CTI-GEN: A Framework for Generating STIX 2.1 Compliant CTI Using Generative AI
Description
Cyber Threat Intelligence (CTI) enables organisations and individuals to gather knowledge about the cyberattack landscape. This work presents a framework, CTI-GEN, for generating CTI in the Structured Threat Information eXpression (STIX) format from unstructured textual reports. The framework leverages Large Language Models (LLMs) to automate the generation of CTI in STIX. The framework consists of six components, each designed to complement and correct the previous ones, and uses detailed prompt engineering procedures to guide the model in generating CTI in STIX. To this end, the STIX schema was preprocessed to simplify its complex and redundant interdependencies so that it could be leveraged effectively. CTI-GEN achieved an F1-Score of 81% in generating relevant objects from the text, 57% in the generation of relationships between the objects, and, importantly, a precision of 96% in the assignment of values to attributes in the CTI objects. This work presents the first approach to generating complete and error-free CTI using LLMs and the full spectrum of STIX.
Files

| Name | Size |
|---|---|
| Accepted CTI-GEN.pdf (md5:f0846a49919ace42fc1dbc0b1244ca3a) | 294.9 kB |