Proactively Detecting Threats: A Novel Approach Using LLMs
This addresses the problem of escalating malware threats for enterprise security by offering a proactive detection method, though it is incremental as it applies existing LLMs to a new domain.
This paper tackled the problem of proactively detecting threats by using large language models (LLMs) to identify indicators of compromise (IOCs) from unstructured web-based sources, achieving high performance with Gemini 1.5 Pro showing 0.958 precision and 1.0 recall for malicious IOCs.
Enterprise security faces escalating threats from sophisticated malware, compounded by expanding digital operations. This paper presents the first systematic evaluation of large language models (LLMs) to proactively identify indicators of compromise (IOCs) from unstructured web-based threat intelligence sources, distinguishing it from reactive malware detection approaches. We developed an automated system that pulls IOCs from 15 web-based threat report sources to evaluate six LLM models (Gemini, Qwen, and Llama variants). Our evaluation of 479 webpages containing 2,658 IOCs (711 IPv4 addresses, 502 IPv6 addresses, 1,445 domains) reveals significant performance variations. Gemini 1.5 Pro achieved 0.958 precision and 0.788 specificity for malicious IOC identification, while demonstrating perfect recall (1.0) for actual threats.