On the Uses of Large Language Models to Interpret Ambiguous Cyberattack
Descriptions
- URL: http://arxiv.org/abs/2306.14062v2
- Date: Tue, 22 Aug 2023 19:15:57 GMT
- Authors: Reza Fayyazi, Shanchieh Jay Yang
- Abstract summary: Tactics, Techniques, and Procedures (TTPs) are to describe how and why attackers exploit vulnerabilities.
A TTP description written by one security professional can be interpreted very differently by another, leading to confusion in cybersecurity operations.
Advancements in AI have led to the increasing use of Natural Language Processing (NLP) algorithms to assist the various tasks in cyber operations.
- Score: 1.6317061277457001
- License: http://arxiv.org/licenses/nonexclusive-distrib/1.0/
- Abstract: The volume, variety, and velocity of change in vulnerabilities and exploits
have made incident threat analysis challenging with human expertise and
experience alone. Tactics, Techniques, and Procedures (TTPs) are to describe
how and why attackers exploit vulnerabilities. However, a TTP description
written by one security professional can be interpreted very differently by
another, leading to confusion in cybersecurity operations or even business,
policy, and legal decisions. Meanwhile, advancements in AI have led to the
increasing use of Natural Language Processing (NLP) algorithms to assist the
various tasks in cyber operations. With the rise of Large Language Models
(LLMs), NLP tasks have significantly improved because of the LLM's semantic
understanding and scalability. This leads us to question how well LLMs can
interpret TTPs or general cyberattack descriptions to inform analysts of the
intended purposes of cyberattacks. We propose to analyze and compare the direct
use of LLMs (e.g., GPT-3.5) versus supervised fine-tuning (SFT) of
small-scale-LLMs (e.g., BERT) to study their capabilities in predicting ATT&CK
tactics. Our results reveal that the small-scale-LLMs with SFT provide a more
focused and clearer differentiation between the ATT&CK tactics (if such
differentiation exists). On the other hand, direct use of LLMs offers a broader
interpretation of cyberattack techniques. When treating more general cases,
despite the power of LLMs, inherent ambiguity exists and limits their
predictive power. We then summarize the challenges and recommend research
directions on LLMs to treat the inherent ambiguity of TTP descriptions used in
various cyber operations.
Related papers
- A Comprehensive Overview of Large Language Models (LLMs) for Cyber Defences: Opportunities and Directions [12.044950530380563]
The recent progression of Large Language Models (LLMs) has witnessed great success in the fields of data-centric applications.
We provide an overview for the recent activities of LLMs in cyber defence sections.
Fundamental concepts of the progression of LLMs from Transformers, Pre-trained Transformers, and GPT are presented.
arXiv Detail & Related papers (2024-05-23T12:19:07Z)
- Large Language Models for Cyber Security: A Systematic Literature Review [14.924782327303765]
We conduct a comprehensive review of the literature on the application of Large Language Models in cybersecurity (LLM4Security).
We observe that LLMs are being applied to a wide range of cybersecurity tasks, including vulnerability detection, malware analysis, network intrusion detection, and phishing detection.
Third, we identify several promising techniques for adapting LLMs to specific cybersecurity domains, such as fine-tuning, transfer learning, and domain-specific pre-training.
arXiv Detail & Related papers (2024-05-08T02:09:17Z)
- ASETF: A Novel Method for Jailbreak Attack on LLMs through Translate Suffix Embeddings [58.82536530615557]
We propose an Adversarial Suffix Embedding Translation Framework (ASETF) to transform continuous adversarial suffix embeddings into coherent and understandable text.
Our method significantly reduces the computation time of adversarial suffixes and achieves a much better attack success rate than existing techniques.
arXiv Detail & Related papers (2024-02-25T06:46:27Z)
- Learning to Generate Explainable Stock Predictions using Self-Reflective Large Language Models [54.21695754082441]
We propose a framework to teach Large Language Models (LLMs) to generate explainable stock predictions.
A reflective agent learns how to explain past stock movements through self-reasoning, while the PPO trainer trains the model to generate the most likely explanations.
Our framework can outperform both traditional deep-learning and LLM methods in prediction accuracy and Matthews correlation coefficient.
arXiv Detail & Related papers (2024-02-06T03:18:58Z)
- Large Language Models in Cybersecurity: State-of-the-Art [4.990712773805833]
The rise of Large Language Models (LLMs) has revolutionized our comprehension of intelligence bringing us closer to Artificial Intelligence.
This study examines the existing literature, providing a thorough characterization of both defensive and adversarial applications of LLMs within the realm of cybersecurity.
arXiv Detail & Related papers (2024-01-30T16:55:25Z)
- Advancing TTP Analysis: Harnessing the Power of Large Language Models with Retrieval Augmented Generation [1.2289361708127877]
It is unclear how Large Language Models (LLMs) can be used in an efficient and proper way to provide accurate responses for critical domains such as cybersecurity.
This work studies and compares the uses of supervised fine-tuning (SFT) of encoder-only LLMs vs. Retrieval Augmented Generation (RAG) for decoder-only LLMs.
Our studies show decoder-only LLMs with RAG achieve better performance than encoder-only models with SFT.
arXiv Detail & Related papers (2023-12-30T16:56:24Z)
- LLMs Killed the Script Kiddie: How Agents Supported by Large Language Models Change the Landscape of Network Threat Testing [4.899163798406851]
We explore the potential of Large Language Models to reason about threats, generate information about tools, and automate cyber campaigns.
We present prompt engineering approaches for a plan-act-report loop for one action of a threat campaign and a prompt chaining design that directs the sequential decision process of a multi-action campaign.
arXiv Detail & Related papers (2023-10-10T18:49:20Z)
- Baseline Defenses for Adversarial Attacks Against Aligned Language Models [109.75753454188705]
Recent work shows that text moderations can produce jailbreaking prompts that bypass defenses.
We look at three types of defenses: detection (perplexity based), input preprocessing (paraphrase and retokenization), and adversarial training.
We find that the weakness of existing discretes for text, combined with the relatively high costs of optimization, makes standard adaptive attacks more challenging for LLMs.
arXiv Detail & Related papers (2023-09-01T17:59:44Z)
- Visual Adversarial Examples Jailbreak Aligned Large Language Models [66.53468356460365]
We show that the continuous and high-dimensional nature of the visual input makes it a weak link against adversarial attacks.
We exploit visual adversarial examples to circumvent the safety guardrail of aligned LLMs with integrated vision.
Our study underscores the escalating adversarial risks associated with the pursuit of multimodality.
arXiv Detail & Related papers (2023-06-22T22:13:03Z)
- Towards Automated Classification of Attackers' TTPs by combining NLP with ML Techniques [77.34726150561087]
We evaluate and compare different Natural Language Processing (NLP) and machine learning techniques used for security information extraction in research.
Based on our investigations we propose a data processing pipeline that automatically classifies unstructured text according to attackers' tactics and techniques.
arXiv Detail & Related papers (2022-07-18T09:59:21Z)
- Trojaning Language Models for Fun and Profit [53.45727748224679]
TROJAN-LM is a new class of trojaning attacks in which maliciously crafted LMs trigger host NLP systems to malfunction.
By empirically studying three state-of-the-art LMs in a range of security-critical NLP tasks, we demonstrate that TROJAN-LM possesses the following properties.
arXiv Detail & Related papers (2020-08-01T18:22:38Z)
This list is automatically generated from the titles and abstracts of the papers in this site.