Using Retriever Augmented Large Language Models for Attack Graph Generation
Renascence Tarafder Prapty, Ashish Kundu, Arun Iyengar
TL;DR
This work addresses the challenge of generating comprehensive attack graphs in dynamic cybersecurity landscapes. It introduces CrystalBall, a retriever-augmented generation framework that combines a fine-grained CVE retriever with LLM-driven graph construction to automatically produce attack graphs from CVE descriptions and threat reports. Key contributions include a semantic CVE retrieval model, a relational CVE database with embedded representations, and systematic evaluation of multiple LLMs, with GPT-4 delivering the most detailed graphs and best cross-device chaining. The results demonstrate that context-enhanced prompts and threat-report mining enable scalable, context-rich threat modeling, offering practical benefits for real-time security analysis while underscoring the need for domain validation and ethical considerations.
Abstract
As the complexity of modern systems increases, so does the importance of assessing their security posture through effective vulnerability management and threat modeling techniques. One powerful tool in the arsenal of cybersecurity professionals is the attack graph, a representation of all potential attack paths within a system that an adversary might exploit to achieve a certain objective. Traditional methods of generating attack graphs involve expert knowledge, manual curation, and computational algorithms that might not cover the entire threat landscape due to the ever-evolving nature of vulnerabilities and exploits. This paper explores the approach of leveraging large language models (LLMs), such as ChatGPT, to automate the generation of attack graphs by intelligently chaining Common Vulnerabilities and Exposures (CVEs) based on their preconditions and effects. It also shows how to utilize LLMs to create attack graphs from threat reports.