TRAPPER:Learning with Weak Supervision for Threat Intelligence Entity Recognition

The emergence of threat intelligence provides more foundation for tracing the source of network attacks, but it also necessitates a significant amount of manual analysis. Although data-driven automatic information extraction can effectively reduce labor consumption, it is limited by a lack of labeled data in the field of threat intelligence. To overcome this limitation, we propose TRAPPER, a threat entity recognition framework that can infer real threat entities from unlabeled threat sentences, avoiding the difficult labeling work. TRAPPER relies on label functions and three components, label aggregator, label predictor, and label expander, which guides the model with weak supervision and uses transfer knowledge as an aid. The label functions permit us to inject expert knowledge into the label aggregator to generate the inputs needed by the label predictor. It enables the label predictor to learn to recognize threat entities. The label expander combines the multi-source noisy label information with the transferred entity recognition semantic knowledge to further expand the entities. Throughout the process, the components promote each other by learning from each other. Comparative experiments on three threat intelligence-related datasets show that our method can effectively identify threat entities and achieve a maximum F1 score improvement of 6.3% over the best baseline.