// 01Executive summary
This document is a research paper describing a method for incident response planning with lightweight large language models (LLMs): an LLM fine-tuned on system logs that describe incidents proposes candidate response actions, and a planning procedure selects among them to reduce recovery time and the rate of hallucinated actions. The paper is academic and forward-looking; it provides no live IOCs, detection opportunities or tactical response actions for an ongoing threat. The indicators counted below are artifacts of the paper itself (author names and sentence fragments misparsed as domains, reference URLs, and the IPs and CVEs of its example incident and testbed), not threat intelligence.
// 02Key metrics
// ttps
0
ATT&CK techniques
// iocs
228
indicators
// actors
0
threat groups
// kwords
10
keywords
// 03MITRE ATT&CK
// no techniques extracted
// 04Threat actors
// no actors matched
// 05Indicators of compromise
// ips2
- 147.32.84.165 (named in the paper's worked example as the infected host whose hard drive is to be wiped; not a live indicator)
- 222.88.205.195 (no context recoverable from the extraction)
// domains169
// All 169 entries extracted as "domains" are false positives: the extractor matched any dotted token in the PDF text, which yielded author initials and surnames (kim.hammar, tansu.alpcan, e.c.lupu, ...), numbered list items (1.fine, 3.planning), run-together sentence fragments (seefig.1.our, islightweightandcanrunoncommodityhardware.weevaluate), file-name tails of URLs already listed below (playbooks-v2.0.html, jha25a.html, from-naptime-to-big-sleep.html) and the alert signature name Win.Trojan.CryptoDefence. None is a resolvable domain and none should be used for detection.
// Content recoverable from the fragments (the paper's own worked example, not threat intelligence):
- the method runs in three steps: 1. extract IOCs from logs, 2. retrieve relevant information, 3. generate candidate responses; a planning procedure then ranks the candidates by estimated recovery time and outputs a sequence of recommended response actions
- the worked incident involves servers running Windows XP SP2 and an alert for Win.Trojan.CryptoDefence ransomware; the suggested plan includes wiping the hard drive of 147.32.84.165, restoring the server's data from a trusted backup, hardening the system and recovering operational services
- the fine-tuned model has 14 billion parameters and is lightweight enough to run on commodity hardware; fine-tuning was done on a server with RTX 8000 GPUs
// urls49 (several entries are cut short by the extractor, e.g. the docs.oasis-open.org, help.splunk.com and proceedings.neurips.cc ones; they are kept as extracted, not completed)
- https://dx.doi.org/10.14722/ndss.2026.240358
- https://doi.org/10.1145/3491102.3517559
- https://arxiv.org/abs/2505.04843
- https://docs.oasis-open.org/cacao/security-playbooks/v2.0/security-
- https://arxiv.org/abs/2403.17674
- https://arxiv.org/abs/2403.01271
- https://arxiv.org/abs/2410.17351
- https://arxiv.org/abs/2507.15163
- https://arxiv.org/abs/2303.08774
- https://arxiv.org/abs/2407.11070
- https://proceedings.neurips.cc/paper
- https://doi.org/10.1145/3560830.3563732
- https://arxiv.org/abs/2312.11805
- https://arxiv.org/abs/2506.22706
- http://arxiv.org/abs/1707.06347
- https://arxiv.org/abs/2507.12061
- https://huggingface.co/
- https://doi.org/10.1145/3538969.3538976
- https://huggingface.co/kimhammar/LLMIncidentResponse
- https://doi.org/10.1145/3688810
- https://doi.org/10.1504/IJICS.2007.012248
- https://www.usenix.org/conference/usenixsecurity24/presentation/deng
- https://arxiv.org/abs/2503.11917
- https://help.splunk.com/en/splunk-
- https://www.ndss-symposium.org/ndss-
- https://doi.org/10.1038/srep19540
- https://www.usenix.org/
- https://googleprojectzero.blogspot.com/2024/10/
- https://arxiv.org/abs/2401.01313
- https://arxiv.org/abs/2501.12948
- https://aclanthology.org/
- https://www.ndss-symposium.org/
- https://www.ndss-symposium.org/ndss-paper/the-midas-touch-
- https://arxiv.org/abs/2311.17311
- https://doi.org/10.1145/3597503.3639121
- https://aclanthology.org/2023.findings-emnlp.167/
- https://www.ndss-symposium.org/ndss-paper/generating-api-
- https://arxiv.org/abs/2306.04751
- https://www.sciencedirect.com/science/article/pii/
- https://proceedings.mlr.press/v267/jha25a.html
- https://www.sciencedirect.com/
- https://www.kaggle.com/
- https://doi.org/10.1145/3675741.3675748
- https://wazuh.com/
- https://doi.org/10.5281/zenodo.10706475
- https://arxiv.org/abs/2405.01563
- https://arxiv.org/abs/2108.09118
- https://doi.org/10.5281/
- https://doi.org/10.5281/zenodo.17770990
// sha2560
none
// md50
none
// emails1
- e.c.lupu@imperial.ac.uk
// cves8
// Referenced in the paper's testbed and incident descriptions; nothing on this page indicates active exploitation.
- CVE-2017-7494 (Samba remote code execution, "SambaCry")
- CVE-2015-3306 (ProFTPD mod_copy unauthenticated file copy)
- CVE-2010-0426 (sudo sudoedit privilege escalation)
- CVE-2015-5602 (sudoedit symlink privilege escalation)
- CVE-2015-1427 (Elasticsearch Groovy scripting remote code execution)
- CVE-2014-6271 (Bash "Shellshock")
- CVE-2016-10033 (PHPMailer remote code execution)
- CVE-2021-44228 (Log4j "Log4Shell")
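The 169 bogus "domains" above are what a dotted-token regex produces on PDF text. What follows is an added example, not code from the paper or from the extractor that produced this page, of the validation pass a practitioner would put between raw extraction and an IOC feed: hostname syntax plus a TLD check for domains, public/private labelling for IPs, and a year sanity check for CVE ids. The sample tokens are constructed (shapes copied from the list above, hostnames from the URL list, one IP and one CVE from this page, the rest invented), and the short TLD allowlist is an assumption standing in for the IANA root-zone list.

```python
"""Triage raw IOC-extractor tokens before they reach a detection feed.

Added example, not code from the paper or from the extractor that produced
this page. Sample tokens are constructed: the first group copies the shapes
listed under "domains" above, the hostnames come from the URL list, the IPs
are one from the IP list above plus two invented ones, and the CVE ids are
one real id from the list plus an invented invalid one.
"""
import ipaddress
import re
from collections import defaultdict
from datetime import date
from typing import Dict, List, Optional

# Assumption: a deployed tool would load the IANA root-zone list; this short
# allowlist is enough to show the check.
KNOWN_TLDS = {"com", "org", "net", "edu", "gov", "io", "co", "uk", "ac", "de", "cz", "se"}

# DNS label: 1..63 characters, letters/digits/hyphen, no leading or trailing hyphen.
LABEL_RE = re.compile(r"^(?!-)[a-z0-9-]{1,63}(?<!-)$")
CVE_RE = re.compile(r"^CVE-(\d{4})-(\d{4,})$", re.IGNORECASE)


def is_plausible_domain(token: str) -> bool:
    """True only for a syntactically valid hostname whose last label is a known TLD.

    The TLD check is what discards author names ("kim.hammar"), numbered list
    items ("1.fine") and run-together sentences ("seefig.1.our"): they contain
    a dot but end in a label no registry delegates.
    """
    name = token.strip().lower().rstrip(".")
    labels = name.split(".")
    if len(name) > 253 or len(labels) < 2:
        return False
    if not all(LABEL_RE.match(label) for label in labels):
        return False
    return labels[-1] in KNOWN_TLDS


def classify_ip(token: str) -> Optional[str]:
    """Return 'ip_public', 'ip_private' or None for a non-address.

    Private/reserved space is kept but labelled: lab testbeds such as the one
    this paper describes commonly sit in RFC 1918 ranges, and those addresses
    must not be pushed to a blocklist.
    """
    try:
        addr = ipaddress.ip_address(token.strip())
    except ValueError:
        return None
    if addr.is_private or addr.is_loopback or addr.is_reserved or addr.is_multicast:
        return "ip_private"
    return "ip_public"


def is_valid_cve(token: str) -> bool:
    """Syntax plus a year sanity check (CVE ids start in 1999)."""
    m = CVE_RE.match(token.strip())
    if not m:
        return False
    year, seq = int(m.group(1)), int(m.group(2))
    return 1999 <= year <= date.today().year + 1 and seq > 0


def triage(tokens: List[str]) -> Dict[str, List[str]]:
    """Bucket tokens by the first validator they pass; everything else is 'rejected'."""
    buckets: Dict[str, List[str]] = defaultdict(list)
    for raw in tokens:
        tok = raw.strip()
        kind = classify_ip(tok)
        if is_valid_cve(tok):
            buckets["cve"].append(tok.upper())
        elif kind is not None:
            buckets[kind].append(tok)
        elif is_plausible_domain(tok):
            buckets["domain"].append(tok.lower().rstrip("."))
        else:
            buckets["rejected"].append(tok)
    return dict(buckets)


SAMPLE_TOKENS = [
    # constructed: shapes that appear in the "domains" list on this page
    "kim.hammar", "e.c.lupu", "1.fine", "seefig.1.our",
    "islightweightandcanrunoncommodityhardware.weevaluate",
    "win.trojan.cryptodefence", "playbooks-v2.0.html",
    # hostnames from the URL list on this page
    "huggingface.co", "wazuh.com", "ndss-symposium.org", "imperial.ac.uk",
    # one IP from the IP list above, plus an invented private one and an invalid one
    "147.32.84.165", "10.0.0.5", "999.1.1.1",
    # one CVE id from the list above, plus an invented malformed one
    "CVE-2021-44228", "CVE-0000-1234",
]

if __name__ == "__main__":
    for kind, items in sorted(triage(SAMPLE_TOKENS).items()):
        print(f"{kind:10} {len(items):3}  {', '.join(items)}")
```

Run on the sample, all seven page-style fragments land in `rejected` together with the malformed IP and CVE, the four real hostnames survive, and the testbed-style private address is kept but separated from the public one so it cannot leak into a blocklist. The TLD allowlist, not the label regex, does most of the work: every fragment on this page is syntactically a valid hostname.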
// 06Geographic coverage
// 07YARA rule
// No YARA rule generated: the document carries no file hashes or sample bytes to match on (sha256 0, md5 0)
// 08Keywords
{'keyword': 'llm', 'score': 59.7041}
{'keyword': 'response', 'score': 52.6473}
{'keyword': 'https', 'score': 43.3155}
{'keyword': 'incident', 'score': 41.7091}
{'keyword': 'method', 'score': 41.1419}
{'keyword': 'actions', 'score': 36.2276}
{'keyword': 'recovery', 'score': 35.0731}
{'keyword': 'time', 'score': 34.9608}
{'keyword': 'available', 'score': 33.7104}
{'keyword': 'action', 'score': 32.2329}