Just a quick update from Lu. In a previous post, I wrote about leveraging a chat bot to shorten dwell time, actually two chat bots, to detect threats and anomalies. While significant in shortening detection time, the post did not address the analysis of data that was automatically translated into information.
But first, an explanation of a persona and its relation to large language models (LLMs):
“A persona in the context of artificial intelligence and large language models (LLMs) refers to an assumed identity or role that the AI takes on to interact more effectively with users. This persona is defined by specific characteristics, knowledge, and behaviors that align with the assigned role, ensuring the AI’s responses are contextually relevant and appropriate.
How a Role Can Be Assigned to a Persona
- Define the Role:
  - Clearly outline the role or identity the AI will assume. This includes specifying the profession, expertise, and any other relevant traits.
  - Example: A cybersecurity expert with expertise in using Volatility3 for memory forensics.
- Set Parameters and Context:
  - Configure the LLM with parameters that guide its responses within the scope of the role. This can include specific terminology, knowledge areas, and behavioral traits.
  - Example: The AI should use technical jargon related to cybersecurity, refer to tools like Volatility3, and focus on providing detailed analysis of memory dumps.
- Input Prompts and Guidelines:
  - Provide initial prompts and guidelines to establish the persona. These prompts help the AI understand the context and the expected style of interaction.
  - Example: “You are a cybersecurity expert using Volatility3. Analyze the provided memory dump for potential threats.”
How the Persona Tailors Responses from Large Language Models
- Contextual Relevance:
  - The persona ensures that the AI’s responses are relevant to the assigned role. It uses knowledge and terminology specific to the role, making interactions more precise and informative.
  - Example: When acting as a cybersecurity expert, the AI will discuss malware, memory forensics, and threat analysis rather than general computing topics.
- Consistency in Behavior and Language:
  - The persona maintains consistency in behavior and language. This means the AI will adopt a professional tone, use appropriate technical language, and follow the conventions of the assigned role.
  - Example: The AI will consistently refer to tools and methods used in cybersecurity, providing step-by-step analysis and recommendations.
- Enhanced User Experience:
  - By adopting a persona, the AI can provide a more engaging and useful experience for users. It helps build trust and ensures that users receive responses that are not only accurate but also contextually appropriate.
  - Example: A user seeking help with a cybersecurity issue will receive detailed, expert-level guidance, making the interaction more valuable and effective.
Example of Tailored Response
Without Persona:
- User: “Analyze this memory dump for threats.”
- AI: “Please provide more details about the memory dump. I can help you identify potential issues.”
With Persona (Cybersecurity Expert):
- User: “Analyze this memory dump for threats.”
- AI: “Based on the provided memory dump, I’ll use Volatility3 to scan for anomalies. Initial results show multiple drivers with null fields and suspicious names, which may indicate hidden or malicious drivers. Further analysis is required to confirm potential threats.”
In summary, a persona helps shape the AI’s responses by aligning them with the specific knowledge, behavior, and language expected from the assigned role, leading to more relevant, consistent, and valuable interactions for users.”
How to Request Cyber Security Support
I think that analogies are a good way to understand a concept.
- If you need your car fixed, you go to a mechanic
- If you need advice on your garden, you go to a master gardener
- If you need to create a special meal, you seek advice from a master chef
- If you need advice on cyber security with questions on computer memory analysis, you make a request of a chat engine for that specific role.
With ChatGPT or Llama3, this is no more complex than submitting the following prompt:
Assume the role of a cyber security expert with Volatility3. Are you OK with that role?
You now have a session in which you can request insight on questions about cyber security using Volatility3.
Bounding the Question
In previous posts, we have written about automating Volatility3 applications. A set of plugins is selected to transform data collected from a scan of a memory image. Once the information is collected, we start to build a report, and the result of transforming the data into information is placed into it. We then need to determine whether the information indicates a threat or anomaly. We ask our chat bot, which is an expert on cyber security and Volatility3, to determine what might be a threat or anomaly.
As an example, we have chosen the driverscan plugin provided by Volatility3.
“The driverscan plugin in Volatility3 is a tool used in memory forensics to identify and analyze kernel drivers loaded in a system’s memory. Volatility3 is a powerful open-source framework for memory analysis, and the driverscan plugin specifically helps in investigating the presence and behavior of drivers, which can be critical in identifying malicious activities or anomalies within a system. Here’s a detailed look at the driverscan plugin:
Purpose and Usage
The primary purpose of the driverscan plugin is to scan the memory dump of a system to identify and enumerate kernel drivers. This can include both legitimate drivers and potentially malicious ones that might have been loaded by malware.
Key Functions and Features
- Driver Enumeration:
  - The plugin scans the memory for loaded kernel drivers, providing a list of drivers found in the system’s memory.
- Information Retrieval:
  - For each identified driver, the plugin retrieves detailed information, such as:
    - Driver name
    - Base address (start)
    - Size of the driver in memory
    - Service key (associated registry key)
    - Path to the driver file
    - Offset in the memory dump
- Detection of Anomalies:
  - By analyzing the information retrieved, the plugin can help detect anomalies, such as:
    - Drivers with unusual names or no names
    - Drivers with null or unusual service keys
    - Drivers with zero size or abnormal sizes
    - Drivers loaded from suspicious or non-standard paths
- Comparison with Known Good Drivers:
  - Investigators can compare the list of drivers identified by the plugin with known good drivers to spot discrepancies or unauthorized drivers.
How It Works
- Memory Dump Analysis:
  - The plugin operates on a memory dump of the system. This dump can be obtained using various tools capable of capturing a snapshot of the system’s RAM.
- Signature-Based Scanning:
  - The driverscan plugin uses signatures and patterns to identify driver structures within the memory. This includes scanning for common driver headers and metadata.
- Output Generation:
  - The plugin generates a report listing all identified drivers along with their details. This report can be further analyzed to determine the legitimacy of each driver.”
In preparing to generate a report, we have translated the output of the driverscan plugin into text that the chat bot can use to look for threats and anomalies. We submit the text to the chat bot to bound the question.
The chat engine responds with the following:
“In analyzing the provided output from the driverscan plugin of Volatility3, several potential threats or anomalies can be identified:
- Unusual or Suspicious Driver Names:
  - Drivers with names that are unusual or contain non-printable characters can indicate a potential anomaly or malicious behavior. For example:
    driver name of None with a name of 譈䣄墉䠈梉䠐炉䠘碉䄠䡗䡀妋䡀懲譈䣱ⶍ퉾
  - These could be signs of attempts to hide malicious drivers or to evade detection.
- Drivers with Null Fields:
  - Multiple drivers have null values for critical fields such as driver name, service_key, and name. This is unusual and might indicate a misconfigured system or potentially malicious drivers attempting to conceal their true nature.
  - Example entries:
    driver name of None with a name of None with a service_key of None with a start of 121399204149618 with an offset of 272706830166960 with a size of 67831309
    driver name of None with a name of None with a service_key of None with a start of 126814888673637 with an offset of 272706876811400 with a size of 1702453580
- Drivers with Size 0:
  - Many drivers have a reported size of 0. While this might occasionally happen, the presence of many such drivers could suggest a scanning or reporting error, or it could be a technique used to hide the presence of a malicious driver.
  - Examples:
    driver name of None with a name of None with a service_key of None with a start of 0 with an offset of 140749007766955 with a size of 0
    driver name of RAW with a name of \FileSystem\RAW with a service_key of with a start of 0 with an offset of 185322903112432 with a size of 0
- Unusually Large Drivers:
  - A driver with an abnormally large size can be a sign of embedded malicious payloads or packed drivers.
  - Example:
    driver name of igfxn with a name of \Driver\igfxn with a service_key of igfxn with a start of 272707703209984 with an offset of 185323016916464 with a size of 44638208
- Overlapping Memory Ranges:
  - Check for drivers that might have overlapping memory ranges, which can indicate a conflict or a malicious attempt to overwrite legitimate driver space.”
The chat bot response is formatted for inclusion in the report.
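A deterministic cross-check for the categories the chat bot listed can run beside it, so the report shows which of its findings are reproducible. The following is an added example, not code from the original post: it parses the sentence format of the driverscan lines quoted above and flags null fields, zero size, large size, non-ASCII names and overlapping ranges. The function names and the 32 MiB size threshold are assumptions, and the last two sample lines are constructed.

```python
import re
from itertools import combinations
# Sentence format of the translated driverscan lines quoted in the post.
LINE_RE = re.compile(
    r"driver name of (?P<driver_name>.*?) with a name of (?P<name>.*?) "
    r"with a service_key of (?P<service_key>.*?) ?with a start of (?P<start>\d+) "
    r"with an offset of (?P<offset>\d+) with a size of (?P<size>\d+)$")
LARGE_SIZE = 32 * 1024 * 1024  # assumed threshold; tune against a known-good baseline

def parse(line):  # one record as a dict, or None if the line is not in the format
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    for key in ("driver_name", "name", "service_key"):
        rec[key] = None if rec[key] in ("None", "") else rec[key]
    for key in ("start", "offset", "size"):
        rec[key] = int(rec[key])
    return rec

def flags(rec):  # per-record checks, one per category in the chat bot's answer
    out = []
    if not (rec["driver_name"] or rec["name"] or rec["service_key"]):
        out.append("null_fields")
    if rec["size"] == 0:
        out.append("zero_size")
    if rec["size"] >= LARGE_SIZE:
        out.append("large")
    if rec["name"] and not (rec["name"].isascii() and rec["name"].isprintable()):
        out.append("odd_name")
    return out

def overlaps(recs):  # offset pairs whose [start, start + size) ranges intersect
    sized = [r for r in recs if r["size"] > 0]
    return [(a["offset"], b["offset"]) for a, b in combinations(sized, 2)
            if a["start"] < b["start"] + b["size"] and b["start"] < a["start"] + a["size"]]

def triage(lines):  # (offset, flags) per parsed line, plus overlapping pairs
    recs = [r for r in map(parse, lines) if r]
    return [(r["offset"], flags(r)) for r in recs], overlaps(recs)

SAMPLE = [  # first three lines are from the post; the last two are constructed
    r"driver name of None with a name of None with a service_key of None with a start of 0 with an offset of 140749007766955 with a size of 0",
    r"driver name of RAW with a name of \FileSystem\RAW with a service_key of with a start of 0 with an offset of 185322903112432 with a size of 0",
    r"driver name of igfxn with a name of \Driver\igfxn with a service_key of igfxn with a start of 272707703209984 with an offset of 185323016916464 with a size of 44638208",
    r"driver name of None with a name of 譈䣄 with a service_key of None with a start of 4096 with an offset of 1000 with a size of 8192",
    r"driver name of demo with a name of \Driver\demo with a service_key of demo with a start of 272707703214080 with an offset of 2000 with a size of 8192",
]
if __name__ == "__main__":
    print(*triage(SAMPLE), sep="\n")
```

A finding that both the rules and the chat bot report is a stronger candidate for the report than one that only the chat bot asserts.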
Conclusion
A fair amount of testing is required to determine the false negatives and true positives. But having gotten this far, there is significant evidence that there is reason to push forward.
Lu sends.