Using Large Language Models to Extract Planning Knowledge from Common Vulnerabilities and Exposures

Date

2024

Citation of Original Publication

Oates, Tim, Ron Alford, Shawn Johnson, and Cory Hall. “Using Large Language Models to Extract Planning Knowledge from Common Vulnerabilities and Exposures,” In Proceedings of 2024 Workshop on Knowledge Engineering for Planning and Scheduling (June 2024). https://icaps24.icaps-conference.org/program/workshops/keps-papers/KEPS-24_paper_12.pdf.

Rights

This item is likely protected under Title 17 of the U.S. Copyright Law. Unless on a Creative Commons license, for uses protected by Copyright Law, contact the copyright holder or the author.

Abstract

Understanding attackers’ goals and plans is crucial for cyber defense, which relies on understanding the basic steps that attackers can take to exploit vulnerabilities. There is a wealth of knowledge about vulnerabilities in text, such as Common Vulnerabilities and Exposures (CVEs), that is accessible to humans but not machines. This paper presents a system, called CLLaMP, that uses large language models (LLMs) to extract declarative representations of CVEs as planning operators represented using the Planning Domain Description Language (PDDL). CLLaMP ingests CVEs, stores them in a database, uses an LLM to extract a PDDL action that specifies preconditions for, and the effects of, the exploit, and updates the database with the action. The resulting planning operators can be used for automatically recognizing attacker plans in real time. We propose metrics for evaluating the quality of extracted operators and show the translation results for a set of randomly selected CVEs.