the 25th iteration of the refinement of this algorithm). It is a series of improvements over Tf-idf considering concepts such as the ones described above:

BM25(, ) = ∑︁ ∈ ︂(

)︂ df() · 1 · (1 − ) + · () )︁ ︁( (1 + 1) · tf(, )

+ tf(, ) 1, - parameters () - size of document - average document size

There have been many implementations of BM25 over the years [ 25, 26, 27 ], each adjusting parameters, considering diferent domains, and considering diferent linguistic concepts. However, most of them have better performance than plain Tf-idf in most scenarios. 1In this section we will utilize these terms to define ranking functions, but they are confusing when taking our implementation into account. In the following sections, we will refer to a corpus as a document, and the documents in it exclusively as fragments of text or sentences.

Cybersecurity, the domain addressed in this article, is the prevention of damage to, protection of, and restoration of computers, electronic communications systems, electronic communications services, wire communication and electronic communication, including information contained therein, to ensure its availability, integrity, authentication, confidentiality, and nonrepudiation [ 28 ]. The ontological analysis of the cybersecurity domain is highly valued, as it reveals how diferent initiatives model reality in distinct ways, which can directly impact the understanding of the domain, the interoperability of security systems, and the subsequent implementation of policies and actions. We will extract fundamental concepts from these initiatives; therefore, we provide a brief description of each.

Several initiatives have been proposed to guide best practices in cybersecurity, providing guidelines for identifying, preventing, and responding to threats. Some of the most prominent cybersecurity frameworks and standards include the MITRE strategies, NIST approaches, ISO/IEC 27001, CIS Controls, COBIT, and OWASP.

MITRE is an American corporation that has developed two complementary frameworks: MITRE ATT&CK and MITRE D3FEND. The philosophy of MITRE ATT&CK is to move from a reactive defense to a proactive defense based on adversary behavior [ 29 ]. Therefore, they focus on how adversaries achieve their objectives, i.e., the tactics, techniques, and procedures (TTPs) employed in real-world attacks. MITRE D3FEND, on the other hand, focuses on defensive countermeasures mapped onto ATT&CK ofensive tactics and techniques [ 30 ]. Once one knows how adversaries attack, one can detail how to defend against them.

NIST (National Institute of Standards and Technology) produces a wide range of publications, standards, and frameworks related to cybersecurity. The NIST Cybersecurity Framework (CSF) is a high-level strategic guide for organizations to manage and mitigate cyber risk [ 31 ]. It is organized into six main functions: Govern (establishing strategy, expectations, and policies), Identify (mapping assets, risks, and vulnerabilities), Protect (implementing controls such as encryption and access management), Detect (continuous monitoring to identify incidents), Respond (executing mitigation and communication plans), and Recover (restoring services and improving resilience). The CSF acts as an aggregator, pointing to other standards and norms for the implementation details. The NIST Special Publication (SP) 800 Collection is the most comprehensive collection of NIST cybersecurity guidelines and recommendations, such as NIST 800-53, a catalog of security controls that organizations should implement [ 28 ]. This extensive catalog provides technology-agnostic controls used by risk teams, while security operations teams more commonly use MITRE mitigations. It is possible to map between the two to find a common language. The glossary of terms [ 32 ] used in all technical publications is useful for ontology design.

ISO/IEC 27001 [ 33 ], developed by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC), is an international standard that defines requirements for an Information Security Management System (ISMS), focusing on the confidentiality, integrity, and availability of data. It covers risk management and security controls organized into domains (such as policies, asset management, incident response, and certification). An organization may seek an ISO 27001 certification to demonstrate compliance with an international ISMS standard, which often covers a large portion of the NIST CSF requirements and implements many of the controls in NIST SP 800-53.

CIS Controls [ 34 ], developed by the Center for Internet Security (CIS), provide a set of practical and prioritized controls to protect systems and data. It is focused on immediate implementation, making it accessible for organizations seeking quick and efective solutions. The CIS Controls are closely aligned with the NIST approaches, sharing common goals and complementary structures.

Control Objectives for Information and Related Technology (COBIT), developed by the Information Systems Audit and Control Association [ 35 ], is an IT governance framework that combines cybersecurity with organizational strategic objectives. It promotes efective technology and information management, aligning security with business processes.

OWASP (Open Web Application Security Project) [ 36 ] is an organization focused on software security, particularly in web applications and APIs, providing guidelines and tools for developers and businesses. Its most well-known project, the OWASP Top 10, lists the primary vulnerabilities in web applications, such as SQL injection and authentication failures, helping prioritize mitigation actions.

These initiatives, each with its specificities, are complementary and can be combined to create robust cybersecurity strategies tailored to the needs and objectives of each organization. In the context of ontologies, they provide systematic frameworks that organize, standardize, and implement security concepts consistently and interoperable, facilitating the development and maintenance of ontologies.

Given a term to be incorporated into a vocabulary, together with = {1, 2, . . . , ||}2, a set of queried terms (i.e. words related to the definition of term ), and a corpus = {1, 2, . . . , ||} consisting of relevant documents within the target domain, LAVOHA extracts relevant sentences from 2In this article, || denotes the cardinality of any arbitrary set documents in and uses them to query an LLM for suggested definitions for . It is important to highlight that if is a single word term then ∈ , so that the algorithm will return the sentences related to itself. In case is a compound name, then each word in must be in . Figure 2 presents a modular overview of the designed method.

Step 1 (Sentence Split) splits each document ∈ into sentences, yielding a Bag of Sentences , the set of all sentences in . In Step 2 (Top Sentences Selection), given , and , this step evaluates a relevance score for each pair (, ) ∈ × . For each ∈ , the top sentences are returned, resulting in a set of up to || × distinct sentences. Then, for each sentence ∈ , Step 3 (Select Neighbor Sentences) retrieves the sentences that precede and the sentences that succeed in . The output of this step is, therefore, a set of up to || × (2 + 1) distinct sentences, since the original sentence in is also included. The next step (Step 4 - LLM Request Formulation Task) constructs , the prompt expression for an LLM chosen by the user. To this end, the following strings are concatenated: “You are a specialist in ”; name-of-the-domain-of-the-application; “. "; “Define the term "; ; “, based on the definitions stated in the following set: "; . Note that name-of-the-domain-of-the-application, , and are variables and are not strings themselves. Indeed, they contain the strings to be concatenated to form the prompt. Finally, LAVOHA’s last step (Step 5 - LLM Engine Execution) consists of the execution of ′ engine, given the prompt . Its output is , the definition for suggested by .

We provide further details on the implementation of the most challenging steps of the LAVOHA method. The LAVOHA implementation artifacts are available in the GitHub repository 3. The system was developed in Python (version 3.12), due to its vast availability of useful packages and documentation online. Before Sentence Split, the pdf documents are converted to text files. This process is done only once per document, as a pre-processing step, since it is highly time-costly. Whenever a new document is added to the pool, it is quickly converted to a text file. To convert pdf files to txt, we make use of the PyMuPdf4 in version 1.25.5.

As the document corpus for the cybersecurity domain, we used the following set of documents: • ATTACK_Design_and_Philosophy_March_2020.pdf • getting-started-with-attack-october-2019.pdf • mitre_TTPs.pdf • NBRISO-IEC 27035.pdf 4https://pypi.org/project/PyMuPDF/ 5https://www.nltk.org/ 6https://pypi.org/project/rank-bm25/ The following list shows each term used in the experiment, together with its set of related words (queries) . It is worth recalling that the terms and their respective related words, defined by the user, are precisely the concepts that require harmonization, since the meanings may vary in each document. • Attack: "attack", "attempt", "access", "damage", "interrupt", "malicious", "degrade", "destroy", • Attack vector: "vector", "attack", "method", "methods", "technique", "techniques", "access" • Campaign: "campaign", "grouping", "activities", "intrusion", "period", "targets", "objectives" • Damage: "damage", "efect", "event", "incident", "occurrence", "loss" • Event: : "event", "occurrence", "observable", "indication", "incident", "suspicion", "adverse" • Incident: "incident", "occurrence", "risk", "confidentiality", "integrity", "availability", "information", "violation", "threat", "policies" • Information Asset: "asset", "information", "value", "person", "organization", "organisation", "medium", "resource", "critical" The configuration properties used in the experiment were the following: • N = 6. Step 2 selects the top six sentences. • M = 0. Step 3 adds no neighbors.

• ∈ {GPT-4o, DeepSeek-V3}. In Step 6 we used both GPT-4o and DeepSeek-V3.

To assess whether LAVOHA indeed improved the LLM output, we generated the output (reconciled definitions) in three diferent ways: • Using only the LLM, without LAVOHA; • Using the LLM with LAVOHA; • Through human discussions until reaching a consensual definition.

The human consensual definition was considered the appropriate response, and it was later compared to the first two definitions to evaluate whether the use of LAVOHA improved the LLM response for this task. To achieve this, we calculated the sentence embedding as the average of its word vectors, the cosine similarity between the responses generated by LLMs, and the consensus definition. The definition embeddings were computed with the pre-trained FastText library [ 49, 50 ].

Table 2 shows the mean value and standard deviation of the cosine similarity over the seven terms’ definition. We note that with the use of LAVOHA, the quality of GPT4-o output improved from a 0.9261 mean similarity with the consensus definition to 0.9317, whereas DeepSeek improved from 0.9279 to 0.9443. Therefore, the DeepSeek model responded better with the help of LAVOHA. This result may be due to DeepSeek having a smaller training set than GPT4-o.

We performed the automated evaluation because it is dificult to analyze manually the nuances that diferentiate the two definitions. Still, it may be useful to present definitions produced with and without LAVOHA to illustrate the quality improvement achieved by the method. As an example, we list two definitions of attack: the first was generated by DeepSeek-V3 alone, and the second by DeepSeek-V3 assisted by LAVOHA: 1. A deliberate, malicious attempt by an individual, group, or system to exploit vulnerabilities in a computer system, network, or digital infrastructure with the intent to: - Compromise confidentiality, integrity, or availability (CIA triad) of data or services. - Gain unauthorized access, disrupt operations, steal information, or cause harm. - Deploy malware, execute code, manipulate systems, or escalate privileges. Attacks can be active (directly altering or damaging systems) or passive (eavesdropping without modification). Common types include phishing, ransomware, DDoS, SQL injection, and zero-day exploits. 2. A deliberate, malicious attempt by an adversary to compromise, disrupt, or destroy the confidentiality, integrity, or availability of systems, networks, or data. Attacks may employ various tactics, techniques, and procedures (TTPs), such as exploiting vulnerabilities, deploying malware, or leveraging social engineering, to achieve objectives like unauthorized access, data theft, service disruption (e.g., Denial of Service), or system destruction. These actions can target technical infrastructure (e.g., endpoints, cloud resources) or human elements (e.g., phishing), and often mimic normal activity to evade detection.

The second definition feels cleaner and more precise. In the first sentence, it defines attack, in the second, it demonstrates how attacks may be performed, and in the third sentence, it enumerates the possible targets of an attack. Furthermore, it uses the verb "target", an important predicate, because it characterizes the relation between a typical attack and the attacked assets, suggesting a possible triple modeling (Attack, targets, Asset). Then it identifies "technical infrastructure" as a target, a general term that encompasses the vulnerable entities listed in the first definition. It also includes "human elements", which is a conceptual gap in the first definition.

The other six term definitions generated by DeepSeek and the seven term definitions generated by GPT presented similar improvement with the aid of LAVOHA. Furthermore, DeepSeek answers for the seven terms without LAVOHA seem to vary little, as if reading from the same source. For instance, DeepSeek mentions "confidentiality, integrity, or availability (CIA triad)" in 4 of the 7 definitions without LAVOHA. However, when assisted by LAVOHA, it mentions the CIA triad in only one of the definitions, which shows a better separation of concepts by the diferent definitions.