Using Natural Language Processing Tools to Infer Adversary Techniques and Tactics Under the Mitre ATT&CK Framework
Abstract: This paper presents a novel approach to interpreting Intrusion Detection System (IDS) rules and predicting likely attacker Tactics, Techniques, and Procedures (TTPs) through the use of Large Language Models (LLMs) trained to associate IDS rules with TTPs in the MITRE ATT&CK framework. Our methodology focuses on automatically describing IDS rules to enhance explainability and to provide a natural interface for exploring the potential operational impacts that an unmitigated attack may have on network security and operations. Using natural language processing techniques, we trained several models on a dataset of 972 labeled IDS rules, enabling them to generate descriptive narratives that explain individual rules and to provide a foundation for predicting associated TTPs in support of defensive cyber operations. We present our approach and initial results, discuss the potential implications in the broader context of cyber defense, and propose a conceptual extension in which identified TTPs are used to predict and suggest proactive and reactive defense strategies that may be acted upon by human and autonomous defenders. We believe this and related work pave the way for more dynamic and informed decision-making in cyber defense, potentially transforming how Security Operations Centers (SOCs) and autonomous cyber defense systems operate.
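The abstract describes a pipeline in which the text of an IDS rule is treated as a document and a model learns to map it to ATT&CK technique identifiers. The Python below is an added illustration of that idea, not code from the paper or its authors: it parses Snort/Suricata rule syntax, extracts the human-readable fields (msg, content strings, metadata), and assigns a technique to an unlabelled rule by TF-IDF cosine similarity against a small labelled set, reading each label from a `mitre_technique_id` metadata key in the style that Emerging Threats rules use (treat that key name as an assumption). All rules, sids and labels are constructed for the example; the paper's LLM-based models and its 972-rule dataset are not reproduced here.

```python
"""Toy IDS-rule-to-ATT&CK mapper (added example; not the paper's code).

Parses Snort/Suricata rule text, extracts msg/content/metadata, and predicts a
MITRE ATT&CK technique ID for an unlabelled rule by TF-IDF cosine similarity
against labelled rules. Every rule below is constructed for illustration.
"""
import math
import re
from collections import Counter

HEADER_FIELDS = ("action", "proto", "src", "sport", "dir", "dst", "dport")
HEX_BYTES_RE = re.compile(r"\|[0-9a-fA-F ]+\|")   # |0d 0a|-style byte blocks
TOKEN_RE = re.compile(r"[a-z0-9]+")


def split_options(body: str) -> list:
    """Split the option block on ';' while honouring quotes and backslash escapes."""
    opts, cur, quoted, escaped = [], [], False, False
    for ch in body:
        if escaped:
            cur.append(ch)
            escaped = False
        elif ch == "\\":
            cur.append(ch)
            escaped = True
        elif ch == '"':
            quoted = not quoted
            cur.append(ch)
        elif ch == ";" and not quoted:
            opts.append("".join(cur).strip())
            cur = []
        else:
            cur.append(ch)
    tail = "".join(cur).strip()
    if tail:
        opts.append(tail)
    return opts


def parse_rule(rule: str) -> dict:
    """Return header fields plus msg, content strings and metadata key/value pairs."""
    head, sep, body = rule.strip().partition("(")
    if not sep or not body.endswith(")"):
        raise ValueError("rule has no option block")
    fields = head.split()
    if len(fields) != len(HEADER_FIELDS):
        raise ValueError(f"malformed header: {head!r}")
    parsed = dict(zip(HEADER_FIELDS, fields))
    parsed.update(options=[], msg="", contents=[], metadata={})
    for opt in split_options(body[:-1]):
        key, _, val = opt.partition(":")
        key = key.strip()
        val = val.strip().lstrip("!").strip().strip('"')   # drop negation and quotes
        parsed["options"].append((key, val))
        if key == "msg":
            parsed["msg"] = val
        elif key == "content":
            parsed["contents"].append(val)
        elif key == "metadata":                          # "key value, key value"
            for item in val.split(","):
                k, _, v = item.strip().partition(" ")
                if k:
                    parsed["metadata"][k] = v.strip()
    return parsed


def rule_tokens(parsed: dict) -> list:
    """Natural-language tokens from msg and content strings, hex byte blocks removed."""
    text = " ".join([parsed["msg"], *parsed["contents"]])
    return TOKEN_RE.findall(HEX_BYTES_RE.sub(" ", text).lower())


def tfidf_index(docs: list):
    """Return a vectoriser (smoothed IDF, L2-normalised) and the vectors of `docs`."""
    n = len(docs)
    df = Counter(t for d in docs for t in set(d))

    def vec(tokens: list) -> dict:
        weights = {t: c * (math.log((1 + n) / (1 + df.get(t, 0))) + 1)
                   for t, c in Counter(tokens).items()}
        norm = math.sqrt(sum(w * w for w in weights.values())) or 1.0
        return {t: w / norm for t, w in weights.items()}

    return vec, [vec(d) for d in docs]


def cosine(a: dict, b: dict) -> float:
    """Dot product of two unit-length sparse vectors."""
    return sum(w * b.get(t, 0.0) for t, w in a.items())


def predict_technique(labelled_rules: list, query_rule: str) -> tuple:
    """Label of the most similar labelled rule (from its mitre_technique_id) and the score."""
    parsed = [parse_rule(r) for r in labelled_rules]
    labels = [p["metadata"]["mitre_technique_id"] for p in parsed]
    vec, vectors = tfidf_index([rule_tokens(p) for p in parsed])
    query = vec(rule_tokens(parse_rule(query_rule)))
    scores = [cosine(query, v) for v in vectors]
    best = max(range(len(scores)), key=scores.__getitem__)
    return labels[best], round(scores[best], 3)


# Constructed labelled rules in ET-style syntax; the label lives in the metadata option.
LABELLED_RULES = [
    'alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"CONSTRUCTED MALWARE Beacon HTTP GET to C2 server"; '
    'flow:established,to_server; content:"GET"; http_method; content:"/pixel.gif"; http_uri; '
    'metadata: mitre_tactic_id TA0011, mitre_technique_id T1071; sid:9000001; rev:1;)',
    'alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"CONSTRUCTED POLICY SSH Brute Force Login Attempt Multiple Failures"; '
    'flow:established,to_server; content:"SSH-|0d 0a|"; threshold: type both, track by_src, count 5, seconds 60; '
    'metadata: mitre_tactic_id TA0006, mitre_technique_id T1110; sid:9000002; rev:1;)',
    'alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"CONSTRUCTED SCAN Nmap Scripting Engine User-Agent Detected"; '
    'flow:established,to_server; content:"Nmap Scripting Engine"; http_header; '
    'metadata: mitre_tactic_id TA0007, mitre_technique_id T1046; sid:9000003; rev:1;)',
    'alert tcp $EXTERNAL_NET any -> $HTTP_SERVERS $HTTP_PORTS (msg:"CONSTRUCTED WEB_SERVER SQL Injection UNION SELECT in URI"; '
    'flow:established,to_server; content:"UNION"; http_uri; nocase; content:"SELECT"; http_uri; nocase; '
    'metadata: mitre_tactic_id TA0001, mitre_technique_id T1190; sid:9000004; rev:1;)',
]

# Constructed unlabelled rule: no metadata, so the technique must be inferred from wording.
QUERY_RULE = (
    'alert tcp $EXTERNAL_NET any -> $HOME_NET 3306 (msg:"CONSTRUCTED DB MySQL Brute Force Multiple Login Failures"; '
    'flow:established,to_server; content:"Access denied for user"; '
    'threshold: type both, track by_src, count 10, seconds 60; sid:9000100; rev:1;)'
)

if __name__ == "__main__":
    print(predict_technique(LABELLED_RULES, QUERY_RULE))
```

The nearest-neighbour step only works when the unlabelled rule shares vocabulary with a labelled one ("brute force", "login", "failures" here); a rule phrased differently, or one whose signal is only in hex content, gets an arbitrary low-scoring match. That lexical gap is the motivation for the paper's use of LLMs, which can relate "Access denied for user" to credential-access behaviour without a shared keyword. The shared CONSTRUCTED prefix is present in every rule and is neutralised by the IDF weighting, which is the same reason a real ruleset's category prefixes (MALWARE, SCAN, POLICY) carry little weight in this scheme.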