Logo
ScienceStack
Table of Contents
Fetching ...
Sign In

SHIELD: APT Detection and Intelligent Explanation Using LLM

Parth Atulbhai Gandhi, Prasanna N. Wudali, Yonatan Amaru, Yuval Elovici, Asaf Shabtai

TL;DR

SHIELD addresses the challenge of detecting and explaining APTs in provenance data by marrying unsupervised anomaly detection, graph-based correlation, and large language model (LLM) reasoning. It processes system provenance in short sliding windows while maintaining a rolling provenance graph for long-term attack tracking, generating kill-chain-aligned narratives with IoCs. The approach yields high precision and recall across multiple datasets, including perfect precision on CADETS and strong detection of long-running campaigns, outperforming state-of-the-art baselines and reducing analyst workload via interpretable summaries. The work demonstrates the practical potential of LLM-assisted security investigations and offers a scalable framework for real-world SOC deployments, albeit with resource requirements and a processing delay bound of 15 minutes.

Abstract

Advanced persistent threats (APTs) are sophisticated cyber attacks that can remain undetected for extended periods, making their mitigation particularly challenging. Given their persistence, significant effort is required to detect them and respond effectively. Existing provenance-based attack detection methods often lack interpretability and suffer from high false positive rates, while investigation approaches are either supervised or limited to known attacks. To address these challenges, we introduce SHIELD, a novel approach that combines statistical anomaly detection and graph-based analysis with the contextual analysis capabilities of large language models (LLMs). SHIELD leverages the implicit knowledge of LLMs to uncover hidden attack patterns in provenance data, while reducing false positives and providing clear, interpretable attack descriptions. This reduces analysts' alert fatigue and makes it easier for them to understand the threat landscape. Our extensive evaluation demonstrates SHIELD's effectiveness and computational efficiency in real-world scenarios. SHIELD was shown to outperform state-of-the-art methods, achieving higher precision and recall. SHIELD's integration of anomaly detection, LLM-driven contextual analysis, and advanced graph-based correlation establishes a new benchmark for APT detection.

SHIELD: APT Detection and Intelligent Explanation Using LLM

TL;DR

SHIELD addresses the challenge of detecting and explaining APTs in provenance data by marrying unsupervised anomaly detection, graph-based correlation, and large language model (LLM) reasoning. It processes system provenance in short sliding windows while maintaining a rolling provenance graph for long-term attack tracking, generating kill-chain-aligned narratives with IoCs. The approach yields high precision and recall across multiple datasets, including perfect precision on CADETS and strong detection of long-running campaigns, outperforming state-of-the-art baselines and reducing analyst workload via interpretable summaries. The work demonstrates the practical potential of LLM-assisted security investigations and offers a scalable framework for real-world SOC deployments, albeit with resource requirements and a processing delay bound of 15 minutes.

Abstract

Advanced persistent threats (APTs) are sophisticated cyber attacks that can remain undetected for extended periods, making their mitigation particularly challenging. Given their persistence, significant effort is required to detect them and respond effectively. Existing provenance-based attack detection methods often lack interpretability and suffer from high false positive rates, while investigation approaches are either supervised or limited to known attacks. To address these challenges, we introduce SHIELD, a novel approach that combines statistical anomaly detection and graph-based analysis with the contextual analysis capabilities of large language models (LLMs). SHIELD leverages the implicit knowledge of LLMs to uncover hidden attack patterns in provenance data, while reducing false positives and providing clear, interpretable attack descriptions. This reduces analysts' alert fatigue and makes it easier for them to understand the threat landscape. Our extensive evaluation demonstrates SHIELD's effectiveness and computational efficiency in real-world scenarios. SHIELD was shown to outperform state-of-the-art methods, achieving higher precision and recall. SHIELD's integration of anomaly detection, LLM-driven contextual analysis, and advanced graph-based correlation establishes a new benchmark for APT detection.

Paper Structure

This paper contains 10 sections, 5 equations, 6 figures, 5 tables, 1 algorithm.

Table of Contents

  1. Introduction
  2. Related Work
  3. Proposed Method
  4. Evaluation Setup
  5. Evaluation Results
  6. Discussion
  7. Conclusions and Future Work
  8. Chain-of-Thought Detection Algorithm
  9. Comparative Study of LLM Models
  10. Attack Summary Visualization

Figures (6)

  • Figure 1: Overview of the SHIELD pipeline, with an example demonstrating the interaction between the four modules.
  • Figure 2: Deviation analyzer: Detection of event-level anomalies, followed by the addition of the processes and their first-level ancestors and descendants for further analysis.
  • Figure 3: Graph analyzer: Detection of infection points, followed by tag-propagation and iterative pruning of benign entities, resulting in a reduced graph structure optimized for further analysis.
  • Figure 4: LLM analyzer: An illustration of the CoT reasoning.
  • Figure 5: LLM analyzer and temporal correlation engine: Analyzes system logs, tags malicious nodes, performs graph traversal, adds the tagged nodes to the attack set, and maintains historical context of attack evolution while considering memory constraints.
  • ...and 1 more figures