The AI Model Can More Easily Filter Malicious Activity in XDR Telemetry, Improve Spam Filters, and Simplify the Analysis of Living Off the Land Binaries

OXFORD, U.K. — März 16, 2023 —

Sophos, a global leader in innovating and delivering cybersecurity as a service, today released new research on how the cybersecurity industry can leverage GPT-3, the language model behind the now well-known ChatGPT framework, as a co-pilot to help defeat attackers. The latest report, “GPT for You and Me: Applying AI Language Processing to Cyber Defenses,” details projects developed by Sophos X-Ops using GPT-3's large language models to simplify the search for malicious activity in datasets from security software, more accurately filter spam, and speed up analysis of “living off the land” binary (LOLBin) attacks.

“Since OpenAI unveiled ChatGPT back in November, the security community has largely focused on the potential risks this new technology could bring. Can the AI help wannabee attackers write malware or help cybercriminals write much more convincing phishing emails? Perhaps, but, at Sophos, we’ve long seen AI as an ally rather than an enemy for defenders, making it a cornerstone technology for Sophos, and GPT-3 is no different. The security community should be paying attention not just to the potential risks, but the potential opportunities GPT-3 brings,” said Sean Gallagher, principal threat researcher, Sophos.

Sophos X-Ops researchers, including SophosAI Principal Data Scientist Younghoo Lee, have been working on three prototype projects that demonstrate the potential of GPT-3 as an assistant to cybersecurity defenders. All three use a technique called “few-shot learning” to train the AI model with just a few data samples, reducing the need to collect a large volume of pre-classified data.

The first application Sophos tested with the few-shot learning method was a natural language query interface for sifting through malicious activity in security software telemetry; specifically, Sophos tested the model against its endpoint detection and response product. With this interface, defenders can filter through the telemetry with basic English commands, removing the need for defenders to understand SQL or a database’s underlying structure.

Next, Sophos tested a new spam filter using ChatGPT and found that, when compared to other machine learning models for spam filtering, the filter using GPT-3 was significantly more accurate. Finally, Sophos researchers were able to create a program to simplify the process for reverse-engineering the command lines of LOLBins. Such reverse-engineering is notoriously difficult, but also critical for understanding LOLBins’ behavior—and putting a stop to those types of attacks in the future.

“One of the growing concerns within security operation centers is the sheer amount of ‘noise’ coming in. There are just too many notifications and detections to sort through, and many companies are dealing with limited resources. We’ve proved that, with something like GPT-3, we can simplify certain labor-intensive processes and give back valuable time to defenders. We are already working on incorporating some of the prototypes above into our products, and we’ve made the results of our efforts available on our GitHub for those interested in testing GPT-3 in their own analysis environments. In the future, we believe that GPT-3 may very well become a standard co-pilot for security experts,” said Gallagher.

Learn more about how GPT-3 can be used to assist defenders in “GPT for You and Me: Applying AI Language Processing to Cyber Defenses” on Sophos.com.

Über Sophos

Sophos ist ein führender Anbieter im Bereich Cybersicherheit und schützt weltweit 600.000 Unternehmen und Organisationen mit einer KI-gestützten Plattform und von Experten bereitgestellten Services. Sophos unterstützt Unternehmen und Organisationen unabhängig von ihrem aktuellen Sicherheitsniveau und entwickelt sich mit ihnen weiter, um Cyberangriffe erfolgreich abzuwehren. Die Lösungen von Sophos kombinieren maschinelles Lernen, Automatisierung und Echtzeit-Bedrohungsinformationen mit der menschlichen Expertise der Sophos X-Ops. So entsteht modernster Schutz mit einer 24/7 aktiven Erkennung, Analyse und Abwehr von Bedrohungen.
Das Sophos-Portfolio beinhaltet branchenührende Managed Detection and Response Services (MDR) sowie umfassende Cybersecurity-Technologien– darunter Schutz für Endpoints, Netzwerke, E-Mails und Cloud-Umgebungen, XDR (Extended Detection and Response), ITDR (Identity Threat Detection and Response) und Next-Gen-SIEM. Ergänzt wird das Angebot durch Beratungs-Services, die Unternehmen und Organisationen helfen, Risiken proaktiv zu reduzieren und schneller zu reagieren – mit umfassender Transparenz und Skalierbarkeit, um Bedrohungen immer einen Schritt voraus zu sein.
Der Vertrieb der Sophos-Lösungen erfolgt über ein globales Partner-Netzwerk, das Managed Service Provider (MSPs), Managed Security Service Provider (MSSPs), Reseller und Distributoren, Marketplace-Integrationen und Cyber Risk Partner umfasst. So können Unternehmen und Organisationen flexibel auf vertrauensvolle Partnerschaften setzen, wenn es um die Sicherheit ihres Geschäfts geht.  Der Hauptsitz von Sophos befindet sich in Oxford, Großbritannien. Weitere Informationen finden Sie unter www.sophos.de.