LLMCloudHunter: Harnessing LLMs for Automated Extraction of Detection Rules from Cloud-Based CTI

TL;DR

This paper introduces LLMCloudHunter, a framework that uses large language models to automatically extract detection rules from unstructured cloud threat intelligence data, including text and images, improving threat detection in cloud environments.

Contribution

The paper presents a novel LLM-based framework that automates extraction of detection rules from unstructured OS-CTI data, including visual content, specifically for cloud security contexts.

Findings

Achieved 92% precision and 98% recall in extracting API calls.

Achieved 99% precision and 98% recall in extracting IoCs.

99.18% of generated rules were successfully converted into Splunk queries.

Abstract

As the number and sophistication of cyber attacks have increased, threat hunting has become a critical aspect of active security, enabling proactive detection and mitigation of threats before they cause significant harm. Open-source cyber threat intelligence (OS-CTI) is a valuable resource for threat hunters, however, it often comes in unstructured formats that require further manual analysis. Previous studies aimed at automating OSCTI analysis are limited since (1) they failed to provide actionable outputs, (2) they did not take advantage of images present in OSCTI sources, and (3) they focused on on-premises environments, overlooking the growing importance of cloud environments. To address these gaps, we propose LLMCloudHunter, a novel framework that leverages large language models (LLMs) to automatically generate generic-signature detection rule candidates from textual and visual OSCTI data. We evaluated the quality of the rules generated by the proposed framework using 12 annotated real-world cloud threat reports. The results show that our framework achieved a precision of 92% and recall of 98% for the task of accurately extracting API calls made by the threat actor and a precision of 99% with a recall of 98% for IoCs. Additionally, 99.18% of the generated detection rule candidates were successfully compiled and converted into Splunk queries.