跳到主要內容

簡易檢索 / 詳目顯示

研究生: 顏聖峰
Yen, Sheng-Fong
論文名稱: 基於LLM建構威脅情報知識圖譜 - 以SQL漏洞為例
LLM-based Threat Intelligence Knowledge Graph Construction: A Case Study on SQL Injection Vulnerabilities
指導教授: 蔡子傑
口試委員: 周承復
吳曉光
陳伶志
蔡子傑
學位類別: 碩士
Master
系所名稱: 資訊學院 - 資訊安全碩士學位學程
Master Program in Information Security
論文出版年: 2026
畢業學年度: 114
語文別: 中文
論文頁數: 48
中文關鍵詞: 知識圖譜大型語言模型自然語言處理威脅情報SQL 注入
外文關鍵詞: Knowledge Graph, Large Language Model, Natural Language Processing, Threat Intelligence, SQL Injection
相關次數: 點閱:6下載:0
分享至:
查詢本校圖書館目錄 查詢臺灣博碩士論文知識加值系統 勘誤回報
  • 隨著網頁應用與雲端服務快速發展,SQL Injection仍為常見且具高風險之網路攻擊類型。現有漏洞資訊與威脅情報多以非結構化文字形式存在於安全報告中,缺乏一致之格式與語意關聯,增加後續威脅分析與知識整合之困難。因此,如何有效將非結構化威脅情報轉換為具備語意關聯之結構化知識,已成為重要研究方向。
    本研究提出一套結合大型語言模型(LLM)與知識圖譜之 SQL Injection 威脅情報建構方法,透過建立 SQL Injection 專屬威脅資訊架構,定義漏洞、攻擊參數、程式碼位置與攻擊技術之間的關聯,並以公開漏洞資料建立 SQL Injection 資料集。接著,利用 Few-shot Prompting 與模型微調方式,引導大型語言模型將非結構化漏洞描述轉換為結構化威脅情報,完成實體、關聯分析與攻擊技術分類任務。最後,將抽取結果轉換為三元組格式,建立SQL Injection 威脅情報知識圖譜,以支援漏洞關聯分析與攻擊技術查詢。
    結果顯示,本研究提出之方法能有效提升威脅情報之結構化表示能力,並完成由非結構化文字至知識圖譜之建構流程,進一步建立漏洞、攻擊行為與攻擊技術之間的語意關聯,可作為後續威脅分析、推理之基礎。


    With the rapid development of web applications and cloud services, SQL Injection is still a common and high-risk cyberattack. Existing vulnerability information and threat intelligence are mostly stored in unstructured text formats in security reports, lacking consistent formats and semantic relationships, which increases the difficulty of threat analysis and knowledge integration. Therefore, how to effectively convert unstructured threat intelligence into structured knowledge with semantic relationships has become an important research topic.
    This study proposes a SQL Injection threat intelligence construction method that combines Large Language Models (LLMs) and Knowledge Graphs. By designing a SQL Injection threat information schema, the relationships among vulnerabilities, attack parameters, code locations, and attack techniques are defined. Public vulnerability data is used to build a SQL Injection dataset. Next, Few-shot Prompting and model fine-tuning are used to guide the LLM to convert unstructured vulnerability descriptions into structured threat intelligence, including entity extraction, relation extraction, and attack technique classification tasks. Finally, the extracted results are transformed into triples to construct a SQL Injection threat intelligence knowledge graph for vulnerability relationship analysis and attack technique queries.
    The results show that the proposed method can effectively improve the structured representation of SQL Injection threat intelligence and complete the construction process from unstructured text to a knowledge graph. It also builds semantic relationships among vulnerabilities, attack behaviors, and attack techniques, which can support future threat analysis and reasoning.

    致謝 I
    摘要 II
    ABSTRACT III
    目次 IV
    表次 VI
    圖次 VII
    第一章 緒論 1
    1.1 研究背景 1
    1.2 研究動機 2
    1.3 研究目的 3
    第二章 文獻探討 4
    2.1網路威脅情報 4
    2.2 SQL INJECTION 相關研究 4
    2.3 知識圖譜 5
    2.4 自然語言處理 6
    2.5大型語言模型 7
    第三章 研究方法 8
    3.1研究架構 8
    3.2 資料收集與資料前處理 10
    3.3 SQL INJECTION威脅情報結構設計 12
    3.3.1 實體結構設計(Entity Schema Design) 12
    3.3.2 關係結構設計(Relation Schema Design) 13
    3.3.3 攻擊技術結構設計(TTP Schema Design) 14
    3.4 大型語言模型威脅情報抽取 16
    3.4.1 Few-shot 威脅情報抽取 19
    3.4.2 模型微調 23
    3.5 實驗設計與模型評估 27
    3.6 知識圖譜建構 29
    3.6.1 三元組轉換 29
    3.6.2 知識圖譜產出 30
    第四章 實驗與結果分析 32
    4.1 實驗設置 32
    4.2 威脅情報抽取結果 33
    4.2.1實驗一:Entity抽取結果(Entity Extraction Results) 33
    4.2.2實驗二:關係抽取結果(Relation Extraction Results) 34
    4.2.3實驗三:攻擊技術分類結果(TTP Classification Results) 36
    4.3 微調分析 37
    4.4 知識圖譜建構 38
    第五章 結論與未來展望 41
    5.1 結論 41
    5.2未來展望 42
    參考文獻 44

    [1] Friedberg, I., Skopik, F., Settanni, G., & Fiedler, R. (2015). Combating advanced persistent threats: From network event correlation to incident detection. Computers & Security, 48, 35–57.
    [2] OWASP Foundation. (2025). OWASP Top 10: 2025. Retrieved from
    [3] MITRE. (2025). 2025 CWE Top 25 Most Dangerous Software Weaknesses. Retrieved from
    [4] Halfond, W. G., Viegas, J., & Orso, A. (2006). A classification of SQL-injection attacks and countermeasures. In Proceedings of the IEEE International Symposium on Secure Software Engineering (pp. 13–15).
    [5] Liao, X., Yuan, K., Wang, X., Li, Z., Xing, L., & Beyah, R. (2016). Acing the IOC game: Toward automatic discovery and analysis of open-source cyber threat intelligence. In Proceedings of the 2016 ACM SIGSAC Conference on Computer and Communications Security (pp. 755–766).
    [6] Rastogi, N., Dutta, S., Zaki, M. J., Gittens, A., & Aggarwal, C. (2021). TINKER: A framework for open-source cyber threat intelligence. arXiv preprint arXiv:2105.09464.
    [7] Bridges, R. A., Jones, K. M., Iannacone, M. D., Testa, K. M., & Goodall, J. R. (2013). Automatic labeling for entity extraction in cyber security. arXiv preprint arXiv:1308.4941.
    [8] Zheng, S., Wang, F., Bao, H., Hao, Y., Zhou, P., & Xu, B. (2017). Joint extraction of entities and relations based on a novel tagging scheme. In Proceedings of ACL 2017 (pp. 1227–1236).
    [9] Sikos, L. F. (2023). Cybersecurity knowledge graphs. Knowledge and Information Systems, 65(9), 3511–3531.
    [10] Devlin, J., Chang, M. W., Lee, K., & Toutanova, K. (2019). BERT: Pre-training of deep bidirectional transformers for language understanding. In Proceedings of NAACL-HLT 2019 (pp. 4171–4186).
    [11] Brown, T., Mann, B., Ryder, N., Subbiah, M., Kaplan, J. D., Dhariwal, P & Amodei, D. (2020). Language models are few-shot learners. Advances in neural information processing systems, 33, 1877-1901.
    [12] Huang, L., & Xiao, X. (2024, October). Ctikg: Llm-powered knowledge graph construction from cyber threat intelligence. In First Conference on Language Modeling.
    [13] Yang, X., Zhong, R., Chen, Y., et al. (2026). CTI-Thinker: An LLM-driven system for CTI knowledge graph construction and attack reasoning. Cybersecurity, 9, 106.
    [14] Gao, P., Liu, X., Choi, E., Ma, S., Yang, X., & Song, D. (2023, November). Threatkg: An ai-powered system for automated open-source cyber threat intelligence gathering and management. In Proceedings of the 1st ACM Workshop on Large AI Systems and Models with Privacy and Safety Analysis (pp. 1-12).
    [15] Mouiche, I., & Saad, S. (2025). Entity and relation extractions for threat intelligence knowledge graphs. Computers & Security, 148, 104120.
    [16] Sarhan, I., & Spruit, M. (2021). Open-CyKG: An open cyber threat intelligence knowledge graph. Knowledge-Based Systems, 233, 107524.
    [17] Huang, Y., Sun, L., Wang, H., Wu, S., Zhang, Q., Li, Y., ... & Zhao, Y. (2024). Trustllm: Trustworthiness in large language models. arXiv preprint arXiv:2401.05561.
    [18] Saeed, S., Suayyid, S. A., Al-Ghamdi, M. S., Al-Muhaisen, H., & Almuhaideb, A. M. (2023). A systematic literature review on cyber threat intelligence for organizational cybersecurity resilience. Sensors, 23(16), 7273.
    [19] Husari, G., Al-Shaer, E., Ahmed, M., Chu, B., & Niu, X. (2017). TTPDrill: Automatic and accurate extraction of threat actions from unstructured text of CTI sources. In Proceedings of ACSAC 2017 (pp. 103–115).
    [20] Barnum, S. (2012) Standardizing Cyber Threat Intelligence Information with the Structured Threat Information Expression (STIX). Mitre Corporation, 11, 1-22.
    [21] Strom, B. E., Applebaum, A., Miller, D. P., Nickels, K. C., Pennington, A. G., & Thomas, C. B. (2018). MITRE ATT&CK: Design and philosophy. The MITRE Corporation.
    [22] Y. Hu, J. Zhang, X. Li, and Z. Chen, “LLM-TIKG: Threat intelligence knowledge graph construction utilizing large language model,” Computers & Security, vol. 145, p. 103999, 2024.
    [23] Valeur, F., Mutz, D., & Vigna, G. (2005, July). A learning-based approach to the detection of SQL attacks. In International Conference on Detection of Intrusions and Malware, and Vulnerability Assessment (pp. 123-140). Berlin, Heidelberg: Springer Berlin Heidelberg.
    [24] MITRE. (2025). CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'). Retrieved from
    [25] Kindy, D., & Pathan, A. S. K. (2011). A detailed survey on various aspects of SQL Injection in web applications. International Journal of Computer Science Issues, 8(6), 80–83.
    [26] Hogan, A., Blomqvist, E., Cochez, M., d’Amato, C., Melo, G. D., Gutierrez, C., ... & Zimmermann, A. (2021). Knowledge graphs. ACM Computing Surveys (Csur), 54(4), 1-37.
    [27] Vaswani, A., Shazeer, N., Parmar, N., Uszkoreit, J., Jones, L., Gomez, A. N., ... & Polosukhin, I. (2017). Attention is all you need. Advances in neural information processing systems, 30.
    [28] Li, J., Sun, A., Han, J., & Li, C. (2020). A survey on deep learning for named entity recognition. IEEE transactions on knowledge and data engineering, 34(1), 50-70.
    [29] Huang, Z., Xu, W., & Yu, K. (2015). Bidirectional LSTM-CRF models for sequence tagging. arXiv preprint arXiv:1508.01991.
    [30] Mikolov, T., Chen, K., Corrado, G., & Dean, J. (2013). Efficient estimation of word representations in vector space. arXiv preprint arXiv:1301.3781.
    [31] Young, T., Hazarika, D., Poria, S., & Cambria, E. (2018). Recent trends in deep learning based natural language processing. IEEE Computational Intelligence Magazine, 13(3), 55–75.
    [32] Touvron, H., Lavril, T., Izacard, G., Martinet, X., Lachaux, M. A., Lacroix, T., ... & Lample, G. (2023). Llama: Open and efficient foundation language models. arXiv preprint arXiv:2302.13971.
    [33] Hu, E. J., Shen, Y., Wallis, P., Allen-Zhu, Z., Li, Y., Wang, S., ... & Chen, W. (2022). Lora: Low-rank adaptation of large language models. Iclr, 1(2), 3.
    [34] Shen, Y., Heacock, L., Elias, J., Hentel, K. D., Reig, B., Shih, G., & Moy, L. (2023). ChatGPT and Other Large Language Models Are Double-edged Swords. Radiology, 307(2), e230163.
    [35] Li, Z., Zeng, J., Chen, Y., & Liang, Z. (2022, September). AttacKG: Constructing technique knowledge graph from cyber threat intelligence reports. In European symposium on research in computer security (pp. 589-609). Cham: Springer International Publishing.

    無法下載圖示 全文公開日期 2031/07/06
    QR CODE
    :::