DOI: 10.14569/IJACSA.2026.0170233

Hybrid BERT–BiLSTM Architecture for Enhanced Cyber Threat Intelligence Classification

Author 1: Syarif Hidayatulloh
Author 2: Salman Topiq
Author 3: Ifani Hariyanti
Author 4: Dwi Sandini

International Journal of Advanced Computer Science and Applications(IJACSA), Volume 17 Issue 2, 2026.

Abstract: Cyber Threat Intelligence (CTI) plays a crucial role in supporting proactive cybersecurity defence by offering insights into adversarial behaviours and attack tactics. However, CTI data are mainly presented in unstructured natural language, characterised by dense technical terminology, implicit attack semantics, and sequential descriptions of multi-stage threat activities. While transformer-based language models such as BERT have shown strong contextual representation abilities, they are naturally limited in explicitly modelling long-range sequential dependencies that often occur in CTI narratives. On the other hand, recurrent neural networks like BiLSTM effectively capture temporal dependencies, but lack deep contextual understanding. This study proposes a hybrid BERT–BiLSTM architecture that combines the contextual semantic strengths of transformers with the sequential learning abilities of bidirectional recurrent networks for improved CTI text classification. In the proposed framework, BERT acts as a feature extractor to produce contextualised token representations, which are then processed by a BiLSTM layer to model the progression of threats before final classification. A unified experimental setup is used, employing a publicly available CTI dataset, with consistent preprocessing, training strategies, and evaluation metrics to ensure fair assessment. Experimental results show that the proposed hybrid model consistently surpasses standalone BERT and BiLSTM baselines across multiple performance metrics, including accuracy and macro F1-score, with significant improvements especially in minority and semantically ambiguous threat categories. Further analysis indicates that the hybrid architecture effectively reduces common misclassification patterns caused by overlapping attack stages and implicit indicators. These findings demonstrate the effectiveness of combining contextual and sequential modelling approaches for CTI analysis. The proposed BERT–BiLSTM framework provides a robust and interpretable solution for automated CTI classification and offers practical insights for deploying hybrid deep learning architectures in real-world cybersecurity intelligence systems.

Keywords: Cyber Threat Intelligence; hybrid deep learning; BERT–BiLSTM architecture; text classification; sequential modelling; cybersecurity natural language processing

Syarif Hidayatulloh, Salman Topiq, Ifani Hariyanti and Dwi Sandini. “Hybrid BERT–BiLSTM Architecture for Enhanced Cyber Threat Intelligence Classification”. International Journal of Advanced Computer Science and Applications (IJACSA) 17.2 (2026). http://dx.doi.org/10.14569/IJACSA.2026.0170233

@article{Hidayatulloh2026,
title = {Hybrid BERT–BiLSTM Architecture for Enhanced Cyber Threat Intelligence Classification},
journal = {International Journal of Advanced Computer Science and Applications},
doi = {10.14569/IJACSA.2026.0170233},
url = {http://dx.doi.org/10.14569/IJACSA.2026.0170233},
year = {2026},
publisher = {The Science and Information Organization},
volume = {17},
number = {2},
author = {Syarif Hidayatulloh and Salman Topiq and Ifani Hariyanti and Dwi Sandini}
}


Copyright Statement: This is an open access article licensed under a Creative Commons Attribution 4.0 International License, which permits unrestricted use, distribution, and reproduction in any medium, even commercially as long as the original work is properly cited.

IJACSA

Upcoming Conferences

Computer Vision Conference (CVC) 2026

21-22 May 2026

Computing Conference 2026

9-10 July 2026

Artificial Intelligence Conference 2026

3-4 September 2026

Future Technologies Conference (FTC) 2026

15-16 October 2026