Labeling NIDS Rules with MITRE ATT&CK Techniques Using ChatGPT

Nir Daniel, Florian Klaus Kaiser, Anton Dzega, Aviad Elyashar, Rami Puzis

Research output: Chapter in Book/Report/Conference proceeding, Conference contribution, peer-review

Abstract

A typical analyst spends much time and effort investigating alerts from network intrusion detection systems (NIDS). Available NIDS rules for enterprise and industrial control systems are not always accompanied by high-level explanations that allow for building valid hypotheses about the attacker's techniques and intentions. The plethora of rules and the lack of high-level information necessitate new automated methods for alert enrichment. Large language models, such as ChatGPT, encompass a vast amount of knowledge, including cyber threat intelligence such as ports and protocols (low-level) and MITRE ATT&CK techniques (high-level). Despite being a very new technology, ChatGPT is increasingly used to automate processes that experts previously performed. In this paper, we explore the ability of ChatGPT to reason about NIDS rules while labeling them with MITRE ATT&CK techniques. We discuss prompt design and present results on ChatGPT-3.5, ChatGPT-4, and a keyword-based approach. Our results indicate that both versions of ChatGPT outperform a baseline that relies on a priori frequencies of the techniques. ChatGPT-3.5 is much more precise than ChatGPT-4, at the cost of a small reduction in recall.
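The abstract compares ChatGPT against a keyword-based labeler and a baseline built on a priori technique frequencies. The Python below is an added example (not the paper's code, prompts or dataset) of what those two non-LLM components look like in practice: it parses Suricata-style rules, maps words in the msg/classtype/metadata text to ATT&CK technique IDs through a hypothetical keyword table, predicts the most frequent technique as the frequency-prior baseline, and scores both with micro-averaged precision and recall. The rules, their ground-truth labels, the local-range SIDs and the keyword table are all constructed for illustration.

```python
"""Keyword-based ATT&CK labeling of NIDS rules against a frequency-prior
baseline. Added example; not the paper's code, prompts or dataset."""
import re
from collections import Counter

# Constructed Suricata-style rules with assumed ground-truth ATT&CK technique
# IDs. SIDs are in the local (1000000+) range; nothing here is a real ruleset.
SAMPLE_RULES = [
    ('alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"LOCAL SCAN Nmap SYN port sweep"; '
     'flags:S; classtype:attempted-recon; sid:1000001; rev:1;)', {"T1046"}),
    ('alert tcp $EXTERNAL_NET any -> $HOME_NET 22 (msg:"LOCAL POLICY SSH brute force attempt"; '
     'classtype:attempted-admin; sid:1000002; rev:1;)', {"T1110"}),
    ('alert dns $HOME_NET any -> any 53 (msg:"LOCAL MALWARE DNS tunneling long TXT query"; '
     'classtype:trojan-activity; sid:1000003; rev:1;)', {"T1071.004"}),
    ('alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"LOCAL EXPLOIT Struts OGNL injection attempt"; '
     'classtype:web-application-attack; sid:1000004; rev:1;)', {"T1190"}),
    ('alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"LOCAL TROJAN PowerShell download cradle in URI"; '
     'classtype:trojan-activity; sid:1000005; rev:1;)', {"T1059.001", "T1105"}),
    ('alert tcp $EXTERNAL_NET any -> $HOME_NET any (msg:"LOCAL SCAN Masscan port scan"; '
     'classtype:attempted-recon; sid:1000006; rev:1;)', {"T1046"}),
    ('alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"LOCAL EXFIL Large outbound POST to rare host"; '
     'classtype:policy-violation; sid:1000007; rev:1;)', {"T1048"}),
    ('alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"LOCAL POLICY Vulnerability scanner user-agent"; '
     'classtype:attempted-recon; sid:1000008; rev:1;)', {"T1595.002"}),
]

# Hypothetical keyword -> technique table; a real one would be far larger.
KEYWORDS = {
    "scan": {"T1046"}, "sweep": {"T1046"}, "brute force": {"T1110"},
    "dns tunnel": {"T1071.004"}, "injection": {"T1190"},
    "powershell": {"T1059.001"}, "download": {"T1105"},
}

_HEADER = re.compile(r"^(\w+)\s+(\w+)\s+(.+?)\s*\((.*)\)\s*$", re.S)
_OPT = {k: re.compile(p) for k, p in {
    "msg": r'msg:\s*"((?:[^"\\]|\\.)*)"', "classtype": r"classtype:\s*([^;]+);",
    "sid": r"sid:\s*(\d+);", "metadata": r"metadata:\s*([^;]+);"}.items()}

def parse_rule(rule):
    """Split a Suricata/Snort rule into header fields and the options an
    analyst actually reads: msg, classtype, sid, metadata (None if absent)."""
    m = _HEADER.match(rule.strip())
    if not m:
        raise ValueError("not a rule: %r" % rule[:40])
    action, proto, addrs, options = m.groups()
    fields = {"action": action, "proto": proto, "header": addrs}
    for name, rx in _OPT.items():
        hit = rx.search(options)
        fields[name] = hit.group(1) if hit else None
    return fields

def keyword_label(rule):
    """Techniques whose keyword occurs in the rule's msg/classtype/metadata."""
    f = parse_rule(rule)
    text = " ".join(v for v in (f["msg"], f["classtype"], f["metadata"]) if v).lower()
    return {t for kw, techs in KEYWORDS.items() if kw in text for t in techs}

def prior_label(labeled, k=1):
    """Baseline: always predict the k most frequent techniques in the labeled
    set (a priori frequencies; fitted on the same set, so it is optimistic)."""
    counts = Counter(t for _, techs in labeled for t in techs)
    return {t for t, _ in counts.most_common(k)}

def micro_prf(predictions, truths):
    """Micro-averaged (precision, recall) over multi-label predictions."""
    tp = sum(len(p & t) for p, t in zip(predictions, truths))
    npred = sum(len(p) for p in predictions)
    ntrue = sum(len(t) for t in truths)
    return (tp / npred if npred else 0.0, tp / ntrue if ntrue else 0.0)

def evaluate(labeled=SAMPLE_RULES):
    """Score the keyword labeler and the frequency prior on the same rules."""
    truths = [t for _, t in labeled]
    kw = [keyword_label(r) for r, _ in labeled]
    base = [prior_label(labeled) for _ in labeled]
    return {"keyword": micro_prf(kw, truths), "prior": micro_prf(base, truths)}

if __name__ == "__main__":
    for name, (p, r) in evaluate().items():
        print(f"{name:8s} precision={p:.3f} recall={r:.3f}")
```

On this constructed set the keyword labeler reaches 0.875 precision and 0.778 recall against 0.25 and 0.222 for the prior. The two rules it gets wrong show where surface matching breaks: the exfiltration rule has no keyword at all, and "scanner" in the vulnerability-scanner rule fires the T1046 (Network Service Discovery) entry although the activity is T1595.002 (Vulnerability Scanning). Distinguishing such cases requires reading the rule's context rather than its vocabulary, which is the gap the abstract proposes to fill with an LLM.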

Original language: English
Title of host publication: Computer Security. ESORICS 2023 International Workshops - CPS4CIP, ADIoT, SecAssure, WASP, TAURIN, PriST-AI, and SECAI, 2023, Revised Selected Papers
Editors: Sokratis Katsikas, Habtamu Abie, Silvio Ranise, Luca Verderame, Enrico Cambiaso, Rita Ugarelli, Isabel Praça, Wenjuan Li, Weizhi Meng, Steven Furnell, Basel Katt, Sandeep Pirbhulal, Ankur Shukla, Michele Ianni, Mila Dalla Preda, Kim-Kwang Raymond Choo, Miguel Pupo Correia, Abhishta Abhishta, Giovanni Sileno, Mina Alishahi, Harsha Kalutarage, Naoto Yanai
Publisher: Springer Science and Business Media Deutschland GmbH
Pages: 76-91
Number of pages: 16
ISBN (Print): 9783031541285
DOIs
State: Published - 1 Jan 2024
Event: International Workshops which were held in conjunction with 28th European Symposium on Research in Computer Security, ESORICS 2023 - The Hague, Netherlands
Duration: 25 Sep 2023 to 29 Sep 2023

Publication series

Name: Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)
Volume: 14399 LNCS
ISSN (Print): 0302-9743
ISSN (Electronic): 1611-3349

Conference

Conference: International Workshops which were held in conjunction with 28th European Symposium on Research in Computer Security, ESORICS 2023
Country/Territory: Netherlands
City: The Hague
Period: 25/09/23 to 29/09/23

Keywords

  • Alerts investigation
  • Cyber threat intelligence
  • Natural language processing

ASJC Scopus subject areas

  • Theoretical Computer Science
  • General Computer Science
