- The paper introduces IOCRegex-gen, an LLM-based system that automates translating CTI IOCs into deployable regexes for SOCs.
- It employs a two-phase approach with capture group identification and iterative reasoning, achieving a 99.1% hit rate with low false positives.
- Evaluation on over 3,000 CTI reports demonstrates scalability, high syntactic consistency across models, and robust performance against adversarial inputs.
Automating CTI Operationalization: Regex Generation for Security IOCs via LLMs
Introduction and Motivation
The operational utility of Cyber Threat Intelligence (CTI) in Security Operations Centers (SOCs) is critically dependent on the effective translation of Indicators of Compromise (IOCs) into machine-actionable forms that support detection, forensics, and rule construction. While most automated pipelines focus on extracting IOCs from free-text CTI, the translation of these artifacts into regular expressions (regexes)—the operational primitives for log hunting and SIEM rule matching—has remained an error-prone and labor-intensive task, bottlenecked by manual regex engineering. Existing works leveraging LLMs predominantly output IOCs as raw strings, failing to bridge the gap between CTI intelligence and actionable security automation.
This work introduces IOCRegex-gen, an LLM-based system for automatic, scalable, and semantically precise translation of extracted IOCs into deployable regexes. The framework targets high-value IOC classes (file paths, registry keys, and command line arguments), proposes a knowledge-enhanced capture-group identification mechanism, and couples it with reasoning-driven, iterative LLM-based regex synthesis. The design explicitly addresses the limitations of naive regex translation with LLMs, including imprecise grouping, syntactic errors, and the generation of trivial or over-general patterns.
Figure 2: An illustrative example underscores the diversity and context-sensitivity of IOC variants that challenge naive regex construction.
System Architecture
The IOCRegex-gen pipeline comprises two main phases: Capture Group Finding and Regex Generation, each engineered to address distinct sources of incompleteness and error.
- The Capture Group Finding phase utilizes a curated graph database of OS-native file paths, registry keys, and CLI syntax trees to determine which IOC substrings correspond to stable (capture group) versus attacker-controlled (non-capture group) components. Preprocessing standardizes diverse IOC presentations, and algorithms traverse database trees to align extracted string elements with canonical OS entities, enabling robust and context-aware group segmentation.
Figure 1: The hierarchical tree structures of file paths and command line arguments in the graph database facilitate accurate identification of canonical components.
- The Regex Generation phase employs a reasoning-based, multi-loop LLM pipeline. Initial regex proposals are generated with guidance from capture group output. Subsequent debugging, non-capture group validation, and over-generalization rejection steps iteratively refine the regex pattern, leveraging regex debuggers and synthetic test case generation to ensure both syntactic validity and semantic alignment. The selection of final patterns is governed by a grading metric balancing capture group inclusion with penalization of excessive generalization.
Figure 4: The IOCRegex-gen approach: from IOCs, through grouping, regex generation, iterative refinement, and selection based on scoring.
Figure 3: The system’s reasoning-based regex generation workflow implements stepwise construction, validation, filtering, and scoring.
Evaluation
Data and Metrics
- A corpus of over 3,000 real CTI reports was used for IOC extraction, with more than 63,000 candidate IOCs parsed and classified into regex-applicable types (file path, registry, CLI arguments).
- Regexes were evaluated against 2,400+ ground-truth strings extracted from MITRE ATT&CK Evaluation SIEM output screenshots, ensuring absence of overlap with CTI-derived inputs.
Key Numerical Results:
False Positives, Generalization, and Specificity:
- False positive analysis shows the remaining errors are induced by attacker artifacts in non-standard directories, not reflected in the OS-native database, and are operationally trivial to filter in practice.
- Over-generalization is controlled via scoring and synthetic negative matching; regexes avoid simplistic catch-all patterns and retain multi-component matching logic.
- Levenshtein similarity assessment shows mean similarity scores around 0.4, confirming regexes introduce substantial abstraction over literal IOC matching, essential for robust detection in adversarial settings.
Figure 6: Distribution of similarity scores between regexes and their source IOCs reveals a broad spectrum, with average similarity near 0.4, indicating adequate generalization without drifting from original intent.
Cross-Model Consistency
- Structural analysis of regexes generated by GPT-4o, LLaMA3, and DeepSeek-V3 demonstrates high syntactic resemblance (cosine similarity >0.97), confirming the approach's invariance to LLM selection among state-of-the-art models.
Implications and Future Directions
The IOCRegex-gen system robustly automates the conversion of CTI-extracted IOCs into deployable regexes, enabling significant labor and time reduction in SOC operationalization workflows. The design directly addresses the adversarial nature, structural variability, and limited positive-negative sample regimes in real-world CTI, improving over prior approaches in both regex synthesis fidelity and practical utility.
- For SOCs, the deployment of IOCRegex-gen means scalable, analyst-independent production of high-quality regexes suitable for immediate SIEM integration or forensics workflows.
- Methodologically, the work motivates a shift from direct, prompt-based code synthesis to structured, context-enhanced, and validation-driven LLM pipelines in security automation.
Future research can extend this paradigm to:
- Incorporate adversarial test case generation for further robustness.
- Integrate active learning cycles to refine the capture group schema for non-Windows OSes or novel attacker tooling.
- Develop hybrid symbolic-LLM systems that can propose regexes with formal guarantees of coverage and bounded false positive rates.
Conclusion
IOCRegex-gen constitutes a significant advance in CTI operationalization: it bridges the automation gap between IOC extraction and actionable regex deployment through domain-aware grouping and robust, iterative LLM-guided pattern generation. Its empirical performance on real-world datasets demonstrates its viability for large-scale SOC deployment, marking a transition point for automated, high-accuracy threat detection infrastructure.