TY - JOUR
T1 - Labeling Network Intrusion Detection System (NIDS) Rules with MITRE ATT&CK Techniques
T2 - Machine Learning vs. Large Language Models
AU - Daniel, Nir
AU - Kaiser, Florian Klaus
AU - Giladi, Shay
AU - Sharabi, Sapir
AU - Moyal, Raz
AU - Shpolyansky, Shalev
AU - Murillo, Andres
AU - Elyashar, Aviad
AU - Puzis, Rami
N1 - Publisher Copyright:
© 2025 by the authors.
PY - 2025/2/1
Y1 - 2025/2/1
N2 - Analysts in Security Operations Centers (SOCs) are often occupied with time-consuming investigations of alerts from Network Intrusion Detection Systems (NIDSs). Many NIDS rules lack clear explanations and associations with attack techniques, complicating alert triage and the generation of attack hypotheses. Large Language Models (LLMs) may be a promising technology to reduce the alert explainability gap by associating rules with attack techniques. In this paper, we investigate the ability of three prominent LLMs (ChatGPT, Claude, and Gemini) to reason about NIDS rules while labeling them with MITRE ATT&CK tactics and techniques. We discuss prompt design and present experiments performed with 973 Snort rules. Our results indicate that while LLMs provide explainable, scalable, and efficient initial mappings, traditional machine learning (ML) models consistently outperform them in accuracy, achieving higher precision, recall, and F1-scores. These results highlight the potential for hybrid LLM-ML approaches to enhance SOC operations and better address the evolving threat landscape. By utilizing automation, the presented methods will enhance the analysis efficiency of SOC alerts and decrease workloads for analysts.
KW - alerts investigation
KW - cyber threat intelligence
KW - natural language processing
UR - http://www.scopus.com/inward/record.url?scp=85218443220&partnerID=8YFLogxK
U2 - 10.3390/bdcc9020023
DO - 10.3390/bdcc9020023
M3 - Article
AN - SCOPUS:85218443220
SN - 2504-2289
VL - 9
JO - Big Data and Cognitive Computing
JF - Big Data and Cognitive Computing
IS - 2
M1 - 23
ER -