A typical analyst spends much time and effort investigating alerts from network intrusion detection systems (NIDS). Available NIDS rules for enterprise and industrial control systems are not always accompanied by high-level explanations that allow for building valid hypotheses about the attacker’s techniques and intentions. The plethora of rules and the lack of high-level information necessitates new automated methods for alert enrichment. Large language models, such as ChatGPT, encompass a vast amount of knowledge, including cyber threat intelligence such as ports and protocols (low-level) and MITRE ATT &CK techniques (high-level). Despite being a very new technology, ChatGPT is increasingly used in order to automate processes that experts previously performed. In this paper, we explore the ability of ChatGPT to reason about NIDS rules while labeling them with MITRE ATT &CK techniques. We discuss prompt design and present results on ChatGPT-3.5, ChatGPT-4, and a keyword-based approach. Our results indicate that both versions of ChatGPT outperform a baseline that relies on a-priori frequencies of the techniques. ChatGPT-3.5 is much more precise than ChatGPT-4, with a little reduction in recall.
CITATION STYLE
Daniel, N., Kaiser, F. K., Dzega, A., Elyashar, A., & Puzis, R. (2024). Labeling NIDS Rules with MITRE ATT &CK Techniques Using ChatGPT. In Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics) (Vol. 14399 LNCS, pp. 76–91). Springer Science and Business Media Deutschland GmbH. https://doi.org/10.1007/978-3-031-54129-2_5
Mendeley helps you to discover research relevant for your work.