ALDExA: Automated LLM-Assisted Detection of CVE Exploitation Attempts in Host-Captured Data
Currently, the detection of Common Vulnerabilities and Exposures (CVE) exploitation attempts heavily depends on rule sets manually written for the detection unit. As the number of published CVEs increases each year, there is a need to advance automation efforts for CVE detection. For this purpose, w...
Saved in:
| Main Authors: | , , , , |
|---|---|
| Format: | Article |
| Language: | English |
| Published: |
IEEE
2025-01-01
|
| Series: | IEEE Access |
| Subjects: | |
| Online Access: | https://ieeexplore.ieee.org/document/11018393/ |
| Tags: |
Add Tag
No Tags, Be the first to tag this record!
|
| Summary: | Currently, the detection of Common Vulnerabilities and Exposures (CVE) exploitation attempts heavily depends on rule sets manually written for the detection unit. As the number of published CVEs increases each year, there is a need to advance automation efforts for CVE detection. For this purpose, we introduce ALDExA, a framework that fetches CVE information and corresponding exploit codes to identify an exploit string supported by a Large Language Model (LLM). An exploit string is a characteristic element of the analyzed attack and can be monitored during an actual exploitation attempt. As the novelty in this framework lies in the extraction capabilities of the LLM, we furthermore evaluate eight different models towards their performance in identifying a correct exploit string. We evaluate contemporary models in two experiments and find that they are, in up to 81% of the evaluated cases, capable of extracting a correct exploit string from the attack code. In addition, we propose a promising approach to increase the accuracy further and to automatically detect false predictions. As <monospace>ALDExA</monospace> is the first approach to fully automate the CVE detection pipeline, we also discuss remaining limitations and worthwhile areas of future research. |
|---|---|
| ISSN: | 2169-3536 |