Towards Automated and Explainable Cyber Threat Hunting Leveraging Generative AI

Bill Chu

Department of Software and Information Systems

UNC Charlotte

Wed Sept 24, 11:30-12:30 WWH 335

ABSTRACT

We attempt to automate parts of threat hunting, taking cyber threat intelligence messages as input and generating queries to search logs for attack evidence using a popular query language used in Security Operations Centers (SOC). Our prototype uses GPT-4 to extract actionable threat intelligence from real-time messages, such as on X and slack channels. The core idea is to explain the extracted intelligence in terms of MITRE ATT&CK TTPs using a knowledge graph with the following benefits: (a) Reduced hallucinations from 47% (GPT-4) to 1.5%  by using two orthogonal ways to cross-check answers. (b) Gaining human trust with explained results. (c) Use chain-of-knowledge prompting to significantly improve query generation accuracy. This approach may be extended to further improve query generation by  expanding the scope of the knowledge graph. Our approach significantly outperforms the Retrieval-Augmented Generation (RAG). It also seems to outperform chain-of-thought reasoning LLM as well.

Bio

Dr. Chu is Professor of Software and Information Systems at UNC Charlotte’s College of Computing and Informatics. His research interests include Cyberthreat Hunting, Cyberthreat Intelligence, and AI security. He received his Ph.D. in Computer Science of the University of Maryland at College Park.