Summary

Cybersecurity incident repositories contain large volumes of narrative descriptions that must be transformed into structured representations to support analysis, reporting, and coordinated response in critical infrastructures. This paper investigates the feasibility of automating this process using a transformer-based named entity recognition (NER) approach aligned with the

VERIS 4A framework. The aim of the work is to evaluate whether a domain-specialized language model can reliably extract ACTOR, ACTION, and ASSET entities from unstructured cybersecurity incident narratives.

To this end, a BERT-like model (Bidirectional Encoder Representations from Transformers) previously trained on cybercrime-related text is adapted for token classification by replacing its pre-training head with a named entity recognition layer. The model is fine-tuned on a corpus of 2,200 manually annotated incident narratives derived from validated records, which are split into training and evaluation subsets. Model performance is assessed using standard token-level metrics to measure classification accuracy, precision, recall, and F1 scores. The experimental results indicate that the proposed approach achieves high token-level accuracy and produces confidence estimates suitable for analyst review, demonstrating its potential to support semi-automated processing of incident reports. At the same time, the evaluation highlights limitations in entity boundary detection, particularly affecting precision and recall. The study concludes that transformer-based token classification is a viable approach for structuring cybersecurity incident narratives in critical infrastructure contexts, while improvements in annotation coverage and fine-tuning strategies are required to enhance robustness and generalization.

Additional informations

Publication type Session Materials
Reference D2_12394_2026
Publication year
Publisher CIGRE
Country Paraguay
Study committees
File size 810 KB
Price for non member 30 €
Price for member 30 €

Authors

BENITEZ Guido - ITAIPU BINACIONAL / UNE; PELAEZ Jose - UMA; SANTO-ORCERO David - UMA

Keywords

Cyber Threat Intelligence, Critical Infrastructure, Named Entity Recognition, NLP, Token Classification, VERIS, Transformers

VERISBERT: Exploring darkBERT’s Capabilities for Cyber Threat Intelligence in Critical Infrastructure