AGLHunter: Automated Threat Hunting Using In-Context Learning-Enhanced LLM

Published: 2025, Last Modified: 05 Jan 2026. Venue: CSCWD 2025. License: CC BY-SA 4.0
Abstract: Advanced Persistent Threats (APTs) are characterized by their persistence, sophistication, and stealth, posing significant challenges to network detection. Existing research on attack detection leveraging Provenance Graphs (PGs) has proven effective in correlating system entities and capturing persistence. However, the exponential growth of audit logs makes large-scale data storage and processing difficult. In addition, current threat hunting methods rely heavily on manually crafted attack query graphs, which are limited by expert knowledge and lack automated solutions. In this paper, we propose AGLHunter, an automated threat hunting system designed to enhance automation and efficiency while maintaining high detection accuracy. Our system leverages the In-Context Learning (ICL) capability of a Large Language Model (LLM) to automatically construct query graphs from Cyber Threat Intelligence (CTI) reports. Next, we extract suspicious subgraphs from PGs and employ graph representation learning to match these subgraphs with the query graphs, enabling efficient and accurate threat hunting. We use the DARPA TC and OpTC datasets to evaluate AGLHunter's performance. The results show that AGLHunter not only achieves higher automation but also shows superior performance with reduced memory usage. AGLHunter, leveraging an ICL-enhanced LLM, improved the F1 score for query graph construction by 13.6%, reduced the overall hunting time by more than 170 seconds, and maintained high detection accuracy.
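The pipeline the abstract describes, reduced to its three stages, as an added illustration that is not AGLHunter's code: build a provenance graph from audit events, cut a suspicious subgraph around an alert node, and match a typed attack query graph against it. The audit events are constructed, the query graph is written by hand where the paper uses an LLM to derive it from a CTI report, and matching is exact backtracking subgraph matching rather than the paper's graph representation learning; all node names, relations and the hop count are assumptions.

```python
"""Toy provenance-graph threat hunt.  Added example, not AGLHunter's code:
the query graph is hand-written in place of the paper's LLM/ICL step and
matching is exact backtracking instead of graph representation learning."""
from collections import defaultdict

# Constructed audit events: (subject, relation, object, object_type).
# Subjects are always processes.  The benign chrome/acrord32/svchost lines
# exist to show that ordinary file reads and writes must not match.
AUDIT_EVENTS = [
    ("outlook.exe",    "write",   "C:/Users/a/Downloads/invoice.docm", "file"),
    ("winword.exe",    "read",    "C:/Users/a/Downloads/invoice.docm", "file"),
    ("winword.exe",    "exec",    "powershell.exe",                    "process"),
    ("powershell.exe", "connect", "203.0.113.5:443",                   "socket"),
    ("chrome.exe",     "write",   "C:/Users/a/Downloads/report.pdf",   "file"),
    ("acrord32.exe",   "read",    "C:/Users/a/Downloads/report.pdf",   "file"),
    ("chrome.exe",     "connect", "198.51.100.7:443",                  "socket"),
    ("svchost.exe",    "read",    "C:/Windows/System32/drivers/etc/hosts", "file"),
]

def build_provenance_graph(events):
    """Return (node_types, edges); edges is a set of (src, relation, dst)."""
    node_types, edges = {}, set()
    for subj, rel, obj, obj_type in events:
        node_types[subj] = "process"
        node_types.setdefault(obj, obj_type)
        edges.add((subj, rel, obj))
    return node_types, edges

def k_hop_subgraph(node_types, edges, seed, k):
    """Undirected k-hop neighbourhood of `seed`: the suspicious subgraph."""
    adj = defaultdict(set)
    for s, _, d in edges:
        adj[s].add(d)
        adj[d].add(s)
    keep, frontier = {seed}, {seed}
    for _ in range(k):
        frontier = {n for f in frontier for n in adj[f]} - keep
        keep |= frontier
    sub_edges = {e for e in edges if e[0] in keep and e[2] in keep}
    return {n: node_types[n] for n in keep}, sub_edges

# Hand-written query graph standing in for the CTI-derived one (assumed):
# a mail client drops a document, an office process opens it and spawns a
# shell, and the shell makes an outbound connection.
QUERY_NODES = {"P1": "process", "F": "file", "P2": "process",
               "P3": "process", "S": "socket"}
QUERY_EDGES = [("P1", "write", "F"), ("P2", "read", "F"),
               ("P2", "exec", "P3"), ("P3", "connect", "S")]

def match_query(q_nodes, q_edges, g_nodes, g_edges):
    """Backtracking subgraph match: an injective map query node -> graph
    node that preserves node types and every labelled edge.  Returns the
    first mapping found, or None when the pattern is absent."""
    order = list(q_nodes)

    def consistent(mapping):
        return all((mapping[s], r, mapping[d]) in g_edges
                   for s, r, d in q_edges if s in mapping and d in mapping)

    def rec(i, mapping):
        if i == len(order):
            return dict(mapping)
        q = order[i]
        for cand, ctype in g_nodes.items():
            if ctype != q_nodes[q] or cand in mapping.values():
                continue
            mapping[q] = cand
            if consistent(mapping):
                found = rec(i + 1, mapping)
                if found:
                    return found
            del mapping[q]
        return None

    return rec(0, {})

def hunt(events, alert_node, hops=4):
    """Full pipeline: PG -> suspicious subgraph around the alert -> match."""
    nodes, edges = build_provenance_graph(events)
    sub_nodes, sub_edges = k_hop_subgraph(nodes, edges, alert_node, hops)
    return match_query(QUERY_NODES, QUERY_EDGES, sub_nodes, sub_edges)

if __name__ == "__main__":
    print(hunt(AUDIT_EVENTS, "203.0.113.5:443"))  # the phishing chain
    print(hunt(AUDIT_EVENTS, "198.51.100.7:443"))  # benign browsing
```

Restricting the match to the k-hop neighbourhood of the alert is what keeps the search cheap on a large provenance graph; exact matching is exponential in the worst case, which is one reason a learned embedding-based matcher, as the paper uses, is attractive at DARPA TC scale. With the hop count set too low (3 here) the `write` edge from outlook.exe falls outside the cut and the hunt misses the pattern, so the cut radius has to cover the longest path in the query graph.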