Labeling NIDS Rules with MITRE ATT&CK Techniques Using ChatGPT


Abstract

A typical analyst spends much time and effort investigating alerts from network intrusion detection systems (NIDS). Available NIDS rules for enterprise and industrial control systems are not always accompanied by high-level explanations that allow for building valid hypotheses about the attacker's techniques and intentions. The plethora of rules and the lack of high-level information necessitate new automated methods for alert enrichment. Large language models, such as ChatGPT, encompass a vast amount of knowledge, including cyber threat intelligence such as ports and protocols (low-level) and MITRE ATT&CK techniques (high-level). Despite being a very new technology, ChatGPT is increasingly used to automate processes that experts previously performed. In this paper, we explore the ability of ChatGPT to reason about NIDS rules while labeling them with MITRE ATT&CK techniques. We discuss prompt design and present results for ChatGPT-3.5, ChatGPT-4, and a keyword-based approach. Our results indicate that both versions of ChatGPT outperform a baseline that relies on a priori frequencies of the techniques. ChatGPT-3.5 is much more precise than ChatGPT-4, with a small reduction in recall.

Citation (APA)

Daniel, N., Kaiser, F. K., Dzega, A., Elyashar, A., & Puzis, R. (2024). Labeling NIDS Rules with MITRE ATT&CK Techniques Using ChatGPT. In Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics) (Vol. 14399 LNCS, pp. 76–91). Springer Science and Business Media Deutschland GmbH. https://doi.org/10.1007/978-3-031-54129-2_5
