A step above Zero Day Cybersecurity

Detecting zero-day threats on a network, specially before they even start showing indicators of compromise, requires sophisticated and proactive measures. The idea of using Large Language Models (LLMs) trained specifically for IT traffic introduces an innovative approach into the concept of cybersecurity AI (LitLMs).

This is precisely what Guillermo Larraz Pérez – BLM for the Teldat Cybersecurity Business Unit, will be explaining in more detail at #18ENISE, trade fair organized by INCIBE. At the Palacio de Exposiciones de León, Spain (21-23 October 2024).

So let’s make a preview of what this is all about.

To understand how these Large Language Models could potentially work in the context of IT and specifically in that of cybersecurity:

?

How Large IT Language Models Can Detect Known Threats or Viruses

Large IT Language Models (LitLMs) can be trained on vast datasets of known network traffic, including both benign traffic and traffic associated with malicious activities (e.g. malware communications, botnet activity or phishing attempts, etc.). The goal would be to make these models highly familiar with the normal "language" of network traffic so they can spot anomalies or known patterns associated with malicious behavior. The process work as follows:

• Pattern Recognition: LLMs in combination with our NGFW analyze incoming traffic in real-time, recognizing patterns or sequences of deciphered packet data that are consistent with known malware signatures, attack vectors, or abnormal behaviors. For example, it could detect command-and-control (C2) traffic patterns or communication that resembles how ransomware often propagates or operates.
• Contextual Understanding: LLMs have the ability to understand not just isolated data points but the context in which that data is transmitted. This means the model can identify cases where the traffic looks legitimate on the surface but, based on the broader context (such as the time of communication, the structure of the packet, and its interaction with other network services), may still pose a threat.
• Dynamic Learning: Unlike traditional antivirus systems that rely on signature-based detection, LLMs use unsupervised or semi-supervised learning to continue updating themselves as new threats emerge, learning from each new instance of suspicious behavior to detect even modified or slightly altered known threats.

?

How Large IT Language Models Can Detect Zero-Day Attacks:

Zero-day attacks are especially dangerous because they exploit vulnerabilities that are not yet known to the security community, meaning traditional defenses like NGFW and signature-based systems fail to detect them. LitLMs technology is trained for IT security so that it can offer a novel approach to spotting such attacks based on their ability to detect subtle deviations from normal traffic language.

• Anomaly Detection: Since zero-day attacks packet content typically differ in ways that are outside the norm (e.g., initiating unexpected connections, using unrecognized protocols, exhibiting unusual communication patterns, etc.), LLMs can be trained to establish a baseline of what normal network traffic language looks like. Anything that deviates from this baseline could trigger an alert. For instance, if a zero-day attack sends malformed packets or interacts with systems in unusual ways, the model could flag it based on the statistical improbability of such behavior in typical network traffic.
• Behavioral Analysis: LLMs can be used not just to analyze traffic content but also to understand traffic behavior. Zero-day exploits often involve a series of steps or behaviors (like privilege escalation, lateral movement, data exfiltration, etc.) that the model can be trained to recognize as suspicious, even if the specific attack is unknown.
• Prediction and Inference: LLMs could use predictive modeling to infer potential threats before they fully manifest. If the model detects early-stage indicators of compromise—such as minor data anomalies or unusual access requests—it might predict that a zero-day attack could be underway and initiate countermeasures before significant damage occurs.

?

Detecting Threats on the Communication Lines:

To prevent viruses or threats from ever reaching the firewall, LitLMs could be deployed directly on communication lines on the Cloud where they would monitor incoming and outgoing traffic in real-time.

• Pre-Firewall Inspection: This layer of security inspects traffic at the cloud network, where LLMs filter potential threats by identifying suspicious patterns and behaviors even before the data reaches the firewall. By running deep packet inspection and analyzing the metadata and payload of each packet, the model can identify and drop malicious traffic.
• Preventative Blocking (optional): Once the model has flagged a packet or series of packets as suspicious or malicious, it could block the traffic immediately or raise an alarm to the admin users, preventing it from entering the network entirely. This method ensures that known threats are filtered out as early as possible.
• Multi-Layered Protection: To ensure optimal protection, LLM-based systems work alongside traditional firewalls and intrusion detection/prevention systems (IDS/IPS) to create multiple layers of defense. The LLM would focus on early detection (e.g., at the communication lines), while firewalls and other tools provide backup within the network itself. One advantage of this approach is that it can detect zero-day attacks without the need of indicators of compromise, thus reducing even further the possible penetration of any attack and blocking it before it even starts acting upon the system. This is a clear differentiator with any other AI-technology of the market.

?

Challenges and Considerations

While LitLMs offer a powerful approach to threat detection, there are also challenges:

• Training Data: The effectiveness of the LitLM depends on the quality and diversity of the training data. The model needs to be exposed to a wide variety of both benign and malicious traffic patterns.
• False Positives: An overly sensitive LitLM might generate false positives, flagging legitimate traffic as malicious. Striking a balance between sensitivity and accuracy is key.
• Computational Resources: Running LitLMs on communication lines in real-time require significant processing power, especially at large scales. Optimizing these models for speed and efficiency would be essential.
• Evasion Tactics: Sophisticated attackers might try to craft traffic that mimics normal behavior or exploit weaknesses in the model’s understanding, requiring ongoing updates and improvements to the LitLM's capabilities.

In conclusion, deploying LitLMs for real-time IT traffic analysis offers a promising path towards more advanced detection of both known and zero-day threats. By leveraging pattern recognition, anomaly detection, and contextual analysis, such models could provide an additional layer of security that identifies and neutralizes threats before they even reach the firewall, offering a proactive defense against the constantly evolving landscape of cyber threats within communication lines.

?