TY - GEN
T1 - LLMCloudHunter
T2 - 34th ACM Web Conference, WWW 2025
AU - Schwartz, Yuval
AU - Ben-Shimol, Lavi
AU - Mimran, Dudu
AU - Elovici, Yuval
AU - Shabtai, Asaf
N1 - Publisher Copyright: © 2025 Copyright held by the owner/author(s).
PY - 2025/4/28
Y1 - 2025/4/28
N2 - As the number and sophistication of cyber attacks have increased, threat hunting has become a critical aspect of active security, enabling proactive detection and mitigation of threats before they cause harm. Open-source cyber threat intelligence (OSCTI) is a valuable resource for threat hunters; however, it often comes in unstructured formats requiring manual analysis. Previous studies aimed at automating OSCTI analysis are limited since (1) they failed to provide actionable outputs, (2) they did not utilize images in OSCTI sources, and (3) they focused on on-premise environments, overlooking the growing importance of cloud security. To address these gaps, we propose LLMCloudHunter, a novel framework leveraging large language models (LLMs) to automatically generate generic-signature detection rule candidates from textual and visual OSCTI data. We evaluated the quality of the rules generated by our framework using 20 annotated real-world cloud threat reports. Results show that LLMCloudHunter achieved 83% precision and 99% recall for extracting API calls made by the threat actor and 99% precision with 97% recall for indicators of compromise (IoCs). Additionally, 99.18% of the generated detection rule candidates were successfully compiled and converted into Splunk queries.
AB - As the number and sophistication of cyber attacks have increased, threat hunting has become a critical aspect of active security, enabling proactive detection and mitigation of threats before they cause harm. Open-source cyber threat intelligence (OSCTI) is a valuable resource for threat hunters; however, it often comes in unstructured formats requiring manual analysis. Previous studies aimed at automating OSCTI analysis are limited since (1) they failed to provide actionable outputs, (2) they did not utilize images in OSCTI sources, and (3) they focused on on-premise environments, overlooking the growing importance of cloud security. To address these gaps, we propose LLMCloudHunter, a novel framework leveraging large language models (LLMs) to automatically generate generic-signature detection rule candidates from textual and visual OSCTI data. We evaluated the quality of the rules generated by our framework using 20 annotated real-world cloud threat reports. Results show that LLMCloudHunter achieved 83% precision and 99% recall for extracting API calls made by the threat actor and 99% precision with 97% recall for indicators of compromise (IoCs). Additionally, 99.18% of the generated detection rule candidates were successfully compiled and converted into Splunk queries.
KW - Cloud
KW - Cyber threat intelligence (CTI)
KW - LLM
KW - Sigma rules
UR - http://www.scopus.com/inward/record.url?scp=105005153113&partnerID=8YFLogxK
U2 - 10.1145/3696410.3714798
DO - 10.1145/3696410.3714798
M3 - Conference contribution
T3 - WWW 2025 - Proceedings of the ACM Web Conference
SP - 1922
EP - 1941
BT - WWW 2025 - Proceedings of the ACM Web Conference
Y2 - 28 April 2025 through 2 May 2025
ER -