A Prototype data agent for threat modelling in security operation centers
Publisher
Strathmore University
Abstract
The rapidly evolving cybersecurity threat landscape demands innovative threat modelling tools that can offer customized threat investigation in complex and dynamic Security Operation Centers. This thesis outlines the development of a Data Agent designed to support human Security Analysts in Security Operation Centers (SOCs). The system leverages advances in generative artificial intelligence (GenAI), in particular Large Language Models (LLMs) and Retrieval Augmented Generation (RAG), to create an interactive Data Agent that augments human Security Analysts in investigating high-risk threats. The main objective of this research is the design, development, and testing of a Large Language Model-powered GenAI Agent that acts as a Data Agent, guiding human Security Analysts through the complexities of cybersecurity threat investigation. The intelligent Agent uses a conversational interface to provide explanations, answer questions and offer examples, thus engaging human Security Analysts in the Security Operation Centers. Methodologically, this research adopted a design science approach, involving the iterative development of the intelligent Agent system followed by rigorous testing in a virtualized, controlled environment. The system's effectiveness was evaluated based on its impact on threat investigation, accuracy levels, and user satisfaction.
Keywords: artificial intelligence, cybersecurity, Data Agent, large language model, pre-trained transformer, false positives, retrieval augmented generation, threat investigation, security operations center
Description
Full-text thesis
Citation
Owino, M. O. (2025). A Prototype data agent for threat modelling in security operation centers [Strathmore University]. https://hdl.handle.net/11071/16437