The asymmetrical nature of the modern cyber threat landscape allows advanced persistent threats (APTs) to innovate tactics at a significantly faster rate than defensive frameworks can document them. While the MITRE ATT&CK® framework provides a standardized taxonomy of known behaviors, it essentially functions as a retrospective database — a "dictionary of the past" which fails to anticipate future "zero-day" tactics, techniques, and procedures (TTPs). This paper introduces Evo-TTP, a comprehensive framework for the predictive generation of novel and robust tactics, techniques, and procedures via big data mining and adversarial learning. By leveraging the massive structured data from the MITRE ATT&CK® Enterprise Matrix v18.0, Evo-TTP treats the prediction of future threats as a high-dimensional pattern completion problem. Our methodology addresses two primary failures in current generative AI applications to big data: mode collapse, which refers to hallucinating biologically or technically impossible scenarios, and algorithmic brittleness, which is characterized by its susceptibility to adversarial perturbations. We employ a tripartite approach: (1) applying semantic pattern mining on the v18.0 dataset to create a baseline knowledge graph that reveals hidden correlations; (2) utilizing synthetic novelty expansion with a teacher-student architecture, using Llama-3.1-405B as the teacher and Llama-3.1-8B as the student model, to overcome data scarcity; and (3) conducting training in adversarial group relative policy optimization (GRPO). This training regime maximizes a composite reward function by balancing novelty, technical feasibility, and resilience against adversarial noise. Validated against the 2025 benchmarks and vetted according to SafeGen-X principles, Evo-TTP demonstrates a 23.1% increase in utility and an 18.2% improvement in robustness to adversarial attacks when compared with standard fine-tuning methods.
This research positions generative AI not only as a text processor but also as a critical instrument in big data for uncovering the hidden evolutionary mechanics of cyberwarfare.
Citation: Dilkhaz Mohammed, Shahram Jamali. Evo-TTP: Generative and robust prediction of novel cyber threat tactics using adversarial fine-tuning of large language models[J]. AIMS Electronics and Electrical Engineering, 2026, 10(2): 314-333. doi: 10.3934/electreng.2026013