CRAI, Apr 23, 2021

Automating Cyber Threat Hunting Using NLP, Automated Query Generation, and Genetic Perturbation

arXiv:2104.11576v1, 14 citations
Originality: Synthesis-oriented
AI Analysis

This paper addresses the problem of detecting and characterizing cyber threats in large enterprise networks for security professionals, and represents an incremental improvement in automation.

The paper tackles the challenge of automating cyber threat hunting at scale by developing the WILEE system, which translates high-level threat descriptions into concrete implementations expressed in a custom domain-specific language and uses them to automatically generate queries for hypothesis testing.

Scaling the cyber hunt problem poses several key technical challenges. Detecting and characterizing cyber threats at scale in large enterprise networks is hard because of the vast quantity and complexity of the data that must be analyzed as adversaries deploy varied and evolving tactics to accomplish their goals. There is a great need to automate all aspects, and, indeed, the workflow of cyber hunting. AI offers many ways to support this. We have developed the WILEE system that automates cyber threat hunting by translating high-level threat descriptions into many possible concrete implementations. Both the (high-level) abstract and (low-level) concrete implementations are represented using a custom domain specific language (DSL). WILEE uses the implementations along with other logic, also written in the DSL, to automatically generate queries to confirm (or refute) any hypotheses tied to the potential adversarial workflows represented at various layers of abstraction.
