Search

US-12627689-B2 - Large language model (LLM) powered detection reasoning solution

US12627689B2US 12627689 B2US12627689 B2US 12627689B2US-12627689-B2

Abstract

Various techniques for LLM powered detection reasoning solutions are disclosed. In some embodiments, a system, a process, and/or a computer program product for an LLM powered detection reasoning solution includes monitoring network traffic at a security platform, wherein the security platform generates a sample based on the monitored network traffic; sending the sample to a security service to generate a Large Language Model (LLM) powered detection and reason, wherein the LLM is prompted to automatically generate a malware or benign verdict and a reason for explaining the verdict; and reporting the LLM powered detection and reason.

Inventors

  • Zhibin Zhang
  • Yu Fu
  • Yuwen Dai
  • Qian Feng
  • Zhemin Su
  • Mei Wang

Assignees

  • PALO ALTO NETWORKS, INC.

Dates

Publication Date
20260512
Application Date
20240118

Claims (18)

  1. 1 . A system, comprising: a processor configured to: monitor network traffic at a security platform, wherein the security platform generates a sample based on the monitored network traffic; send the sample to a security service to generate a Large Language Model (LLM) powered detection and reason, wherein the LLM powered detection and reason is prompted to automatically generate a malware or benign verdict and a reason for explaining the malware or benign verdict, wherein the generating of the LLM comprises to: generate, based on samples associated with malicious HyperText Transfer Protocol (HTTP) request headers with command injection, a plurality of prompts for training the LLM for malware detection reasoning; and train the LLM based on the plurality of prompts; and report the LLM powered detection and reason; and a memory coupled to the processor and configured to provide the processor with instructions.
  2. 2 . The system of claim 1 , wherein LLM powered detection and reason is associated with an inline security service.
  3. 3 . The system of claim 1 , wherein LLM powered detection and reason is associated with an offline security reporting service.
  4. 4 . The system of claim 1 , wherein the security platform includes an endpoint agent, a Domain Name System (DNS) proxy, a network gateway firewall (NGFW), and/or an internal gateway hosted on a remote network associated with a cloud security service.
  5. 5 . The system of claim 1 , further comprising to: generate a malware verdict for the sample based on the LLM powered detection and reason.
  6. 6 . The system of claim 1 , further comprising to: generate a benign verdict for the sample based on the LLM powered detection and reason.
  7. 7 . The system of claim 1 , further comprising to: generate a malware verdict for the sample based on the LLM powered detection and reason; and generate a human understandable explanation for the malware verdict based on the LLM powered detection and reason.
  8. 8 . The system of claim 1 , further comprising to: generate a benign verdict for the sample based on the LLM powered detection and reason; and generate a human understandable explanation for the benign verdict based on the LLM powered detection and reason.
  9. 9 . A method, comprising: monitoring network traffic at a security platform, wherein the security platform generates a sample based on the monitored network traffic; sending the sample to a security service to generate a Large Language Model (LLM) powered detection and reason, wherein the LLM powered detection and reason is prompted to automatically generate a malware or benign verdict and a reason for explaining the malware or benign verdict, wherein the generating of the LLM comprises: generating, based on samples associated with malicious HyperText Transfer Protocol (HTTP) request headers with command injection, a plurality of prompts for training the LLM for malware detection reasoning; and training the LLM based on the plurality of prompts; and reporting the LLM powered detection and reason.
  10. 10 . The method of claim 9 , wherein LLM powered detection and reason is associated with an inline security service.
  11. 11 . The method of claim 9 , wherein LLM powered detection and reason is associated with an offline security reporting service.
  12. 12 . The method of claim 9 , wherein the security platform includes an endpoint agent, a Domain Name System (DNS) proxy, a network gateway firewall (NGFW), and/or an internal gateway hosted on a remote network associated with a cloud security service.
  13. 13 . The method of claim 9 , further comprising: generating a malware verdict for the sample based on the LLM powered detection and reason.
  14. 14 . The method of claim 9 , further comprising: generating a benign verdict for the sample based on the LLM powered detection and reason.
  15. 15 . The method of claim 9 , further comprising: generating a malware verdict for the sample based on the LLM powered detection and reason; and generating a human understandable explanation for the malware verdict based on the LLM powered detection and reason.
  16. 16 . The method of claim 9 , further comprising: generating a benign verdict for the sample based on the LLM powered detection and reason; and generating a human understandable explanation for the benign verdict based on the LLM powered detection and reason.
  17. 17 . A computer program product embodied in a non-transitory computer readable medium and comprising computer instructions for: monitoring network traffic at a security platform, wherein the security platform generates a sample based on the monitored network traffic; sending the sample to a security service to generate a Large Language Model (LLM) powered detection and reason, wherein the LLM powered detection and reason is prompted to automatically generate a malware or benign verdict and a reason for explaining the malware or benign verdict, wherein the generating of the LLM comprises: generating, based on samples associated with malicious HyperText Transfer Protocol (HTTP) request headers with command injection, a plurality of prompts for training the LLM for malware detection reasoning; and training the LLM based on the plurality of prompts; and reporting the LLM powered detection and reason.
  18. 18 . A system, comprising: a processor configured to: send a set of malware samples for training data input to a Large Language Model (LLM), wherein the set of malware samples are associated with malicious HyperText Transfer Protocol (HTTP) request headers with command injection; generate, based on the set of malware samples, a plurality of prompts to train the LLM for malware detection reasoning; train the LLM using the plurality of prompts; and deploy the LLM for the malware detection reasoning as an inline security service and/or an offline reporting security service; and a memory coupled to the processor and configured to provide the processor with instructions.

Description

BACKGROUND OF THE INVENTION Nefarious individuals attempt to compromise computer systems in a variety of ways. As one example, such individuals may embed or otherwise include malicious software (“malware”) in email attachments and transmit or cause the malware to be transmitted to unsuspecting users. When executed, the malware compromises the victim's computer. Some types of malware will instruct a compromised computer to communicate with a remote host. For example, malware can turn a compromised computer into a “bot” in a “botnet,” receiving instructions from and/or reporting data to a command and control (C&C) server under the control of the nefarious individual. One approach to mitigating the damage caused by malware is for a security company (or other appropriate entity) to attempt to identify malware and prevent it from reaching/executing on end user computers. Another approach is to try to prevent compromised computers from communicating with the C&C server. Unfortunately, malware authors are using increasingly sophisticated techniques to obfuscate the workings of their software. As one example, some types of malware use Domain Name System (DNS) queries to exfiltrate data. Accordingly, there exists an ongoing need for improved techniques to detect malware and prevent its harm. Techniques for detecting malware may be performed locally by a firewall or via a cloud service. BRIEF DESCRIPTION OF THE DRAWINGS Various embodiments of the invention are disclosed in the following detailed description and the accompanying drawings. FIG. 1 is a block diagram of an environment in which malicious traffic is detected or suspected in accordance with some embodiments. FIG. 2A illustrates an embodiment of a data appliance. FIG. 2B is a functional diagram of logical components of an embodiment of a data appliance. FIG. 3A is an architecture of a Large Language Model (LLM) powered detection reasoning solution for a security service in accordance with some embodiments. FIG. 3B is an example prompt for performing the training of the LLM powered detection reasoning solution for a security service in accordance with some embodiments. FIG. 4A is a functional diagram of logical components of an LLM powered detection reasoning solution in example use cases in accordance with some embodiments. FIG. 4B illustrates the verdict and reason returned from the LLM powered detection reasoning solution for a command injection attack in accordance with some embodiments. FIG. 4C illustrates the verdict and reason returned from the LLM powered detection reasoning solution for a command and control (C2) attack in accordance with some embodiments. FIG. 4D illustrates the verdict and reason returned from the LLM powered detection reasoning solution for another Empire C2 attack example in accordance with some embodiments. FIG. 4E illustrates an example of a report from an existing ATP system that does not utilize the LLM powered detection reasoning solution. FIG. 5 is a flow diagram of a process for an LLM powered detection reasoning solution in accordance with some embodiments. FIG. 6 is a flow diagram of a process for training an LLM powered detection reasoning solution in accordance with some embodiments. DETAILED DESCRIPTION The invention can be implemented in numerous ways, including as a process; an apparatus; a system; a composition of matter; a computer program product embodied on a computer readable storage medium; and/or a processor, such as a processor configured to execute instructions stored on and/or provided by a memory coupled to the processor. In this specification, these implementations, or any other form that the invention may take, may be referred to as techniques. In general, the order of the steps of disclosed processes may be altered within the scope of the invention. Unless stated otherwise, a component such as a processor or a memory described as being configured to perform a task may be implemented as a general component that is temporarily configured to perform the task at a given time or a specific component that is manufactured to perform the task. As used herein, the term ‘processor’ refers to one or more devices, circuits, and/or processing cores configured to process data, such as computer program instructions. A detailed description of one or more embodiments of the invention is provided below along with accompanying figures that illustrate the principles of the invention. The invention is described in connection with such embodiments, but the invention is not limited to any embodiment. The scope of the invention is limited only by the claims and the invention encompasses numerous alternatives, modifications and equivalents. Numerous specific details are set forth in the following description in order to provide a thorough understanding of the invention. These details are provided for the purpose of example and the invention may be practiced according to the claims without some or all of these specific details.