Papers
Topics
Authors
Recent
Gemini 2.5 Flash
Gemini 2.5 Flash
119 tokens/sec
GPT-4o
56 tokens/sec
Gemini 2.5 Pro Pro
43 tokens/sec
o3 Pro
6 tokens/sec
GPT-4.1 Pro
47 tokens/sec
DeepSeek R1 via Azure Pro
28 tokens/sec
2000 character limit reached

Advancing TTP Analysis: Harnessing the Power of Large Language Models with Retrieval Augmented Generation (2401.00280v3)

Published 30 Dec 2023 in cs.CR and cs.LG

Abstract: Tactics, Techniques, and Procedures (TTPs) outline the methods attackers use to exploit vulnerabilities. The interpretation of TTPs in the MITRE ATT&CK framework can be challenging for cybersecurity practitioners due to presumed expertise and complex dependencies. Meanwhile, advancements with LLMs have led to recent surge in studies exploring its uses in cybersecurity operations. It is, however, unclear how LLMs can be used in an efficient and proper way to provide accurate responses for critical domains such as cybersecurity. This leads us to investigate how to better use two types of LLMs: small-scale encoder-only (e.g., RoBERTa) and larger decoder-only (e.g., GPT-3.5) LLMs to comprehend and summarize TTPs with the intended purposes (i.e., tactics) of a cyberattack procedure. This work studies and compares the uses of supervised fine-tuning (SFT) of encoder-only LLMs vs. Retrieval Augmented Generation (RAG) for decoder-only LLMs (without fine-tuning). Both SFT and RAG techniques presumably enhance the LLMs with relevant contexts for each cyberattack procedure. Our studies show decoder-only LLMs with RAG achieves better performance than encoder-only models with SFT, particularly when directly relevant context is extracted by RAG. The decoder-only results could suffer low Precision' while achieving highRecall'. Our findings further highlight a counter-intuitive observation that more generic prompts tend to yield better predictions of cyberattack tactics than those that are more specifically tailored.

Definition Search Book Streamline Icon: https://streamlinehq.com
References (18)
  1. SecureBERT: A Domain-Specific Language Model for Cybersecurity. International Conference on Security and Privacy in Communication Systems, 39–56.
  2. Transforming Healthcare Education: Harnessing Large Language Models for Frontline Health Worker Capacity Building using Retrieval-Augmented Generation. medRxiv, 2023–12.
  3. Leveraging BERT’s Power to Classify TTP from Unstructured Text. 2022 Workshop on Communication Networks and Power Systems (WCNPS), 1–7.
  4. Improving language models by retrieving from trillions of tokens. International Conference on Machine Learning, 2206–2240.
  5. BERT: Pre-training of deep bidirectional transformers for language understanding. Proceedings of NAACL-HLT, 4171–4186.
  6. On the Uses of Large Language Models to Interpret Ambiguous Cyberattack Descriptions. arXiv preprint arXiv:2306.14062.
  7. TTPDrill: Automatic and accurate extraction of threat actions from unstructured text of CTI sources. Proceedings of the 33rd annual computer security applications conference, 103–115.
  8. Comparative Experiment on TTP Classification with Class Imbalance Using Oversampling from CTI Dataset. Security and Communication Networks, 2022.
  9. RoBERTa: A Robustly Optimized BERT Pre-training Approach. arXiv preprint arXiv:1907.11692.
  10. When not to trust language models: Investigating effectiveness of parametric and non-parametric memories. Proceedings of the 61st Annual Meeting of the Association for Computational Linguistics (Volume 1: Long Papers), 9802–9822.
  11. Recent advances in natural language processing via large pre-trained language models: A survey. ACM Computing Surveys, 56(2): 1–40.
  12. Automatic Mapping of Unstructured Cyber Threat Intelligence: An Experimental Study:(Practical Experience Report). IEEE 33rd International Symposium on Software Reliability Engineering (ISSRE), 181–192.
  13. In-context retrieval-augmented language models. arXiv preprint arXiv:2302.00083.
  14. TTPHunter: Automated Extraction of Actionable Intelligence as TTPs from Narrative Threat Reports. Proceedings of the 2023 Australasian Computer Science Week, 126–134.
  15. Towards Automated Classification of Attackers’ TTPs by combining NLP with ML Techniques. arXiv preprint arXiv:2207.08478.
  16. Attention is all you need. Advances in Neural Information Processing Systems, 30.
  17. TIM: threat context-enhanced TTP intelligence mining on unstructured threat data. Cybersecurity, 5(1): 3.
  18. A Survey of Large Language Models. arXiv preprint arXiv:2303.18223.
User Edit Pencil Streamline Icon: https://streamlinehq.com
Authors (3)
  1. Reza Fayyazi (4 papers)
  2. Rozhina Taghdimi (1 paper)
  3. Shanchieh Jay Yang (14 papers)
Citations (1)
View on Semantic Scholar

Summary

We haven't generated a summary for this paper yet.

Ai Sparkles Streamline Icon: https://streamlinehq.com Summarize Now
Youtube Logo Streamline Icon: https://streamlinehq.com

YouTube