To address the increasing complexity and frequency of cybersecurity incidents emphasized by recent cybersecurity threat reports, which count over 10 billion instances, cyber threat intelligence (CTI) plays a critical role in the modern cybersecurity landscape by offering the insights required to understand and combat the constantly evolving nature of cyber threats. Inspired by the powerful capability of large language models (LLMs) in handling complex tasks, in this paper we introduce a framework to benchmark, elicit, and improve the cybersecurity incident analysis and response abilities of LLMs for Security Events (SEvenLLM). Specifically, we create a high-quality bilingual instruction corpus by crawling raw cybersecurity text from cybersecurity websites, overcoming the lack of effective data for information extraction. We then design a pipeline that auto-selects tasks from a task pool and converts the raw text into supervised corpora of question-response pairs. The resulting instruction dataset, SEvenLLM-Instruct, is used to train cybersecurity LLMs with a multi-task learning objective (27 well-designed tasks) to augment the analysis of cybersecurity events. Extensive experiments on our curated benchmark (SEvenLLM-bench) demonstrate that SEvenLLM performs more sophisticated threat analysis and fortifies defenses against the evolving landscape of cyber threats.
Translation: To address the increasingly complex and frequent cybersecurity incidents emphasized in recent cybersecurity threat reports, numbering more than ten billion, cyber threat intelligence plays a key role in modern cybersecurity by providing the insight needed to understand and respond to constantly evolving cyber threats. Inspired by the powerful capability of large language models in handling complex tasks, this paper proposes a framework for evaluating, eliciting, and improving the ability of large language models to analyze and respond to security events. Specifically, we build a high-quality bilingual instruction corpus by crawling raw cybersecurity text from cybersecurity websites, to overcome the shortage of effective data in the field of information extraction. We then design an automated pipeline that selects tasks from a task pool and converts the raw text into a supervised corpus consisting of questions and answers. The instruction dataset SEvenLLM-Instruct is used to train a large language model for the cybersecurity domain with a multi-task learning objective comprising 27 carefully designed tasks, aiming to enhance the analysis of cybersecurity events. Extensive experiments on our constructed benchmark show that SEvenLLM can perform more sophisticated threat analysis and strengthen defenses against the evolving cyber threat landscape.
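The task-pool selection and raw-text-to-instruction conversion described in the abstract, as an added example that is not the paper's code: it assumes a hypothetical two-task pool with regex-derived answers (the paper's 27 tasks and its response-generation method are not given on this page) and a constructed CTI snippet, and emits bilingual instruction records in the question-response layout the abstract describes.

```python
import json
import re
from dataclasses import dataclass
from typing import Callable

# Constructed sample of crawled CTI text (assumption: not from the paper's corpus).
RAW_TEXT = (
    "On 2024-03-02 the campaign exploited CVE-2023-4863 in outdated browsers. "
    "Beaconing went to 203.0.113.7 and 198.51.100.22 before the host was isolated."
)
CVE_RE = re.compile(r"\bCVE-\d{4}-\d{4,}\b")
IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")

@dataclass
class Task:
    name: str
    questions: dict                  # bilingual instruction text keyed by language
    applies: Callable[[str], bool]   # trigger: does this task fit the raw text?
    answer: Callable[[str], str]     # supervised response derived from the text

# Hypothetical two-task pool standing in for the paper's 27 tasks.
TASK_POOL = [
    Task("cve_extraction",
         {"en": "Which CVE identifiers does the report mention?",
          "zh": "该报告提到了哪些CVE编号？"},
         lambda t: bool(CVE_RE.search(t)),
         lambda t: json.dumps(sorted(set(CVE_RE.findall(t))))),
    Task("ioc_ip_extraction",
         {"en": "List the IPv4 addresses given as indicators of compromise.",
          "zh": "列出作为失陷指标给出的IPv4地址。"},
         lambda t: bool(IP_RE.search(t)),
         lambda t: json.dumps(sorted(set(IP_RE.findall(t))))),
]

def select_tasks(text: str, pool: list) -> list:
    """Auto-select the tasks in the pool whose trigger matches this raw text."""
    return [task for task in pool if task.applies(text)]

def build_records(text: str, pool: list) -> list:
    """Convert one raw text into (instruction, input, output) records, one per language."""
    return [
        {"task": task.name, "lang": lang, "instruction": question,
         "input": text, "output": task.answer(text)}
        for task in select_tasks(text, pool)
        for lang, question in task.questions.items()
    ]

def to_jsonl(records: list) -> str:
    """Serialize records one JSON object per line, the usual instruction-tuning layout."""
    return "\n".join(json.dumps(r, ensure_ascii=False) for r in records)
```

A text that triggers no task in the pool yields no records, so only tasks the raw text can actually support enter the corpus.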