LogPrécis: Unleashing Language Models for Automated Malicious Log Analysis
Abstract: The collection of security-related logs holds the key to understanding attack behaviors and diagnosing vulnerabilities. Still, their analysis remains a daunting challenge. Recently, LLMs (LMs) have demonstrated unmatched potential in understanding natural and programming languages. The question arises whether and how LMs could be also useful for security experts since their logs contain intrinsically confused and obfuscated information. In this paper, we systematically study how to benefit from the state-of-the-art in LM to automatically analyze text-like Unix shell attack logs. We present a thorough design methodology that leads to LogPr\'ecis. It receives as input raw shell sessions and automatically identifies and assigns the attacker tactic to each portion of the session, i.e., unveiling the sequence of the attacker's goals. We demonstrate LogPr\'ecis capability to support the analysis of two large datasets containing about 400,000 unique Unix shell attacks. LogPr\'ecis reduces them into about 3,000 fingerprints, each grouping sessions with the same sequence of tactics. The abstraction it provides lets the analyst better understand attacks, identify fingerprints, detect novelty, link similar attacks, and track families and mutations. Overall, LogPr\'ecis, released as open source, paves the way for better and more responsive defense against cyberattacks.
- doi:10.1145/3133956.3134015.
- doi:10.1145/3548606.3560612.
- Mitre enterprise tactics, https://attack.mitre.org/tactics/enterprise/ (2022).
- doi:10.18653/v1/2020.findings-emnlp.139.
- doi:10.1109/MC.2022.3148714.
- arXiv:1801.06146.
- doi:10.1145/3386252.
- doi:10.1109/EuroSPW55150.2022.00038.
- doi:10.1145/3563766.3564104.
- doi:10.1145/3563766.3564108.
- doi:10.1145/3487351.3492723.
- doi:10.30534/ijatcse/2019/86862019.
- doi:10.1109/SPW.2019.00049.
- doi:10.1109/ICDMW.2017.92.
- arXiv:2310.12663.
- doi:10.1109/TKDE.2020.2981314.
- arXiv:2302.14502.
- doi:10.18653/v1/2020.acl-main.603. URL https://aclanthology.org/2020.acl-main.603
- arXiv:2210.05529.
- Honeypot as a service (haas), https://haas.nic.cz (2023).
- doi:10.5281/zenodo.3687527.
- doi:10.1109/MC.2017.201.
- Dota3: Is your internet of things device moonlighting?, https://blogs.juniper.net/en-us/threat-research/dota3-is-your-internet-of-things-device-moonlighting (2020).
- Report 3479, https://corvus.inf.ufpr.br/reports/3479/ (2019).
- How shellshock can be exploited over dhcp, https://www.helpnetsecurity.com/2014/10/09/how-shellshock-can-be-exploited-over-dhcp/ (2014).
- Lockr, https://www.lockr.io/blog/ (2013).
- Honeypots: Know your adversary, https://www.cyderinc.net/server-administration-ins-and-outs/honeypots-know-your-adversary (2023).
- Our selection of alerts on honeypots: report 9 – may 2023, https://tehtris.com/en/blog/our-selection-of-alerts-on-honeypots-report-9-may-2023 (2023).
Paper Prompts
Sign up for free to create and run prompts on this paper using GPT-5.
Top Community Prompts
Collections
Sign up for free to add this paper to one or more collections.