Large Language Models (LLMs) such as Gemma-2B have shown strong performance in various natural language processing tasks. However, general-purpose models often lack the domain expertise required for cybersecurity applications. This work presents a methodology to fine-tune the Gemma-2B model into a domain-specific cybersecurity LLM. We detail the processes of dataset preparation, fine-tuning, and synthetic data generation, along with implications for real-world applications in threat detection, forensic investigation, and attack analysis. Experiments highlight challenges in prompt length distribution during domain-specific fine-tuning. Uneven prompt lengths limit the model's effective use of the context window, constraining local inference to 200-400 tokens despite hardware support for longer sequences. Chain-of-thought styled prompts, paired with quantized weights, yielded the best performance under these constraints. To address context limitations, we employed a hybrid strategy using cloud LLMs for synthetic data generation and local fine-tuning for deployment efficiency. To extend the evaluation, we introduce a Retrieval-Augmented Generation (RAG) pipeline and graph-based reasoning framework. This approach enables structured alignment with MITRE ATT&CK techniques through STIX-based threat intelligence, enhancing recall in multi-hop and long-context scenarios. Graph modules encode entity-neighborhood context and tactic chains, helping mitigate the constraints of short prompt windows. Results demonstrate improved model alignment with tactic, technique, and procedure (TTP) coverage, validating the utility of graph-augmented LLMs in cybersecurity threat intelligence applications.

翻译：诸如Gemma-2B等大语言模型（LLMs）已在多种自然语言处理任务中展现出强大性能。然而，通用模型通常缺乏网络安全应用所需的领域专业知识。本研究提出了一种将Gemma-2B模型微调为领域特定网络安全大语言模型的方法。我们详细阐述了数据集准备、模型微调以及合成数据生成的过程，并探讨了其在威胁检测、取证调查和攻击分析等实际应用中的意义。实验揭示了领域特定微调过程中提示长度分布带来的挑战：提示长度不均限制了模型对上下文窗口的有效利用，尽管硬件支持更长的序列，但本地推理仍被约束在200-400个词元范围内。在此约束下，思维链风格的提示与量化权重相结合取得了最佳性能。为突破上下文限制，我们采用了混合策略：利用云端大语言模型生成合成数据，同时通过本地微调提升部署效率。为进一步扩展评估，我们引入了检索增强生成（RAG）流水线与基于图的推理框架。该方法通过基于STIX的威胁情报实现了与MITRE ATT&CK技术框架的结构化对齐，显著提升了多跳推理与长上下文场景中的召回率。图模块通过编码实体邻域上下文及战术链，有效缓解了短提示窗口的约束。实验结果表明，该方法提升了模型在战术、技术与过程（TTP）覆盖范围上的对齐度，验证了图增强大语言模型在网络安全威胁情报应用中的实用价值。