{"id":"https://openalex.org/W7154738407","doi":"https://doi.org/10.48550/arxiv.2604.14166","title":"Hierarchical Retrieval Augmented Generation for Adversarial Technique Annotation in Cyber Threat Intelligence Text","display_name":"Hierarchical Retrieval Augmented Generation for Adversarial Technique Annotation in Cyber Threat Intelligence Text","publication_year":2026,"publication_date":"2026-03-24","ids":{"openalex":"https://openalex.org/W7154738407","doi":"https://doi.org/10.48550/arxiv.2604.14166"},"language":null,"primary_location":{"id":"doi:10.48550/arxiv.2604.14166","is_oa":true,"landing_page_url":"https://doi.org/10.48550/arxiv.2604.14166","pdf_url":null,"source":{"id":"https://openalex.org/S4306400194","display_name":"arXiv (Cornell University)","issn_l":null,"issn":null,"is_oa":true,"is_in_doaj":false,"is_core":false,"host_organization":"https://openalex.org/I205783295","host_organization_name":"Cornell University","host_organization_lineage":["https://openalex.org/I205783295"],"host_organization_lineage_names":[],"type":"repository"},"license":null,"license_id":null,"version":null,"is_accepted":false,"is_published":false,"raw_source_name":null,"raw_type":"article"},"type":"preprint","indexed_in":["datacite"],"open_access":{"is_oa":true,"oa_status":"green","oa_url":"https://doi.org/10.48550/arxiv.2604.14166","any_repository_has_fulltext":true},"authorships":[{"author_position":"first","author":{"id":"https://openalex.org/A5120553862","display_name":"Filippo Morbiato","orcid":null},"institutions":[],"countries":[],"is_corresponding":false,"raw_author_name":"Morbiato, Filippo","raw_affiliation_strings":[],"raw_orcid":null,"affiliations":[]},{"author_position":"middle","author":{"id":"https://openalex.org/A5133866914","display_name":"Markus Keller","orcid":null},"institutions":[],"countries":[],"is_corresponding":false,"raw_author_name":"Keller, 
Markus","raw_affiliation_strings":[],"raw_orcid":null,"affiliations":[]},{"author_position":"middle","author":{"id":"https://openalex.org/A5101983314","display_name":"Priya Nair","orcid":"https://orcid.org/0000-0002-7712-367X"},"institutions":[],"countries":[],"is_corresponding":false,"raw_author_name":"Nair, Priya","raw_affiliation_strings":[],"raw_orcid":null,"affiliations":[]},{"author_position":"last","author":{"id":"https://openalex.org/A5133835015","display_name":"Luca Romano","orcid":null},"institutions":[],"countries":[],"is_corresponding":false,"raw_author_name":"Romano, Luca","raw_affiliation_strings":[],"raw_orcid":null,"affiliations":[]}],"institutions":[],"countries_distinct_count":0,"institutions_distinct_count":4,"corresponding_author_ids":[],"corresponding_institution_ids":[],"apc_list":null,"apc_paid":null,"fwci":null,"has_fulltext":false,"cited_by_count":0,"citation_normalized_percentile":null,"cited_by_percentile_year":null,"biblio":{"volume":null,"issue":null,"first_page":null,"last_page":null},"is_retracted":false,"is_paratext":false,"is_xpac":false,"primary_topic":{"id":"https://openalex.org/T11644","display_name":"Spam and Phishing Detection","score":0.11760000139474869,"subfield":{"id":"https://openalex.org/subfields/1710","display_name":"Information Systems"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},"topics":[{"id":"https://openalex.org/T11644","display_name":"Spam and Phishing Detection","score":0.11760000139474869,"subfield":{"id":"https://openalex.org/subfields/1710","display_name":"Information Systems"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},{"id":"https://openalex.org/T11147","display_name":"Misinformation and Its 
Impacts","score":0.10369999706745148,"subfield":{"id":"https://openalex.org/subfields/3312","display_name":"Sociology and Political Science"},"field":{"id":"https://openalex.org/fields/33","display_name":"Social Sciences"},"domain":{"id":"https://openalex.org/domains/2","display_name":"Social Sciences"}},{"id":"https://openalex.org/T12572","display_name":"Intelligence, Security, War Strategy","score":0.09870000183582306,"subfield":{"id":"https://openalex.org/subfields/3320","display_name":"Political Science and International Relations"},"field":{"id":"https://openalex.org/fields/33","display_name":"Social Sciences"},"domain":{"id":"https://openalex.org/domains/2","display_name":"Social Sciences"}}],"keywords":[{"id":"https://openalex.org/keywords/inference","display_name":"Inference","score":0.5924999713897705},{"id":"https://openalex.org/keywords/adversarial-system","display_name":"Adversarial system","score":0.5819000005722046},{"id":"https://openalex.org/keywords/adversary","display_name":"Adversary","score":0.5171999931335449},{"id":"https://openalex.org/keywords/taxonomy","display_name":"Taxonomy (biology)","score":0.5016000270843506},{"id":"https://openalex.org/keywords/context","display_name":"Context (archaeology)","score":0.45590001344680786},{"id":"https://openalex.org/keywords/annotation","display_name":"Annotation","score":0.40310001373291016},{"id":"https://openalex.org/keywords/task","display_name":"Task (project management)","score":0.3846000134944916},{"id":"https://openalex.org/keywords/bridge","display_name":"Bridge (graph theory)","score":0.34540000557899475}],"concepts":[{"id":"https://openalex.org/C41008148","wikidata":"https://www.wikidata.org/wiki/Q21198","display_name":"Computer 
science","level":0,"score":0.824400007724762},{"id":"https://openalex.org/C2776214188","wikidata":"https://www.wikidata.org/wiki/Q408386","display_name":"Inference","level":2,"score":0.5924999713897705},{"id":"https://openalex.org/C37736160","wikidata":"https://www.wikidata.org/wiki/Q1801315","display_name":"Adversarial system","level":2,"score":0.5819000005722046},{"id":"https://openalex.org/C41065033","wikidata":"https://www.wikidata.org/wiki/Q2825412","display_name":"Adversary","level":2,"score":0.5171999931335449},{"id":"https://openalex.org/C58642233","wikidata":"https://www.wikidata.org/wiki/Q8269924","display_name":"Taxonomy (biology)","level":2,"score":0.5016000270843506},{"id":"https://openalex.org/C2779343474","wikidata":"https://www.wikidata.org/wiki/Q3109175","display_name":"Context (archaeology)","level":2,"score":0.45590001344680786},{"id":"https://openalex.org/C154945302","wikidata":"https://www.wikidata.org/wiki/Q11660","display_name":"Artificial intelligence","level":1,"score":0.4325999915599823},{"id":"https://openalex.org/C2776321320","wikidata":"https://www.wikidata.org/wiki/Q857525","display_name":"Annotation","level":2,"score":0.40310001373291016},{"id":"https://openalex.org/C2780451532","wikidata":"https://www.wikidata.org/wiki/Q759676","display_name":"Task (project management)","level":2,"score":0.3846000134944916},{"id":"https://openalex.org/C23123220","wikidata":"https://www.wikidata.org/wiki/Q816826","display_name":"Information retrieval","level":1,"score":0.3492000102996826},{"id":"https://openalex.org/C100776233","wikidata":"https://www.wikidata.org/wiki/Q2532492","display_name":"Bridge (graph theory)","level":2,"score":0.34540000557899475},{"id":"https://openalex.org/C177148314","wikidata":"https://www.wikidata.org/wiki/Q170084","display_name":"Generalization","level":2,"score":0.3450999855995178},{"id":"https://openalex.org/C119857082","wikidata":"https://www.wikidata.org/wiki/Q2539","display_name":"Machine 
learning","level":1,"score":0.3418999910354614},{"id":"https://openalex.org/C152124472","wikidata":"https://www.wikidata.org/wiki/Q1204361","display_name":"Redundancy (engineering)","level":2,"score":0.3174999952316284},{"id":"https://openalex.org/C2776973144","wikidata":"https://www.wikidata.org/wiki/Q6880649","display_name":"Misuse detection","level":4,"score":0.30640000104904175},{"id":"https://openalex.org/C187191949","wikidata":"https://www.wikidata.org/wiki/Q1138496","display_name":"Profiling (computer programming)","level":2,"score":0.29679998755455017},{"id":"https://openalex.org/C177769412","wikidata":"https://www.wikidata.org/wiki/Q278090","display_name":"Prior probability","level":3,"score":0.2809999883174896},{"id":"https://openalex.org/C164614171","wikidata":"https://www.wikidata.org/wiki/Q5204775","display_name":"DECIPHER","level":2,"score":0.2702000141143799},{"id":"https://openalex.org/C124101348","wikidata":"https://www.wikidata.org/wiki/Q172491","display_name":"Data mining","level":1,"score":0.26170000433921814},{"id":"https://openalex.org/C140547941","wikidata":"https://www.wikidata.org/wiki/Q7797194","display_name":"Threat model","level":2,"score":0.25679999589920044},{"id":"https://openalex.org/C165696696","wikidata":"https://www.wikidata.org/wiki/Q11287","display_name":"Exploit","level":2,"score":0.2531999945640564},{"id":"https://openalex.org/C70518039","wikidata":"https://www.wikidata.org/wiki/Q16000077","display_name":"Dimensionality reduction","level":2,"score":0.25029999017715454}],"mesh":[],"locations_count":1,"locations":[{"id":"doi:10.48550/arxiv.2604.14166","is_oa":true,"landing_page_url":"https://doi.org/10.48550/arxiv.2604.14166","pdf_url":null,"source":{"id":"https://openalex.org/S4306400194","display_name":"arXiv (Cornell University)","issn_l":null,"issn":null,"is_oa":true,"is_in_doaj":false,"is_core":false,"host_organization":"https://openalex.org/I205783295","host_organization_name":"Cornell 
University","host_organization_lineage":["https://openalex.org/I205783295"],"host_organization_lineage_names":[],"type":"repository"},"license":null,"license_id":null,"version":null,"is_accepted":false,"is_published":null,"raw_source_name":null,"raw_type":"article"}],"best_oa_location":{"id":"doi:10.48550/arxiv.2604.14166","is_oa":true,"landing_page_url":"https://doi.org/10.48550/arxiv.2604.14166","pdf_url":null,"source":{"id":"https://openalex.org/S4306400194","display_name":"arXiv (Cornell University)","issn_l":null,"issn":null,"is_oa":true,"is_in_doaj":false,"is_core":false,"host_organization":"https://openalex.org/I205783295","host_organization_name":"Cornell University","host_organization_lineage":["https://openalex.org/I205783295"],"host_organization_lineage_names":[],"type":"repository"},"license":null,"license_id":null,"version":null,"is_accepted":false,"is_published":false,"raw_source_name":null,"raw_type":"article"},"sustainable_development_goals":[{"id":"https://metadata.un.org/sdg/16","score":0.7472038269042969,"display_name":"Peace, Justice and strong 
institutions"}],"awards":[],"funders":[],"has_content":{"pdf":false,"grobid_xml":false},"content_urls":null,"referenced_works_count":0,"referenced_works":[],"related_works":[],"abstract_inverted_index":{"Mapping":[0],"Cyber":[1],"Threat":[2],"Intelligence":[3],"(CTI)":[4],"text":[5],"to":[6,88,118],"MITRE":[7],"ATT&CK":[8,57],"technique":[9],"IDs":[10],"is":[11],"a":[12,40,73,84,98,142,147,185,192],"critical":[13],"task":[14],"for":[15],"understanding":[16],"adversary":[17],"behaviors":[18],"and":[19,92,113,138,146,157,191,214],"automating":[20],"threat":[21],"defense.":[22],"While":[23],"recent":[24],"Retrieval-Augmented":[25],"Generation":[26],"(RAG)":[27],"approaches":[28],"have":[29],"demonstrated":[30],"promising":[31],"capabilities":[32],"in":[33,179,188,195],"this":[34,68,80],"domain,":[35],"they":[36],"fundamentally":[37],"rely":[38],"on":[39],"flat":[41],"retrieval":[42,101,137],"paradigm.":[43],"By":[44],"treating":[45],"all":[46],"techniques":[47,60,119],"uniformly,":[48],"these":[49],"methods":[50],"overlook":[51],"the":[52,56,106,116,125,134,174,208],"inherent":[53],"taxonomy":[54,82],"of":[55],"framework,":[58],"where":[59],"are":[61],"structurally":[62],"organized":[63],"under":[64],"high-level":[65],"tactics.":[66],"In":[67],"paper,":[69],"we":[70,140],"propose":[71],"H-TechniqueRAG,":[72],"novel":[74],"hierarchical":[75,100,204],"RAG":[76],"framework":[77],"that":[78,152,169,202],"injects":[79],"tactic-technique":[81],"as":[83],"strong":[85],"inductive":[86],"bias":[87],"achieve":[89],"highly":[90,219],"efficient":[91],"accurate":[93],"annotation.":[94],"Our":[95],"approach":[96],"introduces":[97],"two-stage":[99],"mechanism:":[102],"it":[103],"first":[104],"identifies":[105],"macro-level":[107],"tactics":[108],"(the":[109],"adversary's":[110],"technical":[111],"goals)":[112],"subsequently":[114],"narrows":[115],"search":[117,127],"within":[120],"those":[121],"tactics,":[122],"effectively":[123],"reducing":[124],"candidate":[126],"space":[128]
,"by":[129,177],"77.5%.":[130],"To":[131],"further":[132],"bridge":[133],"gap":[135],"between":[136],"generation,":[139],"design":[141],"tactic-aware":[143],"reranking":[144],"module":[145],"hierarchy-constrained":[148],"context":[149,155],"organization":[150],"strategy":[151],"mitigates":[153],"LLM":[154,196],"overload":[156],"improves":[158],"reasoning":[159],"precision.":[160],"Comprehensive":[161],"experiments":[162],"across":[163],"three":[164],"diverse":[165],"CTI":[166],"datasets":[167],"demonstrate":[168],"H-TechniqueRAG":[170],"not":[171],"only":[172],"outperforms":[173],"state-of-the-art":[175],"TechniqueRAG":[176],"3.8%":[178],"F1":[180],"score,":[181],"but":[182],"also":[183],"achieves":[184],"62.4%":[186],"reduction":[187],"inference":[189],"latency":[190],"60%":[193],"decrease":[194],"API":[197],"calls.":[198],"Further":[199],"analysis":[200],"reveals":[201],"our":[203],"structural":[205],"priors":[206],"equip":[207],"model":[209],"with":[210,218],"superior":[211],"cross-domain":[212],"generalization":[213],"provide":[215],"security":[216],"analysts":[217],"interpretable,":[220],"step-by-step":[221],"decision":[222],"paths.":[223]},"counts_by_year":[],"updated_date":"2026-06-11T09:08:48.828518","created_date":"2026-04-18T00:00:00"}
