SHIELD: APT Detection and Intelligent Explanation Using LLM
Journal:
arXiv
Published Date:
Feb 4, 2025
Abstract
Advanced persistent threats (APTs) are sophisticated cyber attacks that can
remain undetected for extended periods, making their mitigation particularly
challenging. Given their persistence, significant effort is required to detect
them and respond effectively. Existing provenance-based attack detection
methods often lack interpretability and suffer from high false positive rates,
while investigation approaches are either supervised or limited to known
attacks. To address these challenges, we introduce SHIELD, a novel approach
that combines statistical anomaly detection and graph-based analysis with the
contextual analysis capabilities of large language models (LLMs). SHIELD
leverages the implicit knowledge of LLMs to uncover hidden attack patterns in
provenance data, while reducing false positives and providing clear,
interpretable attack descriptions. This reduces analysts' alert fatigue and
makes it easier for them to understand the threat landscape. Our extensive
evaluation demonstrates SHIELD's effectiveness and computational efficiency in
real-world scenarios. SHIELD was shown to outperform state-of-the-art methods,
achieving higher precision and recall. SHIELD's integration of anomaly
detection, LLM-driven contextual analysis, and advanced graph-based correlation
establishes a new benchmark for APT detection.
