Leveraging LLMs for Non-Security Experts in Threat Hunting: Detecting Living off the Land Techniques


Bibliographic Details
Main Authors: Antreas Konstantinou, Dimitrios Kasimatis, William J. Buchanan, Sana Ullah Jan, Jawad Ahmad, Ilias Politis, Nikolaos Pitropakis
Format: Article
Language: English
Published: MDPI AG, 2025-03-01
Series: Machine Learning and Knowledge Extraction
Subjects: LLMs; artificial intelligence; threat hunting; security automation
Online Access: https://www.mdpi.com/2504-4990/7/2/31
Description: This paper explores the potential use of Large Language Models (LLMs), such as ChatGPT, Google Gemini, and Microsoft Copilot, in threat hunting, specifically focusing on Living off the Land (LotL) techniques. LotL methods allow threat actors to blend into regular network activity, which makes detection by automated security systems challenging. The study seeks to determine whether LLMs can reliably generate effective queries for security tools, enabling organisations with limited budgets and expertise to conduct threat hunting. A testing environment was created to simulate LotL techniques, and LLM-generated queries were used to identify malicious activity. The results demonstrate that LLMs do not consistently produce accurate or reliable queries for detecting these techniques, particularly for users with varying skill levels. However, while LLMs may not be suitable as standalone tools for threat hunting, they can still serve as supportive resources within a broader security strategy. These findings suggest that, although LLMs offer potential, they should not be relied upon for accurate results in threat detection and require further refinement to be effectively integrated into cybersecurity workflows.
Volume 7, Issue 2, Article 31
DOI: 10.3390/make7020031
ISSN: 2504-4990
Author affiliations:
Antreas Konstantinou, Dimitrios Kasimatis, William J. Buchanan, Sana Ullah Jan, Nikolaos Pitropakis: Blockpass ID Lab, Edinburgh Napier University, Edinburgh EH10 5DT, UK
Jawad Ahmad: Cybersecurity Center, Prince Mohammad Bin Fahd University, Al-Khobar 34754, Saudi Arabia
Ilias Politis: Industrial Systems Institute, Research Center “ATHENA”, Patras Science Park Building, Platani, 265 04 Patras, Greece