Generative AI can assist cybersecurity professionals with threat detection: report

A new research report published on Monday has shown how the cybersecurity professionals can leverage GPT-4, the language model behind the ChatGPT framework, launched earlier this week by Artificial Intelligence (AI) research firm, OpenAI, as a co-pilot to help defeat attackers.

The research by UK-based cybersecurity firm Sophos details projects developed by its threat intelligence services Sophos X-Ops using GPT-3’s large language models to simplify the search for malicious activity in datasets from security software, more accurately filter spam, and speed up analysis of “living off the land” binary (LOLBin) attacks.

LoLBins are binaries of a non-malicious nature, local to the operating system that have been utilised and exploited by cyber criminals and crime groups to camouflage their malicious activity.

“Since OpenAI unveiled ChatGPT back in November, the security community has largely focused on the potential risks this new technology could bring,” said Sean Gallagher, principal threat researcher, Sophos, speaking on the new initiative. He said that Sophos researchers have been observing “AI as an ally rather than an enemy for defenders”, making it a cornerstone technology for cyber security professionals. “The security community should be paying attention not just to the potential risks, but the potential opportunities GPT-3 brings,” he said.

Sophos X-Ops researchers, including Sophos’ AI Principal Data Scientist Younghoo Lee, have been working on three prototype projects that demonstrate the potential of GPT-3 as an assistant to cybersecurity defenders. All three use a technique called “few-shot learning” to train the AI model with just a few data samples, reducing the need to collect a large volume of pre-classified data.

The first application Sophos tested with the few-shot learning method was a natural language query interface for sifting through malicious activity in security software telemetry; specifically, Sophos tested the model against its endpoint detection and response product. With this interface, defenders can filter through the telemetry with basic English commands, removing the need for defenders to understand SQL or a database’s underlying structure.

Next, Sophos tested a new spam filter using ChatGPT and found that, when compared to other machine learning models for spam filtering, the filter using GPT-3 was significantly more accurate. Finally, Sophos researchers were able to create a program to simplify the process for reverse-engineering the command lines of LOLBins. Such reverse-engineering is notoriously difficult, but also critical for understanding LOLBins’ behaviour — and putting a stop to those types of attacks in the future.

“One of the growing concerns within security operation centres is the sheer amount of ‘noise’ coming in. There are just too many notifications and detections to sort through, and many companies are dealing with limited resources,” said Gallagher.

“We’ve proved that, with something like GPT-3, we can simplify certain labour-intensive processes and give back valuable time to defenders. We are already working on incorporating some of the prototypes above into our products, and we’ve made the results of our efforts available on our GitHub for those interested in testing GPT-3 in their own analysis environments. In the future, we believe that GPT-3 may very well become a standard co-pilot for security experts,” he added.

To be sure, other cyber security researchers in recent months have highlighted the implication of ChatGPT and GPT-4 on security professionals. In a research report published on March 14, Israeli cyber security firm, Check Point Research, said despite improvements to safety metrics, GPT-4 still poses the risk of being manipulated by cyber criminals to generate malicious code.  

Cyber security experts have also warned that such risks can emerge from rising sophistication of security threats driven by GPT-4’s better reasoning and language comprehension abilities, as well as its long-form text generation ability that can be used to write more complex code for malicious software programmes. 

Earlier in a January report, cybersecurity researchers of CyberArk also detailed how their researchers bypassed ChatGPT’s content filters and got it to create what they described as “functional code” to inject a DLL into explorer.exe. The researchers went on to use the chatbot to create polymorphic code that is difficult for antimalware software to spot and deal with.