The AI model behind ChatGPT can make it easier to filter malicious activity out of XDR telemetry, improve spam filters, and simplify the analysis of "Living Off the Land Binaries" (LOLBins for short), according to a new report from Sophos.
The subject is the GPT-3 language model, which underlies the well-known ChatGPT framework, and how the cybersecurity industry can use it to defend against attackers. The report, "GPT for You and Me: Applying AI Language Processing to Cyber Defenses", describes projects developed by Sophos X-Ops that build on the GPT-3 large language model. The aim is to make it easier to search for malicious activity in the data produced by security software, to filter spam more precisely and quickly, and to analyze Living Off the Land Binary (LOLBin) attacks faster.
Use AI for defense too
“Since OpenAI unveiled ChatGPT in November 2022, the security industry has largely focused on the potential risks this new technology could pose. Can AI help would-be attackers write malware or cybercriminals craft more compelling phishing emails? Maybe, but at Sophos we've always seen AI as an ally, not an enemy, for defense, making it a cornerstone technology for Sophos, and the same goes for GPT-3. The security industry should not only pay attention to the potential risks of the technology, but also to the possible opportunities,” said Sean Gallagher, Principal Threat Researcher at Sophos.
GPT-3 as a cybersecurity assistant
Sophos X-Ops researchers are working on three prototype projects that demonstrate the potential of GPT-3 as an assistant to cybersecurity defenders. All three projects use a technique called "few-shot learning" to train the AI model with just a few data samples, reducing the need to collect a large amount of pre-classified data.
The first application Sophos tested using the few-shot learning method was a natural language query interface for searching security software telemetry for malicious activity. In particular, Sophos validated the model against its Endpoint Detection and Response solution. With this interface, defenders can filter telemetry using plain-English queries without having to understand SQL or the underlying structure of the database.
New spam filter with ChatGPT
Next, Sophos tested a new spam filter built on ChatGPT and found that the GPT-3-based filter was significantly more accurate than other machine learning models used for spam filtering. Finally, Sophos researchers were able to create a program that makes it easier to reverse-engineer LOLBin command lines. Such reverse engineering is notoriously difficult, but it is also critical to understanding LOLBin behavior and preventing these types of attacks in the future.
SOCs get strong support
“One of the growing concerns in SOCs (Security Operations Centers) is the sheer volume of 'noise' that is coming in. There are simply too many alerts and detections to sort through, and many organizations are struggling with limited resources. We've proven that with GPT-3 we can simplify certain labor-intensive processes and give defenders valuable time back. We are already working on integrating some of the above prototypes into our products and have made the results of our efforts available on our GitHub for those interested in testing GPT-3 in their own analysis environments. We believe GPT-3 may very well become a co-pilot for security professionals in the future,” Gallagher said.
More at Sophos.com
About Sophos
More than 100 million users in 150 countries trust Sophos. We offer the best protection against complex IT threats and data loss. Our comprehensive security solutions are easy to deploy, use and manage, and they offer the lowest total cost of ownership in the industry. Sophos offers award-winning encryption solutions and security solutions for endpoints, networks, mobile devices, email and the web. These are backed by SophosLabs, our worldwide network of analysis centers. Sophos is headquartered in Boston, USA and Oxford, UK.