RACONTEUR: A Knowledgeable, Insightful, and Portable LLM-Powered Shell Command Explainer

TL;DR

Raconteur is an LLM-powered shell command explainer that integrates expert knowledge, translates explanations into cybersecurity tactics, and uses documentation retrieval to explain unseen commands, enhancing security analysis.

Contribution

The paper introduces Raconteur, a knowledgeable and portable shell command explainer that combines expert knowledge, tactic translation, and documentation retrieval to improve understanding of malicious commands.

Findings

Raconteur provides high-quality, in-depth explanations of shell commands.

It effectively translates command intent into MITRE ATT&CK tactics.

Experiments show Raconteur outperforms baseline models in explanation accuracy.

Abstract

Malicious shell commands are linchpins to many cyber-attacks, but may not be easy to understand by security analysts due to complicated and often disguised code structures. Advances in large language models (LLMs) have unlocked the possibility of generating understandable explanations for shell commands. However, existing general-purpose LLMs suffer from a lack of expert knowledge and a tendency to hallucinate in the task of shell command explanation. In this paper, we present Raconteur, a knowledgeable, expressive and portable shell command explainer powered by LLM. Raconteur is infused with professional knowledge to provide comprehensive explanations on shell commands, including not only what the command does (i.e., behavior) but also why the command does it (i.e., purpose). To shed light on the high-level intent of the command, we also translate the natural-language-based explanation into standard technique & tactic defined by MITRE ATT&CK, the worldwide knowledge base of cybersecurity. To enable Raconteur to explain unseen private commands, we further develop a documentation retriever to obtain relevant information from complementary documentations to assist the explanation process. We have created a large-scale dataset for training and conducted extensive experiments to evaluate the capability of Raconteur in shell command explanation. The experiments verify that Raconteur is able to provide high-quality explanations and in-depth insight of the intent of the command.