Abstract: The present disclosure provides methods, systems and computer readable media for training and implementing a generative machine learning model for identifying and mitigating security threats. Certain examples relate to generative model training, in which a training image is provided to a generative machine learning (ML) model in a training prompt, with an Indicator of Compromise (IoC) prediction instruction pertaining to the first security image. The model generates a predicted IoC and a parameter of the model is updated based on a loss function that quantifies error between a ground truth IoC and the predicted IoC. Other examples relate to the use of trained generative models for cybersecurity. A mitigation prompt comprising a second security image and an associated mitigation instruction is provided to a trained generative model. The model outputs an indication of a cybersecurity mitigation action based on the mitigation prompt, and the cybersecurity mitigation action is performed on the system.

Abstract: Disclosed is a machine learning model architecture that leverages existing large language models to analyze log files for security vulnerabilities. In some configurations, log files are processed by an encoder machine learning model to generate embeddings. Embeddings generated by the encoder model are used to construct graphs. The graphs are in turn used to train a graph classifier model for identifying security vulnerabilities. The encoder model may be an existing general-purpose large language model. In some configurations, the nodes of the graphs are the embedding vectors generated by the encoder model while edges represent similarities between nodes. Graphs constructed in this way may be pruned to highlight more meaningful node topologies. The graphs may then be labeled based on a security analysis of the corresponding log files. A graph classifier model trained on the labeled graphs may be used to identify security vulnerabilities.

Abstract: In network security systems, graph-based techniques can be used to identify, for any given security incident including a collection of security events, other incidents that are similar. In example embodiments, similarity is determined based on graph representations of the incidents in which security events are represented as nodes, using graph matching techniques or incident thumbprints computed from node embeddings. The identified similar incidents can provide context to inform threat assessment and the selection of appropriate mitigating actions.

Abstract: In network security systems, graph-based techniques may be employed to generate “thumbprints” of security incidents, which may thereafter be used, e.g., for threat actor attribution or the identification of similar incidents. In various embodiments, each security incident is represented by a graph in which security events correspond to nodes, and which encodes associated metadata in additional nodes and/or node/edge attributes. Graph representation learning may be used to compute node and/or edge embeddings, which can then be aggregated into the thumbprint of the incident.

Abstract: A computing system for generating automated responses to improve response times for diagnosing security alerts includes a processor and a memory. An application is stored in the memory and executed by the processor. The application includes instructions for receiving a text phrase relating to a security alert; using a natural language interface with a natural language model to select one of a plurality of intents corresponding to the text phrase; and mapping the selected intent to one of a plurality of actions. Each of the plurality of actions includes at least one of a static response, a dynamic response, and a task. The application includes instructions for sending a response based on the at least one of the static response, the dynamic response, and the task.