CTI-Specialist: A Multimodal Large Language Model for the Threat Intelligence Domain

CTI-Specialist is a multimodal large language model fine-tuned specifically for the cybersecurity threat intelligence domain. It can process text, code, and structured data to assist security analysts in threat detection and intelligence analysis.

Tags: threat intelligence, cybersecurity, multimodal large model, malicious sample analysis, IOC extraction, security AI, fine-tuning, CTI

Published 2026-04-30 23:37
Recent activity 2026-04-30 23:53
Estimated read 6 min

Section 01

CTI-Specialist Guide: A Multimodal Large Model for Threat Intelligence

CTI-Specialist is a multimodal large language model fine-tuned for the cybersecurity threat intelligence domain. It can process text, code, and structured data, and is positioned as an intelligent assistant for security analysts to help complete tasks such as malicious sample analysis, IOC extraction, and attack chain reconstruction, addressing the shortcomings of traditional methods and general-purpose large models in the threat intelligence field.


Section 02

Challenges in Cybersecurity Threat Intelligence

Today's cybersecurity threats are complex and stealthy, with new forms of attack such as APT campaigns and ransomware emerging continually. Threat intelligence work faces massive data volumes, heterogeneous formats, and a high expertise barrier. Traditional rule matching struggles with variant threats, and general-purpose large models lack specialist knowledge of the security domain.


Section 03

Technical Architecture and Training Methods of CTI-Specialist

  • Base model selection: built on open-source models with 7B-13B parameters, balancing performance against deployment cost;
  • Domain data construction: integrates public sources such as MISP, VirusTotal, security vendor reports, vulnerability databases, malicious sample analysis reports, and expert-annotated data;
  • Fine-tuning strategy: three stages (domain pre-training → instruction fine-tuning → multimodal alignment) to inject security domain knowledge and multimodal capabilities.


Section 04

Typical Application Scenarios of CTI-Specialist

  1. Malicious script analysis: Interpret obfuscated script logic and identify suspicious behaviors;
  2. Threat report summarization: Automatically extract key information from reports to generate structured summaries;
  3. Attack incident investigation: Integrate clues to restore the attack chain and provide investigation directions;
  4. Intelligence Q&A: Query threat knowledge in natural language and return accurate results along with sources.

Section 05

Technical Challenges and Solutions

  • Data sensitivity: apply desensitization processing and synthetic data generation so that training data does not expose private or victim-identifying information;
  • Knowledge timeliness: combine the model with RAG to query the latest intelligence and compensate for the training cutoff;
  • False positive risk: emphasize interpretability and provide the evidence behind each finding so that analysts can review it manually;
  • Adversarial attacks: introduce adversarial sample training to improve robustness.
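As an added example of the desensitization step in the first bullet (not code from the CTI-Specialist project), the function below masks victim-identifying values in a constructed incident write-up while keeping attacker-side indicators, which are the intelligence the model should learn from. The victim domain `acme-corp.example`, the sample text and the placeholder scheme are assumptions for the demonstration.

```python
import ipaddress
import re

# Constructed sample write-up (not real data): victim details are mixed with
# the attacker-side indicators an analyst wants to keep in the training set.
SAMPLE_REPORT = (
    "On 2026-03-02 user j.doe@acme-corp.example opened a macro document. "
    "The host fs01.acme-corp.example (10.20.30.40) then beaconed to "
    "198.51.100.7 over TCP/443 and pulled a stage-2 payload from "
    "update.badcdn.example. Lateral movement reached 10.20.30.41."
)
IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
EMAIL_RE = re.compile(r"\b[\w.+-]+@(?:[\w-]+\.)+[a-z]{2,}\b", re.I)
HOST_RE = re.compile(r"\b(?:[\w-]+\.)+[a-z]{2,}\b", re.I)
# RFC 1918, loopback and link-local: addresses that identify the victim network.
VICTIM_NETS = [ipaddress.ip_network(n) for n in
               ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]


def desensitize(text, victim_domains):
    """Replace victim-identifying values with stable placeholders, keep public
    (attacker-side) indicators. Returns (cleaned_text, mapping); the mapping
    stays with the data owner and never enters the dataset."""
    victim_domains = {d.lower() for d in victim_domains}
    mapping, counts = {}, {}

    def placeholder(kind, value):  # same value -> same placeholder
        if value not in mapping:
            counts[kind] = counts.get(kind, 0) + 1
            mapping[value] = f"<{kind}_{counts[kind]}>"
        return mapping[value]

    def is_victim(name):
        name = name.lower()
        return any(name == d or name.endswith("." + d) for d in victim_domains)

    def ip_sub(m):
        try:
            addr = ipaddress.ip_address(m.group(0))
        except ValueError:  # e.g. 999.1.2.3 matched the loose regex
            return m.group(0)
        # Anything outside the victim ranges is most likely attacker infrastructure: keep it.
        return placeholder("INTERNAL_IP", m.group(0)) if any(addr in n for n in VICTIM_NETS) else m.group(0)

    def email_sub(m):
        domain = m.group(0).rsplit("@", 1)[1]
        return placeholder("VICTIM_EMAIL", m.group(0)) if is_victim(domain) else m.group(0)

    def host_sub(m):
        return placeholder("VICTIM_HOST", m.group(0)) if is_victim(m.group(0)) else m.group(0)

    text = IP_RE.sub(ip_sub, text)
    text = EMAIL_RE.sub(email_sub, text)  # before hosts, so the domain part is not split
    text = HOST_RE.sub(host_sub, text)
    return text, mapping
```

Calling `desensitize(SAMPLE_REPORT, {"acme-corp.example"})` keeps `198.51.100.7` and `update.badcdn.example` but replaces the user, the internal host and both RFC 1918 addresses with numbered placeholders; the returned mapping is what a reviewer would keep outside the published dataset.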

Section 06

Comparative Advantages Over Existing Solutions

  • Traditional rule engines: poor flexibility, difficult to handle unknown threats;
  • Machine learning classifiers: insufficient generality, built for specific tasks only;
  • General-purpose large models: lack of security domain knowledge.

CTI-Specialist combines general language capabilities with domain knowledge and supports direct processing of multimodal data.

Section 07

Open Source Ecosystem and Community Contributions

Project open-source content includes: fine-tuned model weights, desensitized training datasets, complete fine-tuning code, and threat intelligence task evaluation benchmarks, aiming to promote collaboration and technology sharing in the security AI field.


Section 08

Limitations and Future Directions

Limitations:

  • Insufficient coverage of emerging threats;
  • Non-English support needs improvement;
  • Poor real-time performance;
  • Ethical compliance needs attention.

Future directions:

  • Expand threat coverage;
  • Enhance multilingual capabilities;
  • Optimize real-time inference;
  • Establish usage guidelines and review mechanisms.