RU2825975C1 - Method of combining large language model and security agent - Google Patents

Abstract

FIELD: information technology.

SUBSTANCE: invention relates to a method for automatic compilation of requests and responses to a large language model on issues related to computer security. Method includes steps performed on a host, which is a user end device, where: a) receiving input data from a security agent located on said host; b) selecting one or more phrases from the input data; c) leaving at least one text request from selected phrases; d) sending each text request to a large language model located on said host; e) receiving a response from a large language model; f) extracting key phrases from the received response from the large language model; if key phrases at step f) have not been determined, the context is stored in the form of requests and responses from steps c) and f) and this context is transmitted to another large language model located outside the host.

EFFECT: high efficiency of detecting security incidents by using local and external large language models.

6 cl, 5 dwg, 2 tbl

Description

Field of technology

The invention relates to the field of information technology, and more specifically to systems and methods for using large language models together with security agents on user devices.

State of the art

Currently, more and more companies are using information security monitoring centers (Security Operations Center, SOC), which is associated with the growing number of information threats, the complexity of the company's infrastructure, as well as the requirements of authorities and regulators to protect user data from theft or illegal use. In recent years, the average amount of damage from an information security incident (hereinafter referred to as an incident) associated with penetration into the company's infrastructure has also increased, exceeding $ 5 million in 2022.

SOC specialists process data (the so-called artifacts, i.e. incident-related documents and other files) collected from employee workstations, network devices and other computer infrastructure objects in order to detect and stop a potential incident from developing into an attack as early as possible. For monitoring and collecting data, specialists can use SIEM (Security information and event management) solutions and EDR (Endpoint detection and response) products, such as Kaspersky Unified Monitoring and Analysis Platform, as well as firewalls and intrusion detection systems (IPS), and user and entity behavior analytics (UEBA) systems.

Having received data that may indicate a possible incident, SOC specialists determine whether there is a threat and, if so, what its parameters are, such as the type (e.g., unwanted content, unauthorized access, information leakage) or source (e.g., on which computer the spyware was detected). If a possible incident is detected, measures are taken to eliminate it and minimize damage.

Despite the fact that many functions of various SIEM solutions are automated, the expertise of a computer security specialist is still used to correctly identify an incident, which can lead to missing possible incidents, since a person may not always have access to up-to-date information regarding the most recent incidents and related artifacts. Increasing the number of sources of information related to incidents also does not always help in solving the problem, because it takes time to add them to the SOC. In addition, the specialists themselves may not always have enough time and expertise to select and process important artifacts, since there may be thousands of artifacts themselves. This problem is especially relevant in the case of an APT attack (Advanced Persistent Threat), when incident patterns may be unknown to both SOC specialists and SIEM solutions.

There are various automatic systems for processing information on computer incidents. For example, the system proposed in patent US 8776241 is used to investigate information security incidents. The core of this system allows you to determine the causes of an incident and apply appropriate measures to correct the consequences and prevent this incident from occurring in the corporate network. The effectiveness of this system is also achieved due to the ability to interpret system events and system log entries in an accessible and convenient form. The system allows you to build connections between system events and store only the information necessary to determine the persons guilty of violating the security policy and identify vulnerabilities in the corporate network infrastructure due to which a security incident could have occurred. The key feature of the technology is the construction of event chains. The patent description contains several examples of building these chains. Among them is tracking events in chronological order, when events recorded in the corporate network are sorted by time and analyzed in a given order. Another example of creating chains is based on the connections between computers and system events. Two computers are considered linked if they have events recorded with the same computer system object, such as a file or link.

However, the system cannot solve the problem described above, which is related to the lack of time and expertise on the part of both specialists and information systems. Threat researchers often publish the results of their investigations (attackers' tactics, methods, and procedures) on the Internet in the form of reports, presentations, blog articles, tweets, and other content. It takes a long time before this knowledge is systematized and applied within SOC teams and SIEM solutions.

Another problem with using SIEM solutions is the limited amount of data transferred from endpoints (or hosts) of users to SIEM solution servers. A large number of events occur on the user's endpoint: creating new streams, creating/opening files (including temporary ones), using synchronization objects, working with registry keys. Security agents installed on endpoints (usually EDR products) filter most of these events when transmitting them to the SIEM solution. But in complex cases (for example, APT attacks or information leakage by an insider), the filtered information can be critical. There is a need to use SOC expertise directly on the endpoint (the user's endpoint).

Thus, known technologies have shortcomings that prevent a full solution to the stated technical problem, which is why the need for the stated invention arises.

Disclosure of the essence of the invention

The technical result consists in reducing the time of collection and increasing the level of processing of information (artifacts) during the investigation of an information security incident.

In an embodiment, a method is used for automatically composing queries and responses to a large language model on issues related to computer security, which includes the following steps: receiving input data from a security agent on a host; selecting one or more phrases from the input data; composing at least one text query from the selected phrases; sending each text query to a large language model; receiving a response from a large language model; selecting key phrases from the received response from the large language model; storing the context in the form of queries and responses for transmission to another large language model located outside the host.

In another implementation, a text query is generated to a large language model in natural language.

Another implementation involves extracting key phrases from a response from a large language model using natural language processing libraries.

Another implementation option extracts key phrases from a response from a large language model using a set of regular expressions.

In another implementation, the input data from the elements of the information security monitoring center is in JSON format.

In another embodiment, the input data from the elements of the information security monitoring center is in XML format.

Brief description of the drawings

Additional objects, features and advantages of the present invention will be apparent from reading the following description of the embodiment of the invention with reference to the accompanying drawings, in which:

Fig. 1A shows a diagram of the operation of the present invention.

Fig. 1B shows a diagram of the operation of the present invention when using a large language model on a user's end device.

Fig. 2A shows the mode of operation of the present invention.

Fig. 2B illustrates a method of operation of the present invention when running a large language model on a host.

Fig. 3 shows an example of a computer system with which the present invention can be implemented.

Implementation of the invention

The objects and features of the present invention, the methods for achieving these objects and features will become apparent by reference to exemplary embodiments. However, the present invention is not limited to the exemplary embodiments disclosed below, it can be embodied in various forms. The description provided is intended to help a person skilled in the art to fully understand the invention, which is defined only within the scope of the appended claims.

Glossary

Security Operations Center (SOC) is a structural unit of an organization responsible for operational monitoring of the IT environment and prevention of information security incidents (hereinafter referred to as incidents). SOC specialists collect and analyze data from various infrastructure objects of the organization and, upon detection of suspicious activity, take measures to prevent an attack. The following elements are used for monitoring and data collection: SIEM solutions, EDR products, NDR and similar ones (hereinafter referred to as SOC elements). In addition, SOC also uses services such as the Threat Intelligence Platform.

SIEM (Security Information and Event Management) is a class of software products designed to collect and analyze information about security events. The tasks of a SIEM solution include:

monitor real-time alarms from network devices and applications;

process the received data and find relationships between them;

identify deviations from the normal behavior of controlled systems;

Notify SOC specialists about detected incidents.

EDR (Endpoint Detection & Response) is a class of solutions for detecting and studying malicious activity on endpoints: network-connected workstations, servers, Internet of Things (IoT) devices, and so on.

SOC specialist (information security specialist) is an employee responsible for collecting and analyzing data related to incidents. As a rule, information security specialists work within the SOC with SIEM, EDR and other data collection and incident tracking products.

Indicator of Compromise (IoC) - in the field of computer security, an object or activity observed on a network or a specific device that, with a high degree of probability, indicates unauthorized access to the system, which also indicates a compromise of the object or activity.

For example, the following serve as indicators of compromise:

unusual DNS queries;

suspicious files, applications and processes;

IP addresses and domains belonging to botnets or malware command servers;

a significant number of attempts to access an account (attempts to brute force passwords);

suspicious activity in administrator or privileged user accounts;

unexpected software update;

installation of unauthorized (illegitimate) software;

data transfer through rarely used ports;

atypical human behavior on a website;

signature or hash of the malware;

unusual size of HTML responses;

unauthorized modification of configuration files, registries or device settings;

a large number of unsuccessful login attempts.

A large language model (LLM) is a language model consisting of a neural network with many parameters (usually billions of weights or more) trained on a large amount of text.

Fig. 1A shows the operation diagram of the present invention. Information security specialists 101 , SOC elements 102 interact with the trained large language model (hereinafter referred to as LLM) 105 via the request handler 104. The SOC elements 102 are SIEM solutions, EDR products and similar ones. In one embodiment, the information security specialist 101 interacts with the LLM 105 via the web interface of the handler 104. The SOC elements 102 collect data from the endpoints 107 of the enterprise infrastructure 106 to collect and analyze information about security events. An example of endpoints 107 are computers (hosts) and devices such as smartphones, routers, IoT devices. In a preferred embodiment, EDR solutions are installed on the endpoints 107 .

The infrastructure of the enterprise 106 may also contain other devices not shown in Fig. 1A , namely, ACS (access control and management systems), SCADA (Supervisory Control And Data Acquisition), PLC (Programmable Logic Controller) units and other software and hardware systems of a modern enterprise.

In one embodiment, LLM 105 operates based on natural language queries. In this case, handler 104 performs the functions of translating input/output queries from SOC elements into the input format required by LLM and vice versa (e.g., JSON/XML).

In another implementation, LLM 105 is additionally trained on texts taken from various blogs, articles, and publications related to information security incidents (e.g., DFIR Report) and threat research (e.g., securelist.com).

The handler 104 is also used to store the context that is used when interacting with the LLM 105 in the form of requests and responses in order to maximize the efficiency of interaction with the LLM 105. The context includes all previously made requests to the LLM 105 as well as the responses received.

In one embodiment, the handler 104 is implemented using natural language processing libraries such as SpaCy, NTLK, and others. In another embodiment, the handler 104 uses a set of regular expressions to extract text elements from the received responses from the LLM 105. A token, N-gram, or lexeme is used as a text element.

Information security specialists 101 and SOC elements 102 transmit to the processor 104 data collected from one or more devices 107 about:

modules configured for automatic execution (autorun);

running processes and their command lines;

events from operating system (hereinafter referred to as OS) logs: installation of services, process launches, execution of PowerShell scripts, etc.;

events from application logs (antivirus, browser or remote system management tool);

meta-information on files (both processes and system files): name, path, hash, meta-information from the manifest (original name, description, developer name), information on the digital signature, lines from the file, debug information, section names, disassembled/decompiled code of entry points into the executable file (or exported DLL function library), part of the text file of the script;

information about the execution of a file (for example, in an emulator or in a virtual machine), which includes a log of calls to system API functions and their arguments, as well as additional information such as open file descriptors.

LLM 105 cannot correctly accept such data as input, so handler 104 converts this data into requests of this type:

Is the following Windows service name '$ServiceName' with the following startup string '$Servicecmd' an indicator of compromise?

Are any of the following Windows services and their corresponding command lines indicators of compromise?

[

{

"ServiceName": "ServiceName1",

“Servicecmd”: “Servicecmd1”

},

{

"ServiceName": "ServiceName2",

“Servicecmd”: “Servicecmd2”

},

]

The answer from LLM 105 includes a text description that can be easily interpreted by the IS Specialist 101. Sample answer:

“ Yes, the specified combination of running process and command line may be an indicator of compromise .”

LLM 105 also provides information to support the answer, such as:

“ The metadata was indicators of compromise, such as “the command line is trying to download a file from an external server” or “it is using the -ep bypass flag, which tells PowerShell to bypass standard security checks.”

The handler 104 interprets the response from the LLM 105 by extracting key phrases. An example of such a phrase is a response including the words “yes”, which gives an affirmative answer to the initial requests. In addition, to simplify the interpretation of the response from the LLM 105 , the handler 104 additionally inserts the following text to the request:

Your response should be a json object with the following structure:

{short_answer:”yes/no”,

long_answer_with description:full_text,

other_data_required_to_investigate_incident:full_text

}

When such key phrases are detected, the 104 handler:

transmits an alarm signal (alert) to SOC elements 102 , as well as to the information security specialist 101 ;

sends a request to collect additional data from one of the devices 107 on which the initial data for the request was collected;

triggers (serves as a trigger) for response measures (e.g. blocking one or more hosts 107 ).

Thus, the handler 104 works with the LLM 105 using a question-answer pattern, where, within the framework of requests to the LLM 105 , it uses key phrases to formulate questions, and when analyzing the responses from the LLM 105, it relies on the search for key phrases to find an affirmative answer to the original question or to determine the need for additional questions.

Fig. 1B shows a diagram of the operation of the present invention when using a large language model on a user's end device.

On one or more hosts 107, in addition to the security agent 110, an agent LLM 112 and a request handler 111 are installed. In one embodiment, an EDR solution, such as Kaspersky Endpoint Security for Windows/Linux, acts as the security agent 110 .

From agent 110, a large amount of information can be obtained on events that occur in the OS on host 107 . The list of events is available as an event log or via an API and includes at least one of:

working with the file system - primarily opening files for writing;

working with the registry;

launching threads in controlled processes;

remote procedure call;

Windows Management Instrumentation (WMI) call;

opening network connections.

A huge flow of such events is processed using agent 110 only on the host side 107 , only a part of these events is transmitted to the side of SOC elements 102 according to certain filters.

Request handler 111 is similar to request handler 104 . In one embodiment, agent LLM 112 differs from LLM 105 in a number of parameters due to the limited resources of host 107 .

The creation of such models as LLM involves two stages - first, a large language model is trained every few days/weeks/months at the pretraining stage. This stage is very resource-intensive - several thousand specialized calculation accelerators (or GPUs) can be used, the process takes from several days to weeks. The output is a base model, which has a configured set of several billion weights.

At the second stage, which can happen every few days, fine tuning is done, when the model processes feedback on requests to the base model with the help of experts. The output is an assistant model. Both the second assistant model and the base model (preferably) are used as an agent LLM 112 .

Domain adaptation can be used for work in the field of information security using P-Tuning, LoRA, QLoRA and other technologies. Information security experts, in particular SOC experts 101 , work on such adaptation.

Agent LLM 112 can be created from open models: Llama 2, MPT-7B, Falcon and others, including derivative models (for example, Meta LLaMA 2-chat). These models represent a ready-made basic model that needs to be trained at the fine-tuning stage. In addition, they have various parameters, the key one being the size of the model - it has a size of several billion parameters (weights) and can reach tens of billions.

Due to limited resources on host 107 , the agent LLM 112 model is selected that will not heavily load current resources (primarily memory/video memory). Fine tuning of the agent LLM 112 includes work only with the information that can be obtained from agent 110 - first of all, this is data on file operations, work with the registry, etc.

In one embodiment, before installing the agent LLM 112 on the host 107 , the presence of a specialized accelerator and the amount of memory that can be used are checked. For example, as shown in Table 1.

Table 1 Video memory capacity Size of model parameters < 48 GB 7 billion 49 - 72 GB 13 billion 73 - 128 GB 70 billion

After network quantization, the memory consumption is significantly reduced. For example, for the Q5_K_S quantization method, it is presented in Table 2.

Table 2 Model type Memory capacity Llama-2-7B 7.15 GB Llama-2-13B 11.47 GB Llama-2-70B 33.07 GB

Another implementation option uses a dedicated LLM accelerator (e.g. Instinct MI300X, Intel Gaudi2).

In other embodiments, the agent LLM 112 may be deployed outside of the host 107 .

Other options for fine-tuning the agent LLM 112 depend on the host role 107 and the agent 110 used. For the mail server, fine-tuning will involve processing data associated with mail messages (to detect phishing and spam).

In one embodiment, the agent 110 has an already configured agent LLM 112 for installation on the target host 107 . In other embodiments, the agent LLM 112 is installed on the host 107 separately and runs as a separate process. Work with the agent LLM 112 occurs through the request handler 111 , which can be connected via an API to the agent 110 .

The agent LLM 112 has the ability to use previously saved context from the agent 110 in the form of such tools as RAG (retrieval-augmented generation) - generation with advanced search. In this case, the agent LLM 112 gets access to saved logs from the agent 110 to obtain the most relevant information on events on the host 107. For example, when requesting through the request handler 111 in the form:

Is the combination of process “C:\Users\User01\AppData\Local\Temp\dOlnolh.exe” and command line “ - EgUxRCdQ” is an indicator of compromise?

Additionally, information about all previously launched processes (services), previously marked flags of compromise on the system that occurred over a long period of time is loaded. This allows processing complex variants of attacks that can occur over weeks or even months.

Tools like llama_index allow loading data from agent 110 even in the form of machine-readable data, without using the 111 query handler directly. Database dumps, CSV, JSON, XML, Parquet data formats and others are used as data.

In another embodiment, the agent LLM 112 makes a call to the LLM 105 through the request handler 104. In another embodiment, the LLM 105 has access to the context of the agent LLM 112 when working with the agent 110 .

Additionally, the agent LLM 112 can expand the functionality of the interaction of agent 110 with SOC 102 elements. For example, agent 110 has an implementation in the form of an EDR solution that sends a limited set of logs to the SIEM system, which does not allow collecting the entire full picture of a possible incident. In this case, the agent LLM 112 is used to collect and process all event logs that the EDR solution uses. This will automate a number of actions that are usually performed by specialist 101. Examples may be:

If, while analyzing logs, agent LLM 112 detects suspicious behavior of an executable that was discovered by agent 110 , agent LLM 112 can query the tool, retrieve the file from host 107 , and request its analysis in the sandbox to then provide more context for incident analysis.

Agent LLM 112 can make requests to the Kaspersky Threat Intelligence Portal service (or other similar solutions such as MISP, AlienVault OTX) to obtain advanced statistics on a file or URL.

Agent LLM 112 makes an additional request to the Kaspersky Threat Intelligence Portal based on available information about criminal groups that used malicious tools (files and URL links, vulnerabilities found, etc.) that were detected using agent 110 . This will also save time for specialists 101 .

The agent LLM 112 may perform the functions of the agent 110 to close vulnerabilities using the Patch Management system if it is not used directly by the agent 110 .

When a suspicious file is detected on host 107 using agent 110, agent LLM 112 will take on the functions of analyst 101 to collect information about the method of obtaining the file. For example, if the file appeared on the disk after being saved from an email attachment, then agent LLM 112 can make a request to the mail server to collect information about this mailing and transfer it as part of the incident to the SOC side 102 .

Fig. 2A shows the mode of operation of the present invention.

At step 201, input data is received by the security information monitoring center (SOC). Typically, SOC elements 102 collect input data (examples of collected data are described above) from endpoints 107 of the enterprise infrastructure 106 .

At step 202, a query is generated in LLM 105. Since queries to LLM 105 are generated in natural language, the handler 104 adds the following key phrases to the input data:

“ Is the combination of: ” - specifies the list of required data,

“ is an indicator of compromise ”, “ is a threat ”, “ is an attack ”, “ is a cyber attack ”, “ is malicious action/file ” - a question about the threat,

“ think it step by step ” - a requirement to give an answer broken down into steps,

“ is presence file on disk ” - a request for a specific file.

The specified phrases are stored both in the handler 104 itself (for example, in the form of a list) and in a separate database (not shown in Fig. 1A ).

Queries, for example, may look like:

Is the combination of process “C:\Users\User01\AppData\Local\Temp\dOlnolh.exe” and command line “ -EgUxRCdQ” is an indicator of compromise?

According to the submitted request, the input data are:

Object type Object Process C:\Users\User01\AppData\Local\Temp\dOlnolh.exe Command line -EgUxRCdQ

The process and its launch command line data were obtained from EDR installed on one of the hosts 107 . Handler 104 lists the specified objects in the request and adds the above key phrases to form a natural language request.

In step 203, the processor 104 receives the response from the LLM 105 and analyzes it. Since the LLM 105 produces a response in the form of natural language text, the processor 104 uses connected natural language processing libraries, such as SpaCy or NTLK, to extract the desired terms and phrases. The analysis includes the extraction of previously known phrases or text elements. A token, N-gram, or lexeme is used as a text element. In one embodiment, the extraction of known phrases is implemented using regular expressions.

At step 204 it is determined whether a threat has been identified based on the response from LLM 105 . The criterion for identifying a threat is the presence of certain phrases in the response. One implementation option is based on searching for the words " yes " and other affirmative response options in the response. Other key phrases are: " This could be an indicator of compromise ", " This is suspicious behaviour". If a threat has been identified, then at step 205 the necessary artifacts are collected using SOC elements 102 and the incident/threat is further analyzed within the SOC with the involvement of specialists 101 .

If certain phrases were not determined at step 204 , then proceed to step 206 .

At step 206 it is determined whether further data is needed for LLM 105 . The key phrases in this case are: "should be further investigated ", "additional data required ", " necessary to analyze further " and other similar phrases. These phrases are stored both in the processor 104 itself (e.g., as a list) and in a separate database (not shown in Fig. 1A ). In addition, the type of information required is analyzed depending on the presence of the following words:

Endpoint, host, local - means the need to collect information from hosts 107 .

Registry - information from the registry is required.

File - file activity information is required.

Network - information about network activity is required.

Process - information about processes is required.

Autorun - additional information about autorun keys is required.

PowerShell - additional analysis of PowerShell scripts is required.

In addition, the context associated with these words is analyzed. For example, the word " process " may be qualified with the qualification " running process ", which means only running processes.

In the event that the handler 104 was unable to identify what additional data may be needed, then the method terminates at step 207 .

After determining the necessary additional information, proceed to step 208 .

At step 208, additional information is collected from one of the SOC elements 102. For example, an EDR solution is used to collect information from one of the hosts 107. The method then repeats from step 202 with the new collected data until the method finishes its work either at step 205 or at step 207 .

LLM 105 in Fig. 1A can be further trained. On one or several target hosts 107 (these can be virtual machines and sandbox-type objects) a targeted infection with known examples (samples) of malware occurs. For example, the PowerShell Empire framework can be installed and several typical malicious procedures can be launched. After this, the method in Fig. 2A is performed to select the necessary requests and responses from LLM 105 .

For example, in response to the request:

Is the following is indicator of compromise:

Launch String: “C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe” -NonI -W hidden -c “IEX ([Text.Encoding]::UNICODE.GetString([Convert]::FromBase64String(( gp HKCU:\Software\Microsoft\Windows\CurrentVersion debug).debug)))”

LLM 105 gives the following answer:

Yes, this could be an indicator of compromise. It is possible that the attacker has created a malicious task in the registry to launch PowerShell with a hidden flag and encoded base64 string. This code could potentially execute malicious commands on the system, such as installing malware or stealing data. In order to confirm if this indeed is an indicator of compromise, it would be necessary to analyze the script further and look for other clues that indicate malicious activity.

This answer means:

“Yes, this could be an indicator of compromise. It is possible that the attacker has created a malicious task in the registry to launch PowerShell with a hidden flag and a base64 encoded string. This code could potentially execute malicious commands on the system, such as installing malware or stealing data. In order to confirm whether this is indeed an indicator of compromise, it is necessary to analyze the script further and look for other signs that indicate malicious activity.”

By running several consecutive queries to LLM 105 with different parameters that relate to malicious activity on hosts 107 and receiving the necessary responses, it is possible to supplement the context that will be used when retraining / additionally training LLM 105 .

Fig. 2B illustrates a method of operation of the present invention when running a large language model on a host.

At step 211, input data is received from the security agent 110 . The input data may be an event log or a call to an API function that is provided by the agent 110 .

At step 212 , a request is generated for the agent LLM 112. Since requests for the agent LLM 112 are generated in natural language, the handler 111 adds the following key phrases to the input data:

“ Is the combination of: ” - specifies the list of required data,

“ is an indicator of compromise ”, “ is a threat ”, “ is an attack ”, “ is a cyber attack ”, “ is malicious action/file ” - a question about the threat,

“ think it step by step ” - a requirement to give an answer broken down into steps,

“ is presence file on disk ” - a request for a specific file.

The specified phrases are stored both in the handler 111 itself (for example, in the form of a list) and in a separate database (not shown in Fig. 1B ).

Queries, for example, may look like:

Is the combination of process “C:\Users\User01\AppData\Local\Temp\dOlnolh.exe” and command line “ -EgUxRCdQ” is an indicator of compromise?

According to the submitted request, the input data are:

Object type Object Process C:\Users\User01\AppData\Local\Temp\dOlnolh.exe Command line -EgUxRCdQ

In another implementation option, tools like llama_index allow loading data from agent 110 even in the form of machine-readable data, without using handler 111 directly. Database dumps, CSV, JSON, XML, Parquet data formats and others are used as data.

At step 213, the handler 111 receives the response from the agent LLM 112 and analyzes it. Since the agent LLM 112 produces a response in the form of natural language text, the handler 111 uses connected natural language processing libraries, such as SpaCy or NTLK, to extract the desired terms and phrases. The analysis includes the extraction of previously known phrases or text elements. A token, N-gram, or lexeme is used as a text element. In one embodiment, the extraction of known phrases is implemented using regular expressions.

At step 214 it is determined whether a threat has been identified based on the response from the agent LLM 112 . The criterion for identifying a threat is the presence of certain phrases in the response. One implementation option is based on searching for the words " yes " and other affirmative response options in the response. Other key phrases are: " This could be an indicator of compromise ", " This is suspicious behaviour ". If a threat has been identified, then at step 215 the necessary artifacts are collected using agent 110 and with the involvement of specialists 101 .

If certain phrases were not determined at step 214 , then step 216 is reached. The key phrases in this case are: " should be further investigated", "additional data required ", " necessary to analyze further " and other similar phrases. These phrases are stored both in the processor 111 itself (e.g., as a list) and in a separate database (not shown in Fig. 1B ). Additionally, the type of information required is analyzed depending on the presence of the following words:

Endpoint, host, local - means the need to collect information from hosts 107 .

Registry - information from the registry is required.

File - file activity information is required.

Network - information about network activity is required.

Process - information about processes is required.

Autorun - additional information about autorun keys is required.

PowerShell - additional analysis of PowerShell scripts is required.

In addition, the context associated with these words is analyzed. For example, the word " process " may be qualified with the qualification " running process ", which means only running processes.

At step 216, the LLM 105 is contacted, as described in detail in Fig. 2A . In this case, the use of the agent LLM 112 on the host 107 allows for a reduction in the load on the LLM 105 , the detection of more events, and the provision of more data for subsequent incident detection. The entire context of the interaction between the agent and the agent LLM 112 on the host will be used to contact the LLM 105. The context includes the set of requests and responses from the agent LLM 112 when interacting with the agent.

Fig. 3 shows a computer system on which various embodiments of the systems and methods disclosed in this document can be implemented. The computer system 20 can be a system configured to implement the present invention and can be represented as a single computing device or as multiple computing devices, such as a desktop computer, a portable computer, a notebook, a server, a mainframe, an embedded device, and other forms of computing devices.

As shown in Fig. 3 , the computer system 20 includes: a central processor 21 , a system memory 22 and a system bus 23 that connects various system components, including memory associated with the central processor 21 . The system bus 23 is implemented as any bus structure known in the art, which in turn contains a bus memory or a bus memory controller, a peripheral bus and a local bus capable of interacting with any other bus architecture. Examples of buses are: PCI, ISA, PCI-Express, HyperTransport™, InfiniBand™, Serial ATA, I2C and other suitable connections between components of the computer system 20 . The central processor 21 contains one or more processors having one or more cores. The central processor 21 executes one or more sets of machine-readable instructions that implement the methods presented in this document. The system memory 22 may be any memory for storing data and/or computer programs executed by the central processor 21 . The system memory may contain both a read-only memory (ROM) 24 and a random access memory (RAM) 25 . The main input/output system (BIOS) 26 contains the main procedures that ensure the transfer of information between elements of the computer system 20 , for example, at the time of loading the operating system using the ROM 24 .

The computer system 20 includes one or more data storage devices, such as one or more removable storage devices 27 , one or more non-removable storage devices 28 , or combinations of removable and non-removable devices. One or more removable storage devices 27 and/or non-removable storage devices 28 are connected to the system bus 23 via the interface 32. In one embodiment, the removable storage devices 27 and the corresponding computer-readable storage media are non-volatile modules for storing computer instructions, data structures, program modules and other data of the computer system 20. The system memory 22 , the removable storage devices 27 and the non-removable storage devices 28 can use various computer-readable storage media. Examples of computer-readable storage media include computer memory such as cache memory, SRAM, DRAM, Z-RAM, T-RAM, eDRAM, EDO RAM, DDR RAM, EEPROM, NRAM, RRAM, SONOS, PRAM; flash memory or other memory technologies such as solid-state drives (SSD) or flash drives; magnetic cassettes, magnetic tapes, and magnetic disks such as hard disks or floppy disks; optical media such as compact discs (CD-ROM) or digital versatile discs (DVD); and any other media that can be used to store desired data and that can be accessed by a computer system 20 .

The system memory 22 , the removable storage devices 27 and the non-removable storage devices 28 contained in the computer system 20 are used to store the operating system 35 , applications 37 , other program modules 38 and program data 39. The computer system 20 includes a peripheral interface 46 for transmitting data from input devices 40 , such as a keyboard, mouse, stylus, game controller, voice input device, touch input device, or other peripheral devices, such as a printer or scanner through one or more input/output ports, such as a serial port, parallel port, universal serial bus (USB) or other peripheral interface. A display device 47 , such as one or more monitors, projectors or built-in displays, is also connected to the system bus 23 through an output interface 48 , such as a video adapter. In addition to the display devices 47 , the computer system 20 is equipped with other peripheral output devices (not shown in Fig. 3 ), such as speakers and other audiovisual devices.

The computer system 20 may operate in a network environment using a network connection with one or more remote computers 49. The remote computer (or computers) 49 is a working personal computer or a server that contains most or all of the components mentioned earlier in the description of the essence of the computer system 20 shown in Fig. 3. Other devices may also be present in the network environment, such as routers, network stations or other network nodes. The computer system 20 may include one or more network interfaces 51 or network adapters for communicating with the remote computers 49 via one or more networks, such as a local area network (LAN) 50 , a wide area network (WAN), an intranet and the Internet. Examples of a network interface 51 are an Ethernet interface, a Frame Relay interface, a SONET interface and wireless interfaces.

Embodiments of the present invention may be a system, a method, or a computer-readable storage medium (or carrier).

A computer-readable storage medium is a tangible device that stores and stores program code in the form of computer-readable instructions or data structures that are accessible to the central processor 21 of the computer system 20. The computer-readable storage medium may be an electronic, magnetic, optical, electromagnetic, semiconductor memory device, or any suitable combination thereof. As an example, such a computer-readable storage medium may include random access memory (RAM), read-only memory (ROM), EEPROM, a portable compact disc with read-only memory (CD-ROM), a digital versatile disc (DVD), flash memory, a hard disk, a portable computer diskette, a memory card, a floppy disk, or even a mechanically encoded device such as punched cards or relief structures with instructions recorded thereon.

The system and method of the present invention can be considered in terms of means. The term "means" as used herein refers to an actual device, component or group of components implemented by hardware, such as an application-specific integrated circuit (ASIC) or FPGA, or as a combination of hardware and software, such as a microprocessor system and a set of machine-readable instructions for implementing the functionality of the means, which (when executed) transform the microprocessor system into a special-purpose device. The means can also be implemented as a combination of these two components, whereby some functions can be implemented only by hardware, and other functions - by a combination of hardware and software. In some embodiments, at least part, and in some cases all, of the means can be executed on the central processor 21 of the computer system 20. Accordingly, each means can be implemented in various suitable configurations and should not be limited to any particular embodiment given herein.

Finally, it should be noted that the information provided in the description is examples that do not limit the scope of the present invention defined by the claims. It will be clear to one skilled in the art that in developing any actual embodiment of the present invention, many decisions specific to a particular embodiment must be made in order to achieve specific goals, and these specific goals will be different for different embodiments. It is understood that such development efforts can be complex and time-consuming, but, nevertheless, they will be a routine engineering task for those of ordinary skill in the art, using the present disclosure.

Claims (13)

1. A computer-implemented method for automatically generating queries and responses to a large language model on issues related to computer security, comprising steps performed on a host representing a user's end device, in which: a) receive input data from the security agent located on the above-mentioned host; b) select one or more phrases from the input data; c) make up at least one text query from the selected phrases; d) send each text query to a large language model located on the above-mentioned host; d) receive a response from a large language model; e) extract key phrases from the response received from a large language model; g) if the key phrases in step e) were not determined, save the context in the form of requests and responses from steps c) and e) and pass this context to another large language model located outside the host. 2. The method according to item 1, in which a text query is composed for a large language model in natural language. 3. The method according to claim 1, wherein key phrases are extracted from the response from a large language model using natural language processing libraries. 4. The method according to claim 1, wherein key phrases are extracted from the response from a large language model using a set of regular expressions. 5. The method according to item 1, wherein the input data from the elements of the information security monitoring center are in JSON format. 6. The method according to claim 1, wherein the input data from the elements of the information security monitoring center are in XML format.