Showing 1–8 of 8 results for author: Mimran, D

LLMCloudHunter: Harnessing LLMs for Automated Extraction of Detection Rules from Cloud-Based CTI

Authors: Yuval Schwartz, Lavi Benshimol, Dudu Mimran, Yuval Elovici, Asaf Shabtai

Abstract: As the number and sophistication of cyber attacks have increased, threat hunting has become a critical aspect of active security, enabling proactive detection and mitigation of threats before they cause significant harm. Open-source cyber threat intelligence (OS-CTI) is a valuable resource for threat hunters, however, it often comes in unstructured formats that require further manual analysis. Pre… ▽ More As the number and sophistication of cyber attacks have increased, threat hunting has become a critical aspect of active security, enabling proactive detection and mitigation of threats before they cause significant harm. Open-source cyber threat intelligence (OS-CTI) is a valuable resource for threat hunters, however, it often comes in unstructured formats that require further manual analysis. Previous studies aimed at automating OSCTI analysis are limited since (1) they failed to provide actionable outputs, (2) they did not take advantage of images present in OSCTI sources, and (3) they focused on on-premises environments, overlooking the growing importance of cloud environments. To address these gaps, we propose LLMCloudHunter, a novel framework that leverages large language models (LLMs) to automatically generate generic-signature detection rule candidates from textual and visual OSCTI data. We evaluated the quality of the rules generated by the proposed framework using 12 annotated real-world cloud threat reports. The results show that our framework achieved a precision of 92% and recall of 98% for the task of accurately extracting API calls made by the threat actor and a precision of 99% with a recall of 98% for IoCs. Additionally, 99.18% of the generated detection rule candidates were successfully compiled and converted into Splunk queries. △ Less

Submitted 6 July, 2024; originally announced July 2024.

GenKubeSec: LLM-Based Kubernetes Misconfiguration Detection, Localization, Reasoning, and Remediation

Authors: Ehud Malul, Yair Meidan, Dudu Mimran, Yuval Elovici, Asaf Shabtai

Abstract: A key challenge associated with Kubernetes configuration files (KCFs) is that they are often highly complex and error-prone, leading to security vulnerabilities and operational setbacks. Rule-based (RB) tools for KCF misconfiguration detection rely on static rule sets, making them inherently limited and unable to detect newly-discovered misconfigurations. RB tools also suffer from misdetection, si… ▽ More A key challenge associated with Kubernetes configuration files (KCFs) is that they are often highly complex and error-prone, leading to security vulnerabilities and operational setbacks. Rule-based (RB) tools for KCF misconfiguration detection rely on static rule sets, making them inherently limited and unable to detect newly-discovered misconfigurations. RB tools also suffer from misdetection, since mistakes are likely when coding the detection rules. Recent methods for detecting and remediating KCF misconfigurations are limited in terms of their scalability and detection coverage, or due to the fact that they have high expertise requirements and do not offer automated remediation along with misconfiguration detection. Novel approaches that employ LLMs in their pipeline rely on API-based, general-purpose, and mainly commercial models. Thus, they pose security challenges, have inconsistent classification performance, and can be costly. In this paper, we propose GenKubeSec, a comprehensive and adaptive, LLM-based method, which, in addition to detecting a wide variety of KCF misconfigurations, also identifies the exact location of the misconfigurations and provides detailed reasoning about them, along with suggested remediation. When empirically compared with three industry-standard RB tools, GenKubeSec achieved equivalent precision (0.990) and superior recall (0.999). When a random sample of KCFs was examined by a Kubernetes security expert, GenKubeSec's explanations as to misconfiguration localization, reasoning and remediation were 100% correct, informative and useful. To facilitate further advancements in this domain, we share the unique dataset we collected, a unified misconfiguration index we developed for label standardization, our experimentation code, and GenKubeSec itself as an open-source tool. △ Less

Submitted 30 May, 2024; originally announced May 2024.

Observability and Incident Response in Managed Serverless Environments Using Ontology-Based Log Monitoring

Authors: Lavi Ben-Shimol, Edita Grolman, Aviad Elyashar, Inbar Maimon, Dudu Mimran, Oleg Brodt, Martin Strassmann, Heiko Lehmann, Yuval Elovici, Asaf Shabtai

Abstract: In a fully managed serverless environment, the cloud service provider is responsible for securing the cloud infrastructure, thereby reducing the operational and maintenance efforts of application developers. However, this environment limits the use of existing cybersecurity frameworks and tools, which reduces observability and situational awareness capabilities (e.g., risk assessment, incident res… ▽ More In a fully managed serverless environment, the cloud service provider is responsible for securing the cloud infrastructure, thereby reducing the operational and maintenance efforts of application developers. However, this environment limits the use of existing cybersecurity frameworks and tools, which reduces observability and situational awareness capabilities (e.g., risk assessment, incident response). In addition, existing security frameworks for serverless applications do not generalize well to all application architectures and usually require adaptation, specialized expertise, etc. for use in fully managed serverless environments. In this paper, we introduce a three-layer security scheme for applications deployed in fully managed serverless environments. The first two layers involve a unique ontology based solely on serverless logs which is used to transform them into a unified application activity knowledge graph. In the third layer, we address the need for observability and situational awareness capabilities by implementing two situational awareness tools that utilizes the graph-based representation: 1) An incident response dashboard that leverages the ontology to visualize and examine application activity logs in the context of cybersecurity alerts. Our user study showed that the dashboard enabled participants to respond more accurately and quickly to new security alerts than the baseline tool. 2) A criticality of asset (CoA) risk assessment framework that enables efficient expert-based prioritization in cybersecurity contexts. △ Less

Submitted 12 May, 2024; originally announced May 2024.

CodeCloak: A Method for Evaluating and Mitigating Code Leakage by LLM Code Assistants

Authors: Amit Finkman, Eden Bar-Kochva, Avishag Shapira, Dudu Mimran, Yuval Elovici, Asaf Shabtai

Abstract: LLM-based code assistants are becoming increasingly popular among developers. These tools help developers improve their coding efficiency and reduce errors by providing real-time suggestions based on the developer's codebase. While beneficial, these tools might inadvertently expose the developer's proprietary code to the code assistant service provider during the development process. In this work,… ▽ More LLM-based code assistants are becoming increasingly popular among developers. These tools help developers improve their coding efficiency and reduce errors by providing real-time suggestions based on the developer's codebase. While beneficial, these tools might inadvertently expose the developer's proprietary code to the code assistant service provider during the development process. In this work, we propose two complementary methods to mitigate the risk of code leakage when using LLM-based code assistants. The first is a technique for reconstructing a developer's original codebase from code segments sent to the code assistant service (i.e., prompts) during the development process, enabling assessment and evaluation of the extent of code leakage to third parties (or adversaries). The second is CodeCloak, a novel deep reinforcement learning agent that manipulates the prompts before sending them to the code assistant service. CodeCloak aims to achieve the following two contradictory goals: (i) minimizing code leakage, while (ii) preserving relevant and useful suggestions for the developer. Our evaluation, employing GitHub Copilot, StarCoder, and CodeLlama LLM-based code assistants models, demonstrates the effectiveness of our CodeCloak approach on a diverse set of code repositories of varying sizes, as well as its transferability across different models. In addition, we generate a realistic simulated coding environment to thoroughly analyze code leakage risks and evaluate the effectiveness of our proposed mitigation techniques under practical development scenarios. △ Less

Submitted 13 April, 2024; originally announced April 2024.

Adversarial Machine Learning Threat Analysis and Remediation in Open Radio Access Network (O-RAN)

Authors: Edan Habler, Ron Bitton, Dan Avraham, Dudu Mimran, Eitan Klevansky, Oleg Brodt, Heiko Lehmann, Yuval Elovici, Asaf Shabtai

Abstract: O-RAN is a new, open, adaptive, and intelligent RAN architecture. Motivated by the success of artificial intelligence in other domains, O-RAN strives to leverage machine learning (ML) to automatically and efficiently manage network resources in diverse use cases such as traffic steering, quality of experience prediction, and anomaly detection. Unfortunately, it has been shown that ML-based systems… ▽ More O-RAN is a new, open, adaptive, and intelligent RAN architecture. Motivated by the success of artificial intelligence in other domains, O-RAN strives to leverage machine learning (ML) to automatically and efficiently manage network resources in diverse use cases such as traffic steering, quality of experience prediction, and anomaly detection. Unfortunately, it has been shown that ML-based systems are vulnerable to an attack technique referred to as adversarial machine learning (AML). This special kind of attack has already been demonstrated in recent studies and in multiple domains. In this paper, we present a systematic AML threat analysis for O-RAN. We start by reviewing relevant ML use cases and analyzing the different ML workflow deployment scenarios in O-RAN. Then, we define the threat model, identifying potential adversaries, enumerating their adversarial capabilities, and analyzing their main goals. Next, we explore the various AML threats associated with O-RAN and review a large number of attacks that can be performed to realize these threats and demonstrate an AML attack on a traffic steering model. In addition, we analyze and propose various AML countermeasures for mitigating the identified threats. Finally, based on the identified AML threats and countermeasures, we present a methodology and a tool for performing risk assessment for AML attacks for a specific ML use case in O-RAN. △ Less

Submitted 4 March, 2023; v1 submitted 16 January, 2022; originally announced January 2022.

Evaluating the Security of Open Radio Access Networks

Authors: Dudu Mimran, Ron Bitton, Yehonatan Kfir, Eitan Klevansky, Oleg Brodt, Heiko Lehmann, Yuval Elovici, Asaf Shabtai

Abstract: The Open Radio Access Network (O-RAN) is a promising RAN architecture, aimed at resha** the RAN industry toward an open, adaptive, and intelligent RAN. In this paper, we conducted a comprehensive security analysis of Open Radio Access Networks (O-RAN). Specifically, we review the architectural blueprint designed by the O-RAN alliance -- A leading force in the cellular ecosystem. Within the secur… ▽ More The Open Radio Access Network (O-RAN) is a promising RAN architecture, aimed at resha** the RAN industry toward an open, adaptive, and intelligent RAN. In this paper, we conducted a comprehensive security analysis of Open Radio Access Networks (O-RAN). Specifically, we review the architectural blueprint designed by the O-RAN alliance -- A leading force in the cellular ecosystem. Within the security analysis, we provide a detailed overview of the O-RAN architecture; present an ontology for evaluating the security of a system, which is currently at an early development stage; detect the primary risk areas to O-RAN; enumerate the various threat actors to O-RAN; and model potential threats to O-RAN. The significance of this work is providing an updated attack surface to cellular network operators. Based on the attack surface, cellular network operators can carefully deploy the appropriate countermeasure for increasing the security of O-RAN. △ Less

Submitted 16 January, 2022; originally announced January 2022.

Evaluation of Security Solutions for Android Systems

Authors: Asaf Shabtai, Dudu Mimran, Yuval Elovici

Abstract: With the increasing usage of smartphones a plethora of security solutions are being designed and developed. Many of the security solutions fail to cope with advanced attacks and are not aways properly designed for smartphone platforms. Therefore, there is a need for a methodology to evaluate their effectiveness. Since the Android operating system has the highest market share today, we decided to f… ▽ More With the increasing usage of smartphones a plethora of security solutions are being designed and developed. Many of the security solutions fail to cope with advanced attacks and are not aways properly designed for smartphone platforms. Therefore, there is a need for a methodology to evaluate their effectiveness. Since the Android operating system has the highest market share today, we decided to focus on it in this study in which we review some of the state-of-the-art security solutions for Android-based smartphones. In addition, we present a set of evaluation criteria aiming at evaluating security mechanisms that are specifically designed for Android-based smartphones. We believe that the proposed framework will help security solution designers develop more effective solutions and assist security experts evaluate the effectiveness of security solutions for Android-based smartphones. △ Less

Submitted 17 February, 2015; originally announced February 2015.

Detection of Deviations in Mobile Applications Network Behavior

Authors: L. Chekina, D. Mimran, L. Rokach, Y. Elovici, B. Shapira

Abstract: In this paper a novel system for detecting meaningful deviations in a mobile application's network behavior is proposed. The main goal of the proposed system is to protect mobile device users and cellular infrastructure companies from malicious applications. The new system is capable of: (1) identifying malicious attacks or masquerading applications installed on a mobile device, and (2) identifyin… ▽ More In this paper a novel system for detecting meaningful deviations in a mobile application's network behavior is proposed. The main goal of the proposed system is to protect mobile device users and cellular infrastructure companies from malicious applications. The new system is capable of: (1) identifying malicious attacks or masquerading applications installed on a mobile device, and (2) identifying republishing of popular applications injected with a malicious code. The detection is performed based on the application's network traffic patterns only. For each application two types of models are learned. The first model, local, represents the personal traffic pattern for each user using an application and is learned on the device. The second model, collaborative, represents traffic patterns of numerous users using an application and is learned on the system server. Machine-learning methods are used for learning and detection purposes. This paper focuses on methods utilized for local (i.e., on mobile device) learning and detection of deviations from the normal application's behavior. These methods were implemented and evaluated on Android devices. The evaluation experiments demonstrate that: (1) various applications have specific network traffic patterns and certain application categories can be distinguishable by their network patterns, (2) different levels of deviations from normal behavior can be detected accurately, and (3) local learning is feasible and has a low performance overhead on mobile devices. △ Less

Submitted 5 August, 2012; v1 submitted 27 July, 2012; originally announced August 2012.

Comments: Length of 10 pages, submitted to Annual Computer Security Applications Conference, ACSAC'2012