A threat intelligence entity identification method based on a large language model and contrastive learning

By combining instruction fine-tuning with contrastive learning, the illusion problem of large language models in threat intelligence named entity recognition was solved. By optimizing the model with noisy negative samples and a hybrid loss function, more accurate and stable threat intelligence entity recognition was achieved.

CN122154692APending Publication Date: 2026-06-05BEIJING UNIV OF POSTS & TELECOMM

Patent Information

Authority / Receiving Office
CN · China
Patent Type
Applications(China)
Current Assignee / Owner
BEIJING UNIV OF POSTS & TELECOMM
Filing Date
2024-11-28
Publication Date
2026-06-05

AI Technical Summary

Technical Problem

Existing large language models suffer from the illusion problem in threat intelligence named entity recognition, generating text that is inconsistent with objective facts, contradictory in context, inaccurate in answers, and has difficulty effectively capturing the interdependencies of masked markers.

Method used

By combining instruction fine-tuning and contrastive learning methods, a hybrid loss function is constructed by introducing different proportions of noise negative samples and random character negative samples to optimize the threat intelligence named entity recognition model. The ChatGLM3-6B model is then used for LoRa fine-tuning, taking into account the contextual information and label dependencies of the threat intelligence text.

Benefits of technology

It improves the accuracy and robustness of threat intelligence named entity recognition, enhances entity recognition performance in complex environments, and outperforms existing methods.

✦ Generated by Eureka AI based on patent content.

Smart Images

  • Figure CN122154692A_ABST
    Figure CN122154692A_ABST
Patent Text Reader

Abstract

The application discloses a threat intelligence entity identification method based on a large language model and contrastive learning, realizes an initial model by injecting safety knowledge through supervised fine-tuning, analyzes and generates entity data, and proposes a contrastive learning method for generating negative samples by a large language model to solve the extraction result illusion problem. It comprises the following steps: according to a public threat intelligence data set, a threat intelligence prompt word data set is constructed as the input of the large language model; a negative sample generation method is responsible for generating entity negative samples by using specific prompt words through the model fine-tuned by Lora, and generating character-level negative samples by adding random character noise to the positive sample entity; a contrastive learning method is responsible for contrastive learning through the constructed positive and negative samples, and alleviating the illusion problem of the large language model. Through the negative sample generation method using the large language model for specific entities prone to confusion, a new idea based on the large language model and contrastive learning is provided for threat intelligence entity identification.
Need to check novelty before this filing date? Find Prior Art

Description

Technical Field

[0001] This invention belongs to the field of threat intelligence information extraction, and particularly relates to comparative learning, threat intelligence, large language models and other related fields. Background Technology

[0002] Threat intelligence is typically rich in attack-related information, such as the source IP of suspicious actions, attack behaviors, and log records. Therefore, entities in threat intelligence are often complex in structure, difficult to identify, and challenging to parse, urgently requiring efficient entity identification methods. Effective threat intelligence extraction is fundamental to tasks such as knowledge graph construction and threat hunting. In recent years, most models have been optimized around BERT, but due to the independence assumption of MLM, BERT fails to capture the interdependencies of masked labels. While Large Language Models (LLMs) already possess pre-trained parameters for general domains and achieve good results with complex data and limited training data, they still require fine-tuning within specific domains in the threat intelligence field.

[0003] However, although large language models have been put into practice in the field of information extraction, existing large speech models have the illusion problem in named entity recognition of threat intelligence, that is, the text generated by the model does not match the objective facts, the context is contradictory, and the answers are inaccurate.

[0004] To address the aforementioned issues, this invention proposes a method combining instruction fine-tuning and comparative learning to resolve the illusion problem present in large threat intelligence entity identification models. Summary of the Invention

[0005] This invention proposes a method combining instruction fine-tuning and contrastive learning to address the illusion problem in large-scale threat intelligence entity recognition models, while also verifying the model's robustness. Two types of noise are introduced at different proportions at the input: negative entity samples generated by the large language model and negative samples with added random characters. These are then compared and learned by combining existing positive and negative samples. A hybrid loss function is proposed to maximize the effect of contrastive learning. Finally, based on the above, a model is constructed for threat intelligence named entity recognition.

[0006] This invention provides a threat intelligence entity identification method based on large language models and contrastive learning, comprising the following steps:

[0007] 1) Fuse cue words, raw short texts, and tag data from publicly available threat intelligence datasets as input to a large language model;

[0008] 2) For the constructed prompt words, the ChatGLM3-6B model is trained using LoRa fine-tuning. Finally, the trained parameters are integrated with the original large model pre-trained parameters, taking full account of the threat intelligence context information.

[0009] 3) Two methods for generating negative samples are used to alleviate the illusion problem of large language models through contrastive learning, thereby constructing a model to perform named entity recognition tasks on unstructured threat intelligence texts.

[0010] Furthermore, the threat intelligence entity identification process includes:

[0011] a) After the raw threat intelligence is identified by BIO, it still lacks cue words for the input of the large language model. Therefore, a series of preprocessing work is required: designing cue words, retaining the original threat intelligence text, and reorganizing the BIO data into entity_entity type output. These three parts constitute the input of the ChatGLM3-6B model.

[0012] b) After preprocessing, the resulting threat intelligence cue dataset is used as the training set for LoRa fine-tuning. This invention uses the ChatGLM3-6B model. After LoRa fine-tuning, entity extraction is performed on the threat intelligence. The ChatGLM3-6B model is based on the GLM autoregressive fill-in-the-blank model, which can optimize the original mask independence assumption of BERT and take into account the interdependence between tags, thus optimizing the understanding of the threat intelligence context.

[0013] c) When generating negative samples, there are two different methods, and the improvement in entity recognition accuracy of the model is tested at different proportions, as follows:

[0014] (1) Model generates negative samples y - During the generation process, design new instructions ( Figure 2 (Prompt input) requires initial fine-tuning of the model p(y|x) by randomly generating 200 entities W based on the learned threat entity knowledge. Model (x), and the percentage of entities belonging to significantly unevenly distributed categories in the original dataset at ζ, are denoted as W. vul :

[0015]

[0016] Among them, y - ~p(y|x) represents the negative sample y - It is sampled from the conditional probability distribution p(y|x). ζ is the proportion of negative samples, which are easily confused. Let W... Pos (x) has a length of m, and generates negative sample entities W. Model After (x), a random array of length m is generated, whose elements are random selections from the following entity category set:

[0017] TypeArray = {Type1, ..., Type i ,…,Type mType i ∈

[0018] RandomChoise(Class1,...,Class n )}(4)

[0019] Finally, underscores are used to map entities to types, and commas are used to separate different entities, completing the negative sample W. add Generation:

[0020] W add ={W Model (x)1_Type1,…,W Model (x) m _Type m} (5)

[0021] Assume the correct output entity corresponding to InputText is W Pos ={EntityeTrue1_TypeTrue1,…,EntityeTrue m _TypeTrue m}, then the negative sample with added entity is W AddEntity ={W Pos W add Replace the negative sample W of the entity ReplaceEntity ={W Model (x)1_TypeTrue1…,W Model (x) m _TypeTrue m The negative samples of the deleted entity are W. DeleteEntity ="no", In conclusion, W NegEntity ={W AddEntity W ReplaceEntity W DeleteEntity}

[0022] (2) Negative samples generated by adding character-level noise to entity data. Assume the original entity length is t, and EntityTrue = {z1, ..., z} t}, randomly generate indices ∈ [1, t], randomly generate characters θ, and add negative sample entities of the characters as W. addChar ={z1,…,z index-1 ,θ index ,z index ,…,z t The negative sample entity for deleting the character is W. delChar ={z1,…,z index-1 ,z index+1 ,…,z t The negative sample entity for the replaced character is W.replaceChar ={z1,…,z index-1 ,θ index ,z index+1 ,…,z t}. Randomly generate an index index2∈[1,index)∩(index,t], swap the letters in the two indices, and get W. swapChar In summary, W NegChar ={W addChar W delChar W swapChar W replaceChar},W Neg =

[0023] {W NegChar W NegEntity}

[0024] The negative sample label is obtained after encoding. neg :

[0025] Label neg =transformer.tokenizer

[0026] ([MASK],Instruction,x,W Neg (6)

[0027] Furthermore, in step 1), the original threat intelligence public dataset is split and the data structure is reorganized using the Lora model fine-tuning method, while retaining the original text and entity recognition results and adding prompt words.

[0028] Furthermore, the ChatGLM3-6B pre-trained model used in step 2) is an autoregressive fill-in-the-blank model. Unlike the mask independence assumption of the BERT model, it considers the interdependencies between the original threat intelligence text tags, enabling the model to better understand the context and obtain accurate threat entities. Modern network attack and defense are constantly iterating and updating, and threat intelligence is also constantly changing. Compared with BERT, ChatGLM3-6B is better able to measure the relationship between threat intelligence entities and the context, thereby improving the effectiveness of entity recognition.

[0029] Furthermore, in step 3), considering that the Lora-tuned ChatGLM3-6B model, which already incorporates threat intelligence data features, can generate more easily confused threat intelligence entities based on the designed prompts, the model generation method, combined with randomly generated entity types, can more effectively construct negative samples suitable for comparative learning in the threat intelligence domain. Simultaneously, referring to traditional negative sample generation methods, random characters are added to positive sample entities to construct negative samples. Then, based on the existing positive and negative sample encodings, a hybrid loss function is designed to further train the Lora-tuned ChatGLM3-6B model, which incorporates threat intelligence data features, through comparative learning.

[0030] The method of this invention can effectively perform threat intelligence named entity recognition using large language models, and has the following advantages compared with existing technologies:

[0031] 1. This invention proposes a novel threat intelligence entity identification method. By using an autoregressive fill-in-the-blank model, it considers the dependencies between each tag in the threat intelligence text and performs LoRa fine-tuning on the large language model for threat intelligence domain data features, thereby improving the effectiveness of threat intelligence entity identification.

[0032] 2. This invention solves the problem of illusion in large language models. By comparing and learning two different negative sample construction methods—generating negative samples through the model and adding random character noise negative samples—the final model outperforms existing methods in the publicly available threat intelligence named entity recognition dataset. At the same time, it verifies that the model has robustness. Attached Figure Description

[0033] Figure 1 The flowchart of the complete threat intelligence named entity recognition model of the present invention includes four parts: data preprocessing, LoRa fine-tuning, negative sample generation, and contrastive learning to train the model.

[0034] Figure 2 This is an example diagram illustrating the named entity recognition for threat intelligence in this invention. A short text of original threat intelligence and its corresponding BIO entity recognition result are selected as an example. The input includes a two-slot instruction and the text to be extracted.

[0035] Figure 3 The figures show the entity recognition results under different proportions and types of negative samples. The left side of the figure shows the entity recognition results of the model after learning with different proportions of character-level negative samples, while the right side shows the entity recognition results of the model after learning with different proportions of entity-level negative samples.

[0036] Figure 4This is a graph showing the entity recognition results of the model when the proportion of contrast loss is different in the mixed loss function with different β parameters.

[0037] Figure 5 To verify the robustness of the model, experiments were conducted by injecting different types and proportions of noise into the test set text. The resulting entity recognition images are shown below. Detailed Implementation

[0038] To make the above-mentioned features and advantages of the present invention more apparent and understandable, the present invention will be further described in detail below with reference to specific embodiments and accompanying drawings. The specific training process is as follows: Figure 1 As shown, its main steps include:

[0039] Step 101: Take the original text and BIO classification results from the CyNER dataset, add cue words, and restructure the data into a JSON dataset containing cue words, initial text, and extraction results. This dataset will serve as the input dataset for the large language model. Figure 2 Input box.

[0040] Step 201: Using a threat intelligence dataset, fine-tune the base language model of ChatGLM3-6B using LoRa to obtain an initial model with threat intelligence data characteristics.

[0041] Step 301: Design a second prompt word. This prompt word is used as the input prompt word for the initial model with threat intelligence data characteristics to generate threat intelligence entities with easily confused characteristics.

[0042] Step 302: Combine the negative samples of threat intelligence entities with easily confused characteristics with randomly generated entity types to obtain negative samples of entity-entity type structure with dual slot structure, and mix them into the correct entity recognition output of the original dataset at different proportions.

[0043] Step 303: Combine the entities generated by adding randomly generated characters and the randomly generated entity types to obtain negative samples of the entity-entity type structure with a dual-slot structure, and mix them into the correct entity recognition output of the original dataset at different proportions.

[0044] Step 304: Combining positive and negative samples, a hybrid loss function is constructed using a contrastive learning approach. This function is then trained on a publicly available threat intelligence dataset to ultimately obtain the threat intelligence entity identification results.

[0045] This invention uses the publicly available CyNER and APTNER datasets for training and validation, and conducts experiments under various types and proportions of negative samples. The experimental results show that the model constructed by this invention through a large language model and contrastive learning improves the accuracy of named entity recognition in the threat intelligence field, outperforming the highest score of existing models. At the same time, the robustness of the model is tested, and the model can still maintain stable entity recognition accuracy even with noisy test set input.

[0046] The above description is merely a preferred embodiment of the present invention, but the scope of protection of the present invention is not limited thereto. Any variations or substitutions that can be easily conceived by those skilled in the art within the technical scope disclosed in the present invention should be included within the scope of protection of the present invention. Therefore, the scope of protection of the present invention should be determined by the scope of the claims.

Claims

1. A threat intelligence entity identification method based on large language models and contrastive learning, characterized in that, include: A. Fine-tune the ChatGLM3-6B basic model from massive amounts of unstructured labeled threat intelligence using prompt words, threat intelligence text, and entity type label data; The GLM part of the ChatGLM3-6B basic model adopts the Transformer language model and the autoregressive fill-in-the-blank model to generate entity recognition results based on prompt words, and then trains the model using LoRa fine-tuning, and finally integrates the trained parameters with the pre-trained parameters of the original large model; B. To alleviate the illusion problem of large models, a contrastive learning approach is used. Two methods for generating negative samples are proposed: First, using a Lora-tuned ChatGLM3-6B model and inputting different prompt words, negative samples of threat entities are generated to address the illusion problem in the threat intelligence field. Second, negative samples are generated by inserting random characters into existing positive sample entities. Finally, the generated positive and negative samples are used to train the model using a contrastive learning approach to obtain the final threat intelligence named entity recognition model.

2. The threat intelligence entity identification method based on a large language model and contrastive learning according to claim 1, characterized in that, Step A further includes the following steps: A1. Perform data preprocessing on the threat intelligence annotation dataset. For a BIO-annotated threat intelligence text [a1_B-Type, a2_I-Type, a3_O, a4_O, ..., a...] n The input text x = [a1, a2, ..., a] is divided into two parts: n The entities annotated with B and I are converted into the output entity W. Pos (x)=[entity1_Type,…,entity n _Type], entity 1…n ∈x; A2. Employing the Transformer language model and an autoregressive fill-in-the-blank model, the named entity recognition task is redefined as a blank-filling generation task, generating entities and their corresponding types. A two-slot instruction, "entity_entity type," is designed, and the instruction, input text x, output entity sequence y, and corresponding label Q are encoded to obtain the positive label Label. pos : Label pos =transformer.tokenizer([MASK],Instruction,x,W Pos (x)) After training, the model is adjusted by calculating the cross-entropy loss function based on the obtained prediction results. A3. Perform LoRa fine-tuning on the ChatGLM3-6B model. The original weight parameter of the model is K0. Update the low-rank matrix weight ΔK related to threat intelligence data in the side path. Finally, merge the original weight matrix K0 and the updated parameter ΔK to obtain the weight K = K0 + ΔK of the preliminary threat entity extraction model.

3. The threat intelligence entity identification method based on a large language model and contrastive learning according to claim 1, characterized in that, Step B further includes the following steps: B1, y — Defined as negative knowledge, two methods are used to construct the fragment y that is most likely to be confused by the model. — That is, the negative samples W generated by the initial model. NegEntity Negative samples W are obtained by adding noise to the entity data and characters. NegChar ,as follows: (1) Model generates negative samples y - During the generation process, the initial fine-tuning model is required to randomly generate 200 entities W based on the learned threat entity knowledge. Model (x), and the percentage of entities belonging to significantly unevenly distributed categories in the original dataset at ζ, are denoted as W. vul : Among them, y - ~p(y|x) represents the negative sample y - It is sampled from the conditional probability distribution p(y|x); ζ is the proportion of negative samples of the easily confused class; let W Pos (x) has a length of m, and generates negative sample entities W. Model After (x), a random array of length m is generated, whose elements are random selections from the entity category set: TypeArray = {Type1, ..., Type i ,…,Type m Type i ∈RandomChoise(Class1,...,Class n )}, where n is the size of the entity category set; Finally, underscores are used to map entities to types, and commas are used to separate different entities, completing the negative sample W. add Generation: W add ={W Model (x)1_Type1,…,W Model (x) m _Type m } In the positive sample entity sequence W Pos (x) are used to perform addition, deletion, and replacement operations to generate a sequence of negative sample entities; assuming W Pos ={EntityeTrue1_TypeTrue1,…,EntityeTrue m _TypeTrue m }, then the negative sample with added entity is W AddEntity ={W Pos W add }; Replace the negative sample W of the entity ReplaceEntity ={W Model (x)1_TypeTrue1…,W Model (x) m _TypeTrue m }; The negative sample of the deleted entity is W DeleteEntity ="no"; ultimately, the negative sample entity sequence W NegEntity ={W AddEntity W ReplaceEntity W DeleteEntity }; (2) Negative samples generated by adding character-level noise to entity data: Assuming the original entity length is t, we have EntityTrue={z1,…,z t }, randomly generate indices ∈ [1, t], randomly generate characters θ, and add negative sample entities of the characters as W. addChar ={z1,…,z index-1 ,θ index ,z index ,…,z t The negative sample entity for deleting the character is W. delChar ={z1,…,z index-1 ,z index+1 ,…,z t The negative sample entity for the replaced character is W. replaceChar ={z1,…,z index-1 ,θ index ,z index+1 ,…,z t }; Randomly generate the index index2∈[1,index)∩(index,t], swap the letters in the two indices, and get W swapChar Finally, we obtain the negative sample W with added character-level noise. NegChar ={W addChar W delChar W swapChar W replaceChar }; Combining these two negative sample generation methods, we obtain W. Neg ={W NegChar W NegEntity After encoding, the negative sample label is obtained. neg : Label neg =transformer.tokenizer([MASK],Instruction,x,W Neg ) B2, Based on positive samples W Pos (x) and the generated negative sample W Neg Implement contrastive learning to train the model, and design a hybrid loss function: β is the scaling factor of the mixed loss function, L CE It is the cross-entropy loss function, γ is the temperature parameter, exp(sim(y,y) - )) is the result of the exp function of the cosine similarity between positive and negative samples, and sigmoid(y) is the probability that the positive sample is correctly predicted; During training, by minimizing L Mix To optimize the model, we obtain the final threat intelligence named entity recognition model.