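Abstract
Cybersecurity entity recognition is the foundation for threat information extraction and knowledge graph construction, and it plays a vital role in discovering and responding to cyber threats. To address the problems that current mainstream named entity recognition methods generalize poorly in the cybersecurity domain and have difficulty clearly determining the boundaries of cybersecurity entities, this paper proposes a cybersecurity entity recognition method based on character representation learning and temporal boundary diffusion. The method first decomposes the named entity recognition task into two subtasks, entity boundary detection and entity classification, which are handled separately. Second, for the entity boundary detection task, a question-answering-based approach encodes predefined questions together with the data, a dilated convolutional residual character network extracts character-level features from the data, and a temporal boundary diffusion network determines the entity boundaries. Then, for the entity classification task, the question-answering approach is likewise used, and a classifier is trained independently to determine the entity type. Finally, the results of the entity boundary detection task are fed into the entity classification task to determine the type of each entity. To verify the effectiveness of the method, it is tested on the cyber threat intelligence dataset DNRTI. The experimental results show that improving boundary detection efficiency effectively enhances named entity recognition performance. In cybersecurity entity recognition tasks, the method not only has low resource overhead but also improves on baseline methods proposed in recent years; compared with methods from the last two years, it improves the F1-score by 0.40%~1.65%.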
Objective: The vast amount of unstructured cybersecurity information available online holds significant value. Named Entity Recognition (NER) in cybersecurity facilitates the automatic extraction of such information, providing a foundation for cyber threat analysis and knowledge graph construction. However, existing cybersecurity NER research remains limited, primarily relying on general-purpose approaches that struggle to generalize effectively to domain-specific datasets, often resulting in errors when recognizing cybersecurity-specific terms. Some recent studies decompose the NER task into entity boundary detection and entity classification, optimizing these subtasks separately to enhance performance. However, the representation of complex cybersecurity entities often exceeds the capability of single-feature semantic representations, and existing boundary detection methods frequently produce misjudgments. To address these challenges, this study proposes a cybersecurity entity recognition approach based on character representation learning and temporal boundary diffusion. The approach integrates character-level feature extraction with a boundary diffusion network based on a denoising diffusion probabilistic model. By focusing on optimizing entity boundary detection, the proposed method improves performance in cybersecurity NER tasks.

Methods: The proposed approach divides the NER task into two subtasks: entity boundary detection and entity classification, which are processed independently, as illustrated (Fig. 1). For entity boundary detection, a Question-Answering (QA) framework is adopted. The framework first generates questions about the entities to be extracted, concatenates them with the corresponding input sentences, and encodes them using a pre-trained BERT model to extract preliminary semantic features. Character-level feature extraction is then performed using a Dilated Convolutional Residual Character Network (DCR-CharNet), which processes character-level information through dilated residual blocks. Dilated convolution expands the model's receptive field, capturing broader contextual information, while a self-attention mechanism dynamically identifies key features. These components enhance the global representation of input data and provide multi-dimensional feature representations. A Temporal Boundary Diffusion Network (TBDN) is then applied for entity boundary detection. TBDN employs a fixed forward diffusion process that introduces Gaussian noise to entity boundaries at each time step, progressively blurring them. A learnable reverse diffusion process subsequently predicts and removes noise at each time step, enabling the gradual recovery of accurate entity boundaries and leading to precise boundary detection. For entity classification, an independent network is trained to assign labels to detected entities. Like boundary detection, this subtask also adopts a QA framework. A cybersecurity-specific pre-trained language model, SecRoBERTa, encodes the concatenated question and input data to extract entity classification features. These features are then processed through a linear-layer-based entity classifier, which outputs the recognized entity type.

Results and Discussions: The performance of the proposed approach is evaluated on the DNRTI cybersecurity dataset, with comparative results against baseline methods presented (Table 3). The proposed approach achieved a 0.40% improvement in F1-score over UTERMMF, a model incorporating character-level, part-of-speech, and positional features along with inter-word relationship classification. Compared to CTERMRFRAT, which employs an adversarial training framework, the proposed approach improved the F1-score by 1.65%. Additionally, it outperformed BERT+BiLSTM+CRF by 5.20% and achieved gains of 12.21%, 17.90%, and 18.31% over BERT, CNN+BiLSTM+CRF, and IDCNN+CRF, respectively. These results highlight that boundary detection accuracy is a key factor limiting NER performance, and optimizing boundary detection methods can significantly enhance overall model effectiveness. The proposed approach's emphasis on boundary detection enables more accurate identification of entity boundaries, contributing to higher F1-scores. However, in terms of accuracy, it slightly underperforms CNN+BiLSTM+CRF. This discrepancy is attributed to class imbalance in the dataset, where certain categories are overrepresented while others are underrepresented. The approach demonstrates strong performance in handling minority categories, but its focus on rare entities slightly reduces prediction accuracy for common categories, affecting overall accuracy. Despite this trade-off, the approach enhances entity boundary detection, reducing misidentifications and improving precision and recall, thereby increasing the F1-score. Errors in boundary detection may propagate to the entity classification stage, impacting overall accuracy. However, the proposed two-stage approach, which prioritizes boundary detection optimization, ensures more precise boundary identification, which is crucial for improving NER performance. In terms of computational efficiency, the proposed approach is compared with DiffusionNER (Table 4), another diffusion-based NER model. Results indicate that the proposed approach requires fewer parameters, achieves faster inference speeds, and delivers higher F1-scores under the same hardware and software conditions.

Conclusions: Enhancing boundary detection efficiency significantly improves NER performance. The proposed approach reduces resource consumption while achieving superior performance compared to recent baseline methods in cybersecurity NER tasks.
Authors
HU Ze (胡泽); LI Wenjun (李文君); YANG Hongyu (杨宏宇)
(School of Safety Science and Engineering, Civil Aviation University of China, Tianjin 300300, China; School of Computer Science and Technology, Civil Aviation University of China, Tianjin 300300, China)
Source
Journal of Electronics & Information Technology (《电子与信息学报》)
Peking University Core Journal (北大核心)
2025, Issue 5, pp. 1554-1568 (15 pages)
Funding
National Natural Science Foundation of China (62201576, U1833107); National Natural Science Foundation of China supporting fund (3122023PT10).
Keywords
Named Entity Recognition (NER)
Cybersecurity
Boundary detection
Deep learning
Natural language processing