🤖 AI Summary
Existing cybersecurity systems struggle to rapidly identify emerging threats under scarce labeled data. This work proposes a novel approach integrating semantic prototype learning, meta-alignment, and adaptive routing: it leverages large language models to transform unstructured threat intelligence into semantic prototypes, aligns multi-source behavioral features through contrastive fine-tuning, episodic meta-learning, and knowledge distillation, and employs an adaptive routing mechanism to enable unified generalization for both seen and unseen threats. The method is the first to jointly address semantic overlap, modality heterogeneity, class imbalance, and open-set challenges. Evaluated on seven benchmarks, it surpasses current state-of-the-art methods by an average of 10.8 percentage points, with a maximum improvement of 18.1 points, achieving the best-reported inductive generalized zero-shot threat classification performance.
📝 Abstract
Cybersecurity systems must adapt rapidly to emerging threats. However, labeled data for new threat categories is unavailable when those threats first appear. Generalized zero-shot learning offers a natural solution by enabling recognition of unseen classes through auxiliary semantic knowledge rather than labeled examples. Large language models are particularly promising in this setting because they can convert unstructured CTI reports into semantic prototypes for emerging threats. However, applying language-driven zero-shot learning to cybersecurity is difficult due to strong semantic overlap between threat descriptions, heterogeneity between behavioral attributes and text, severe class imbalance, and open-set conditions where unseen threats are unknown during training. We propose SMETA-ZSL, that learns semantic prototypes from overlapping language descriptions through contrastive finetuning, aligns behavioral features through episodic meta-learning and knowledge distillation, and performs adaptive routing for generalization across seen-unseen classes. Across 7 benchmarks, SMETA-ZSL delivers the strongest overall generalized zero-shot performance under the strictest inductive setting, surpassing prior methods by 10.8 points on average, with gains up to 18.1 points. Github:https://github.com/Security-And-Intelligence-Lab-UTEP/SMETA-ZSL