ALDExA: Automated LLM-Assisted Detection of CVE Exploitation Attempts in Host-Captured Data
| Main Authors: | Niclas Ilg, Maximilian Pfitzenmaier, Dominik Germek, Paul Duplys, Michael Menth |
|---|---|
| Format: | Article |
| Language: | English |
| Published: | IEEE, 2025-01-01 |
| Series: | IEEE Access |
| Subjects: | Common vulnerabilities and exposures; CVE detection; exploit code analysis; intrusion detection; large language models |
| Online Access: | https://ieeexplore.ieee.org/document/11018393/ |
| _version_ | 1850232369956519936 |
|---|---|
| author | Niclas Ilg Maximilian Pfitzenmaier Dominik Germek Paul Duplys Michael Menth |
| author_facet | Niclas Ilg Maximilian Pfitzenmaier Dominik Germek Paul Duplys Michael Menth |
| author_sort | Niclas Ilg |
| collection | DOAJ |
| description | Currently, the detection of Common Vulnerabilities and Exposures (CVE) exploitation attempts heavily depends on rule sets manually written for the detection unit. As the number of published CVEs increases each year, there is a need to advance automation efforts for CVE detection. For this purpose, we introduce ALDExA, a framework that fetches CVE information and corresponding exploit codes to identify an exploit string supported by a Large Language Model (LLM). An exploit string is a characteristic element of the analyzed attack and can be monitored during an actual exploitation attempt. As the novelty in this framework lies in the extraction capabilities of the LLM, we furthermore evaluate eight different models towards their performance in identifying a correct exploit string. We evaluate contemporary models in two experiments and find that they are, in up to 81% of the evaluated cases, capable of extracting a correct exploit string from the attack code. In addition, we propose a promising approach to increase the accuracy further and to automatically detect false predictions. As ALDExA is the first approach to fully automate the CVE detection pipeline, we also discuss remaining limitations and worthwhile areas of future research. |
| format | Article |
| id | doaj-art-c275f8a93a0c4ae99b5587eedc054a8c |
| institution | OA Journals |
| issn | 2169-3536 |
| language | English |
| publishDate | 2025-01-01 |
| publisher | IEEE |
| record_format | Article |
| series | IEEE Access |
| spelling | Record doaj-art-c275f8a93a0c4ae99b5587eedc054a8c (indexed 2025-08-20T02:03:13Z); eng; IEEE; IEEE Access, ISSN 2169-3536; published 2025-01-01; vol. 13, pp. 95379–95391; DOI 10.1109/ACCESS.2025.3575258; IEEE Xplore document 11018393; ALDExA: Automated LLM-Assisted Detection of CVE Exploitation Attempts in Host-Captured Data; authors: Niclas Ilg (https://orcid.org/0009-0009-8360-665X; Bosch Research, Renningen, Germany), Maximilian Pfitzenmaier (Chair of Communication Networks, University of Tuebingen, Tuebingen, Germany), Dominik Germek (Bosch Research, Hildesheim, Germany), Paul Duplys (https://orcid.org/0009-0003-4306-9702; Robert Bosch GmbH, Sector Mobility, Ludwigsburg, Germany), Michael Menth (https://orcid.org/0000-0002-3216-1015; Chair of Communication Networks, University of Tuebingen, Tuebingen, Germany); abstract identical to the description field above; https://ieeexplore.ieee.org/document/11018393/; keywords: Common vulnerabilities and exposures; CVE detection; exploit code analysis; intrusion detection; large language models |
| spellingShingle | Niclas Ilg Maximilian Pfitzenmaier Dominik Germek Paul Duplys Michael Menth ALDExA: Automated LLM-Assisted Detection of CVE Exploitation Attempts in Host-Captured Data IEEE Access Common vulnerabilities and exposures CVE detection exploit code analysis intrusion detection large language models |
| title | ALDExA: Automated LLM-Assisted Detection of CVE Exploitation Attempts in Host-Captured Data |
| title_full | ALDExA: Automated LLM-Assisted Detection of CVE Exploitation Attempts in Host-Captured Data |
| title_fullStr | ALDExA: Automated LLM-Assisted Detection of CVE Exploitation Attempts in Host-Captured Data |
| title_full_unstemmed | ALDExA: Automated LLM-Assisted Detection of CVE Exploitation Attempts in Host-Captured Data |
| title_short | ALDExA: Automated LLM-Assisted Detection of CVE Exploitation Attempts in Host-Captured Data |
| title_sort | aldexa automated llm assisted detection of cve exploitation attempts in host captured data |
| topic | Common vulnerabilities and exposures CVE detection exploit code analysis intrusion detection large language models |
| url | https://ieeexplore.ieee.org/document/11018393/ |
| work_keys_str_mv | AT niclasilg aldexaautomatedllmassisteddetectionofcveexploitationattemptsinhostcaptureddata AT maximilianpfitzenmaier aldexaautomatedllmassisteddetectionofcveexploitationattemptsinhostcaptureddata AT dominikgermek aldexaautomatedllmassisteddetectionofcveexploitationattemptsinhostcaptureddata AT paulduplys aldexaautomatedllmassisteddetectionofcveexploitationattemptsinhostcaptureddata AT michaelmenth aldexaautomatedllmassisteddetectionofcveexploitationattemptsinhostcaptureddata |