Saved in:
Bibliographic Details
Main Authors: Zuo, Fei, Rhee, Junghwan, Choe, Yung Ryn
Format: Preprint
Published: 2025
Subjects:
Online Access:https://arxiv.org/abs/2503.18316
Tags: Add Tag
No Tags, Be the first to tag this record!
_version_ 1866910894398636032
author Zuo, Fei
Rhee, Junghwan
Choe, Yung Ryn
author_facet Zuo, Fei
Rhee, Junghwan
Choe, Yung Ryn
contents Advanced Persistent Threats (APTs) have caused significant losses across a wide range of sectors, including the theft of sensitive data and harm to system integrity. As attack techniques grow increasingly sophisticated and stealthy, the arms race between cyber defenders and attackers continues to intensify. The revolutionary impact of Large Language Models (LLMs) has opened up numerous opportunities in various fields, including cybersecurity. An intriguing question arises: can the extensive knowledge embedded in LLMs be harnessed for provenance analysis and play a positive role in identifying previously unknown malicious events? To seek a deeper understanding of this issue, we propose a new strategy for taking advantage of LLMs in provenance-based threat detection. In our design, the state-of-the-art LLM offers additional details in provenance data interpretation, leveraging their knowledge of system calls, software identity, and high-level understanding of application execution context. The advanced contextualized embedding capability is further utilized to capture the rich semantics of event descriptions. We comprehensively examine the quality of the resulting embeddings, and it turns out that they offer promising avenues. Subsequently, machine learning models built upon these embeddings demonstrated outstanding performance on real-world data. In our evaluation, supervised threat detection achieves a precision of 99.0%, and semi-supervised anomaly detection attains a precision of 96.9%.
format Preprint
id arxiv_https___arxiv_org_abs_2503_18316
institution arXiv
publishDate 2025
record_format arxiv
spellingShingle Knowledge Transfer from LLMs to Provenance Analysis: A Semantic-Augmented Method for APT Detection
Zuo, Fei
Rhee, Junghwan
Choe, Yung Ryn
Cryptography and Security
Advanced Persistent Threats (APTs) have caused significant losses across a wide range of sectors, including the theft of sensitive data and harm to system integrity. As attack techniques grow increasingly sophisticated and stealthy, the arms race between cyber defenders and attackers continues to intensify. The revolutionary impact of Large Language Models (LLMs) has opened up numerous opportunities in various fields, including cybersecurity. An intriguing question arises: can the extensive knowledge embedded in LLMs be harnessed for provenance analysis and play a positive role in identifying previously unknown malicious events? To seek a deeper understanding of this issue, we propose a new strategy for taking advantage of LLMs in provenance-based threat detection. In our design, the state-of-the-art LLM offers additional details in provenance data interpretation, leveraging their knowledge of system calls, software identity, and high-level understanding of application execution context. The advanced contextualized embedding capability is further utilized to capture the rich semantics of event descriptions. We comprehensively examine the quality of the resulting embeddings, and it turns out that they offer promising avenues. Subsequently, machine learning models built upon these embeddings demonstrated outstanding performance on real-world data. In our evaluation, supervised threat detection achieves a precision of 99.0%, and semi-supervised anomaly detection attains a precision of 96.9%.
title Knowledge Transfer from LLMs to Provenance Analysis: A Semantic-Augmented Method for APT Detection
topic Cryptography and Security
url https://arxiv.org/abs/2503.18316