Towards autonomous device protection using behavioural profiling and generative artificial intelligence

Abstract

Demand for autonomous protection in computing devices cannot go unnoticed, considering the rapid proliferation of deployed devices and escalating cyberattacks. Consequently, cybersecurity measures with an improved generalisation that can proactively determine the indicators of compromises to predict 0-day threats or previously unseen malware together with known malware are highly desirable. In this article, the authors present a novel concept of autonomous device protection based on behavioural profiling by continuously monitoring internal resource usage and leveraging generative artificial intelligence (genAI) to distinguish between benign and malicious behaviour. The authors design a proof-of-concept for Windows-based computing devices relying on a built-in event tracing mechanism for log collection that is converted into structured data using a graph data structure. The authors extract graph-level features, that is, graph depth, nodes count, number of leaf nodes, node degree statistics, and events count and node-level features (NLF), that is, process start, file create and registry events details for each graph. Further, the authors investigate the use of genAI exploiting a pre-trained large language network—a simple contrastive sentence embedding framework to extract strong features, that is, dense vectors from event graphs. Finally, the authors train a random forest classifier using both the graph-level features and NLF to obtain classification models that are evaluated on a collected dataset containing one thousand benign and malicious samples achieving accuracy up to 99.25%.