Enregistré dans:
Détails bibliographiques
Auteurs principaux: Zhang, Hao, Shao, Shuo, Li, Song, Zhong, Zhenyu, Liu, Yan, Qin, Zhan
Format: Preprint
Publié: 2025
Sujets:
Accès en ligne:https://arxiv.org/abs/2506.16981
Tags: Ajouter un tag
Pas de tags, Soyez le premier à ajouter un tag!
_version_ 1866908830645878784
author Zhang, Hao
Shao, Shuo
Li, Song
Zhong, Zhenyu
Liu, Yan
Qin, Zhan
author_facet Zhang, Hao
Shao, Shuo
Li, Song
Zhong, Zhenyu
Liu, Yan
Qin, Zhan
contents End-point monitoring solutions are widely deployed in today's enterprise environments to support advanced attack detection and investigation. These monitors continuously record system-level activities as audit logs and provide deep visibility into security events. Unfortunately, existing methods of semantic analysis based on audit logs have low granularity, only reaching the system call level, making it difficult to effectively classify highly covert behaviors. Additionally, existing works mainly match audit log streams with rule knowledge bases describing behaviors, which heavily rely on expertise and lack the ability to detect unknown attacks and provide interpretive descriptions. In this paper, we propose SmartGuard, an automated method that combines abstracted behaviors from audit event semantics with large language models. SmartGuard extracts specific behaviors (function level) from incoming system logs and constructs a knowledge graph, divides events by threads, and combines event summaries with graph embeddings to achieve information diagnosis and provide explanatory narratives through large language models. Our evaluation shows that SmartGuard achieves an average F1 score of 96\% in assessing malicious behaviors and demonstrates good scalability across multiple models and unknown attacks. It also possesses excellent fine-tuning capabilities, allowing experts to assist in timely system updates.
format Preprint
id arxiv_https___arxiv_org_abs_2506_16981
institution arXiv
publishDate 2025
record_format arxiv
spellingShingle SmartGuard: Leveraging Large Language Models for Network Attack Detection through Audit Log Analysis and Summarization
Zhang, Hao
Shao, Shuo
Li, Song
Zhong, Zhenyu
Liu, Yan
Qin, Zhan
Cryptography and Security
End-point monitoring solutions are widely deployed in today's enterprise environments to support advanced attack detection and investigation. These monitors continuously record system-level activities as audit logs and provide deep visibility into security events. Unfortunately, existing methods of semantic analysis based on audit logs have low granularity, only reaching the system call level, making it difficult to effectively classify highly covert behaviors. Additionally, existing works mainly match audit log streams with rule knowledge bases describing behaviors, which heavily rely on expertise and lack the ability to detect unknown attacks and provide interpretive descriptions. In this paper, we propose SmartGuard, an automated method that combines abstracted behaviors from audit event semantics with large language models. SmartGuard extracts specific behaviors (function level) from incoming system logs and constructs a knowledge graph, divides events by threads, and combines event summaries with graph embeddings to achieve information diagnosis and provide explanatory narratives through large language models. Our evaluation shows that SmartGuard achieves an average F1 score of 96\% in assessing malicious behaviors and demonstrates good scalability across multiple models and unknown attacks. It also possesses excellent fine-tuning capabilities, allowing experts to assist in timely system updates.
title SmartGuard: Leveraging Large Language Models for Network Attack Detection through Audit Log Analysis and Summarization
topic Cryptography and Security
url https://arxiv.org/abs/2506.16981