Automating Cyber Threat Hunting Using NLP, Automated Query Generation,
and Genetic Perturbation
- URL: http://arxiv.org/abs/2104.11576v1
- Date: Fri, 23 Apr 2021 13:19:12 GMT
- Title: Automating Cyber Threat Hunting Using NLP, Automated Query Generation,
and Genetic Perturbation
- Authors: Prakruthi Karuna and Erik Hemberg and Una-May O'Reilly and Nick Rutar
- Abstract summary: We have developed the WILEE system that automates cyber threat hunting by translating high-level threat descriptions into many possible concrete implementations.
Both the (high-level) abstract and (low-level) concrete implementations are represented using a custom domain specific language.
WILEE uses the implementations along with other logic, also written in the DSL, to automatically generate queries to confirm (or refute) any hypotheses tied to the potential adversarial workflows.
- Score: 8.669461942767098
- License: http://creativecommons.org/licenses/by/4.0/
- Abstract: Scaling the cyber hunt problem poses several key technical challenges.
Detecting and characterizing cyber threats at scale in large enterprise
networks is hard because of the vast quantity and complexity of the data that
must be analyzed as adversaries deploy varied and evolving tactics to
accomplish their goals. There is a great need to automate all aspects, and,
indeed, the workflow of cyber hunting. AI offers many ways to support this. We
have developed the WILEE system that automates cyber threat hunting by
translating high-level threat descriptions into many possible concrete
implementations. Both the (high-level) abstract and (low-level) concrete
implementations are represented using a custom domain specific language (DSL).
WILEE uses the implementations along with other logic, also written in the DSL,
to automatically generate queries to confirm (or refute) any hypotheses tied to
the potential adversarial workflows represented at various layers of
abstraction.
Related papers
- It Is Time To Steer: A Scalable Framework for Analysis-driven Attack Graph Generation [50.06412862964449]
Attack Graph (AG) represents the best-suited solution to model and analyze multi-step attacks on computer networks.
This paper introduces an analysis-driven framework for AG generation.
It enables real-time attack path analysis before the completion of the AG generation with a quantifiable statistical significance.
arXiv Detail & Related papers (2023-12-27T10:44:58Z)
- An Approach to Abstract Multi-stage Cyberattack Data Generation for ML-Based IDS in Smart Grids [2.5655761752240505]
We propose a method to generate synthetic data using a graph-based approach for training machine learning models in smart grids.
We use an abstract form of multi-stage cyberattacks defined via graph formulations and simulate the propagation behavior of attacks in the network.
arXiv Detail & Related papers (2023-12-21T11:07:51Z)
- LLMs Killed the Script Kiddie: How Agents Supported by Large Language Models Change the Landscape of Network Threat Testing [4.899163798406851]
We explore the potential of Large Language Models to reason about threats, generate information about tools, and automate cyber campaigns.
We present prompt engineering approaches for a plan-act-report loop for one action of a threat campaign and a prompt chaining design that directs the sequential decision process of a multi-action campaign.
arXiv Detail & Related papers (2023-10-10T18:49:20Z)
- Automated Cyber Defence: A Review [0.0]
Research within Automated Cyber Defence will allow the development of intelligent responses that autonomously defend networked systems through sequential decision-making agents.
This article comprehensively elaborates the developments within Automated Cyber Defence through a requirement analysis divided into two sub-areas, namely, automated defence and attack agents, and Autonomous Cyber Operation (ACO) Gyms.
The requirement analysis is also used to critique ACO Gyms with an overall aim to develop them for deploying automated agents within real-world networked systems.
arXiv Detail & Related papers (2023-03-08T22:37:50Z)
- Towards Automated Classification of Attackers' TTPs by combining NLP with ML Techniques [77.34726150561087]
We evaluate and compare different Natural Language Processing (NLP) and machine learning techniques used for security information extraction in research.
Based on our investigations we propose a data processing pipeline that automatically classifies unstructured text according to attackers' tactics and techniques.
arXiv Detail & Related papers (2022-07-18T09:59:21Z)
- Fixed Points in Cyber Space: Rethinking Optimal Evasion Attacks in the Age of AI-NIDS [70.60975663021952]
We study blackbox adversarial attacks on network classifiers.
We argue that attacker-defender fixed points are themselves general-sum games with complex phase transitions.
We show that a continual learning approach is required to study attacker-defender dynamics.
arXiv Detail & Related papers (2021-11-23T23:42:16Z)
- Automating Privilege Escalation with Deep Reinforcement Learning [71.87228372303453]
In this work, we exemplify the potential threat of malicious actors using deep reinforcement learning to train automated agents.
We present an agent that uses a state-of-the-art reinforcement learning algorithm to perform local privilege escalation.
Our agent is usable for generating realistic attack sensor data for training and evaluating intrusion detection systems.
arXiv Detail & Related papers (2021-10-04T12:20:46Z)
- A System for Efficiently Hunting for Cyber Threats in Computer Systems Using Threat Intelligence [78.23170229258162]
We build ThreatRaptor, a system that facilitates cyber threat hunting in computer systems using OSCTI.
ThreatRaptor provides (1) an unsupervised, light-weight, and accurate NLP pipeline that extracts structured threat behaviors from unstructured OSCTI text, (2) a concise and expressive domain-specific query language, TBQL, to hunt for malicious system activities, and (3) a query synthesis mechanism that automatically synthesizes a TBQL query from the extracted threat behaviors.
arXiv Detail & Related papers (2021-01-17T19:44:09Z)
- Enabling Efficient Cyber Threat Hunting With Cyber Threat Intelligence [94.94833077653998]
ThreatRaptor is a system that facilitates threat hunting in computer systems using open-source Cyber Threat Intelligence (OSCTI).
It extracts structured threat behaviors from unstructured OSCTI text and uses a concise and expressive domain-specific query language, TBQL, to hunt for malicious system activities.
Evaluations on a broad set of attack cases demonstrate the accuracy and efficiency of ThreatRaptor in practical threat hunting.
arXiv Detail & Related papers (2020-10-26T14:54:01Z)
This list is automatically generated from the titles and abstracts of the papers in this site.