loading page

Towards autonomous device protection using behavioral profiling and large language network
  • Sandeep Gupta
Sandeep Gupta
Author Profile

Abstract

Demand for autonomous protection in computing devices can not go unnoticed with a cataclysmic rise in cyber-attacks. Consequently, cybersecurity measures with an improved generalization that can proactively determine the indicators of compromises to predict zero-day threats or previously unseen malware together with known malware are highly desirable. In this article, we present a novel concept of autonomous device protection based on behavioral profiling by continuously monitoring internal resource usage and exploiting a large language model to distinguish between benign and malicious behavior. We design and develop a proof-of-concept for Windows-based computing devices relying on a built-in event tracing mechanism for log collection that is converted into structured data using a graph data structure. We extract graph-level features, \textit{i.e., graph depth, nodes count, number of leaf nodes, node degree statistics, and events count}, and node-level features, i.e., process start, file create and registry events details for each graph. Further, we exploit a pre-trained large language network - a simple contrastive sentence embedding framework to extract strong features, i.e., dense vectors, from event graphs. Finally, we train a random forest classifier using both the graph- and node-level features to obtain classification models that are evaluated on a collected dataset containing one thousand benign and malicious samples achieving accuracy up to 99.25%.