The rapid evolution of cyber threats has highlighted significant gaps in security knowledge integration. Cybersecurity Knowledge Graphs (CKGs) relying on structured data inherently exhibit hysteresis, as the timely incorporation of rapidly evolving unstructured data remains limited, potentially leading to the omission of critical insights for risk analysis. To address these limitations, we introduce TRACE, a framework designed to integrate structured and unstructured cybersecurity data sources. TRACE integrates knowledge from 24 structured databases and 3 categories of unstructured data, including APT reports, papers, and repair notices. Leveraging Large Language Models (LLMs), TRACE facilitates efficient entity extraction and alignment, enabling continuous updates to the CKG. Evaluations demonstrate that TRACE achieves a 1.8x increase in node coverage compared to existing CKGs. TRACE attains the precision of 86.08%, the recall of 76.92%, and the F1 score of 81.24% in entity extraction, surpassing the best-known LLM-based baselines by 7.8%. Furthermore, our entity alignment methods effectively harmonize entities with existing knowledge structures, enhancing the integrity and utility of the CKG. With TRACE, threat hunters and attack analysts gain real-time, holistic insights into vulnerabilities, attack methods, and defense technologies.

翻译：网络威胁的快速演进凸显了安全知识整合方面存在的显著差距。依赖结构化数据的网络安全知识图谱（CKG）本质上存在滞后性，因为对快速演变的非结构化数据的及时整合仍然有限，这可能导致风险分析中关键洞察的遗漏。为应对这些局限性，我们提出了TRACE框架，旨在整合结构化和非结构化网络安全数据源。TRACE整合了来自24个结构化数据库和3类非结构化数据（包括APT报告、学术论文和修复通告）的知识。通过利用大型语言模型（LLMs），TRACE实现了高效的实体抽取与对齐，从而支持对CKG的持续更新。评估结果表明，与现有CKG相比，TRACE的节点覆盖范围提升了1.8倍。在实体抽取任务中，TRACE达到了86.08%的精确率、76.92%的召回率以及81.24%的F1值，较已知最佳的基于LLM的基线方法提升了7.8%。此外，我们的实体对齐方法能有效协调实体与现有知识结构，从而增强了CKG的完整性与实用性。借助TRACE，威胁猎手和攻击分析师能够实时、全面地洞察漏洞、攻击方法和防御技术。