SmartGuard: Leveraging Large Language Models for Network Attack Detection through Audit Log Analysis and Summarization

TL;DR

SmartGuard is a novel system that uses large language models to analyze audit logs at a detailed behavior level, improving detection of covert attacks and providing interpretive explanations.

Contribution

It introduces a method combining behavior extraction, knowledge graph construction, and LLM-based summarization to enhance attack detection and explanation in enterprise security.

Findings

Achieves 96% F1 score in malicious behavior detection

Demonstrates scalability across multiple models and unknown attacks

Shows strong fine-tuning capabilities for expert system updates

Abstract

End-point monitoring solutions are widely deployed in today's enterprise environments to support advanced attack detection and investigation. These monitors continuously record system-level activities as audit logs and provide deep visibility into security events. Unfortunately, existing methods of semantic analysis based on audit logs have low granularity, only reaching the system call level, making it difficult to effectively classify highly covert behaviors. Additionally, existing works mainly match audit log streams with rule knowledge bases describing behaviors, which heavily rely on expertise and lack the ability to detect unknown attacks and provide interpretive descriptions. In this paper, we propose SmartGuard, an automated method that combines abstracted behaviors from audit event semantics with large language models. SmartGuard extracts specific behaviors (function level) from incoming system logs and constructs a knowledge graph, divides events by threads, and combines event summaries with graph embeddings to achieve information diagnosis and provide explanatory narratives through large language models. Our evaluation shows that SmartGuard achieves an average F1 score of 96\% in assessing malicious behaviors and demonstrates good scalability across multiple models and unknown attacks. It also possesses excellent fine-tuning capabilities, allowing experts to assist in timely system updates.