Papers
Topics
Authors
Recent
Search
2000 character limit reached

From IOCs to Regex: Automating CTI Operationalization for SOC with LLMs

Published 14 Apr 2026 in cs.CR | (2604.12228v1)

Abstract: Cyber Threat Intelligence (CTI) reports contain Indicators of Compromise (IOCs) that are critical for security operations. To operationalize these IOCs across heterogeneous logs, analysts often convert them into regular expressions (regexes) for tasks such as digital forensics, log parsing, and SIEM rule creation. However, regex construction is still largely manual, requiring analysts to extract IOCs from CTI reports and transform them into syntactically valid and semantically precise patterns. This process is slow, error-prone, and increasingly impractical as CTI volumes grow. Although recent studies have applied LLMs to IOC extraction, they typically output plain strings rather than regexes, limiting practical deployment. Plain IOCs cannot effectively capture variations in system context, log format, or attacker behavior. To address this gap, we propose IOCRegex-gen, a fully automated LLM-based regex generation system that converts IOCs into regexes. The system introduces two key innovations: (i) a group-aware mechanism that identifies which IOC segments should be represented as capture or non-capture groups, and (ii) an iterative reasoning and multi-stage validation pipeline to ensure syntactic validity and semantic correctness. Experiments on over 3,000 real CTI reports and 2,400 ground-truth strings from the MITRE ATT&CK Evaluation framework show that IOCRegex-gen achieves an average hit rate of 99.1% and a false-positive rate of only 0.8%, demonstrating its effectiveness for large-scale CTI processing and automated regex generation.

Summary

  • The paper introduces IOCRegex-gen, an LLM-based system that automates translating CTI IOCs into deployable regexes for SOCs.
  • It employs a two-phase approach with capture group identification and iterative reasoning, achieving a 99.1% hit rate with low false positives.
  • Evaluation on over 3,000 CTI reports demonstrates scalability, high syntactic consistency across models, and robust performance against adversarial inputs.

Automating CTI Operationalization: Regex Generation for Security IOCs via LLMs

Introduction and Motivation

The operational utility of Cyber Threat Intelligence (CTI) in Security Operations Centers (SOCs) is critically dependent on the effective translation of Indicators of Compromise (IOCs) into machine-actionable forms that support detection, forensics, and rule construction. While most automated pipelines focus on extracting IOCs from free-text CTI, the translation of these artifacts into regular expressions (regexes)—the operational primitives for log hunting and SIEM rule matching—has remained an error-prone and labor-intensive task, bottlenecked by manual regex engineering. Existing works leveraging LLMs predominantly output IOCs as raw strings, failing to bridge the gap between CTI intelligence and actionable security automation.

This work introduces IOCRegex-gen, an LLM-based system for automatic, scalable, and semantically precise translation of extracted IOCs into deployable regexes. The framework targets high-value IOC classes (file paths, registry keys, and command line arguments), proposes a knowledge-enhanced capture-group identification mechanism, and couples it with reasoning-driven, iterative LLM-based regex synthesis. The design explicitly addresses the limitations of naive regex translation with LLMs, including imprecise grouping, syntactic errors, and the generation of trivial or over-general patterns. Figure 1

Figure 2: An illustrative example underscores the diversity and context-sensitivity of IOC variants that challenge naive regex construction.

System Architecture

The IOCRegex-gen pipeline comprises two main phases: Capture Group Finding and Regex Generation, each engineered to address distinct sources of incompleteness and error.

  • The Capture Group Finding phase utilizes a curated graph database of OS-native file paths, registry keys, and CLI syntax trees to determine which IOC substrings correspond to stable (capture group) versus attacker-controlled (non-capture group) components. Preprocessing standardizes diverse IOC presentations, and algorithms traverse database trees to align extracted string elements with canonical OS entities, enabling robust and context-aware group segmentation. Figure 3

    Figure 1: The hierarchical tree structures of file paths and command line arguments in the graph database facilitate accurate identification of canonical components.

  • The Regex Generation phase employs a reasoning-based, multi-loop LLM pipeline. Initial regex proposals are generated with guidance from capture group output. Subsequent debugging, non-capture group validation, and over-generalization rejection steps iteratively refine the regex pattern, leveraging regex debuggers and synthetic test case generation to ensure both syntactic validity and semantic alignment. The selection of final patterns is governed by a grading metric balancing capture group inclusion with penalization of excessive generalization. Figure 4

    Figure 4: The IOCRegex-gen approach: from IOCs, through grouping, regex generation, iterative refinement, and selection based on scoring.

    Figure 5

    Figure 3: The system’s reasoning-based regex generation workflow implements stepwise construction, validation, filtering, and scoring.

Evaluation

Data and Metrics

  • A corpus of over 3,000 real CTI reports was used for IOC extraction, with more than 63,000 candidate IOCs parsed and classified into regex-applicable types (file path, registry, CLI arguments).
  • Regexes were evaluated against 2,400+ ground-truth strings extracted from MITRE ATT&CK Evaluation SIEM output screenshots, ensuring absence of overlap with CTI-derived inputs.

Effectiveness and Performance

Key Numerical Results:

  • IOCRegex-gen’s regexes achieve an average hit rate of 99.1% with a false-positive rate of 0.8% across all datasets.
  • On several scenarios (e.g., Enterprise2024_LockBit, Turla_Snake, APT29_scenario2), coverage is complete at 100% hit rate.
  • Ablation studies confirm that both the capture group identification and iterative reasoning modules are essential: disabling either leads to a >16% absolute drop in hit rate and a ≥23% increase in false positives compared to the full system. Figure 6

    Figure 5: Boxplots of regex scores quantify the complexity of generated patterns; average scores above 3 indicate multi-component, structured regexes consistent with operational SIEM use.

False Positives, Generalization, and Specificity:

  • False positive analysis shows the remaining errors are induced by attacker artifacts in non-standard directories, not reflected in the OS-native database, and are operationally trivial to filter in practice.
  • Over-generalization is controlled via scoring and synthetic negative matching; regexes avoid simplistic catch-all patterns and retain multi-component matching logic.
  • Levenshtein similarity assessment shows mean similarity scores around 0.4, confirming regexes introduce substantial abstraction over literal IOC matching, essential for robust detection in adversarial settings. Figure 7

    Figure 6: Distribution of similarity scores between regexes and their source IOCs reveals a broad spectrum, with average similarity near 0.4, indicating adequate generalization without drifting from original intent.

Cross-Model Consistency

  • Structural analysis of regexes generated by GPT-4o, LLaMA3, and DeepSeek-V3 demonstrates high syntactic resemblance (cosine similarity >0.97), confirming the approach's invariance to LLM selection among state-of-the-art models.

Implications and Future Directions

The IOCRegex-gen system robustly automates the conversion of CTI-extracted IOCs into deployable regexes, enabling significant labor and time reduction in SOC operationalization workflows. The design directly addresses the adversarial nature, structural variability, and limited positive-negative sample regimes in real-world CTI, improving over prior approaches in both regex synthesis fidelity and practical utility.

  • For SOCs, the deployment of IOCRegex-gen means scalable, analyst-independent production of high-quality regexes suitable for immediate SIEM integration or forensics workflows.
  • Methodologically, the work motivates a shift from direct, prompt-based code synthesis to structured, context-enhanced, and validation-driven LLM pipelines in security automation.

Future research can extend this paradigm to:

  • Incorporate adversarial test case generation for further robustness.
  • Integrate active learning cycles to refine the capture group schema for non-Windows OSes or novel attacker tooling.
  • Develop hybrid symbolic-LLM systems that can propose regexes with formal guarantees of coverage and bounded false positive rates.

Conclusion

IOCRegex-gen constitutes a significant advance in CTI operationalization: it bridges the automation gap between IOC extraction and actionable regex deployment through domain-aware grouping and robust, iterative LLM-guided pattern generation. Its empirical performance on real-world datasets demonstrates its viability for large-scale SOC deployment, marking a transition point for automated, high-accuracy threat detection infrastructure.

Paper to Video (Beta)

No one has generated a video about this paper yet.

Whiteboard

No one has generated a whiteboard explanation for this paper yet.

Open Problems

We haven't generated a list of open problems mentioned in this paper yet.

Collections

Sign up for free to add this paper to one or more collections.