With fears of artificial intelligence (AI) taking over most human tasks continuing to hog the headlines, cybersecurity solutions company Sophos, explored how the cybersecurity industry can leverage GPT-3 as a co-pilot to help defeat attackers.

GPT-3 is the language model behind ChatGPT framework.

“Since OpenAI unveiled ChatGPT back in November, the security community has largely focused on the potential risks this new technology could bring,” Sean Gallagher, principal threat researcher, Sophos, said in a statement. “Can the AI help wannabee attackers write malware or help cybercriminals write much more convincing phishing emails?”

Sophos improves endpoint security solutions to boost cyber defenses
CryptoRom scammers target Twitter, SMS users — Sophos

Sophos explored the technology using different AI language processing techniques in detecting or even mitigating cybersecurity threats. Sophos X-Ops developed projects using GPT-3’s large language models to simplify the search for malicious activity in datasets from security software, more accurately filter spam, and speed up analysis of “living off the land” binary (LOLBin) attacks. 

“At Sophos, we have long seen AI as an ally rather than an enemy for defenders, making it a cornerstone technology for Sophos, and GPT-3 is no different,” Gallagher said. “The security community should be paying attention not just to the potential risks, but the potential opportunities GPT-3 brings.” 

Assistant to cybersecurity defenders

Sophos X-Ops researchers have been working on three prototype projects that demonstrate the potential of GPT-3 as an assistant to cybersecurity defenders. All three use a technique called “few-shot learning” to train the AI model with just a few data samples, reducing the need to collect a large volume of pre-classified data. 

The first application Sophos tested with the few-shot learning method was a natural language query interface for sifting through malicious activity in security software telemetry; specifically, Sophos tested the model against its endpoint detection and response product. With this interface, defenders can filter through the telemetry with basic English commands, removing the need for defenders to understand SQL or a database’s underlying structure. 

ChatGPT

Next, Sophos tested a new spam filter using ChatGPT and found that, when compared to other machine learning models for spam filtering, the filter using GPT-3 was significantly more accurate. Finally, Sophos researchers were able to create a program to simplify the process of reverse-engineering the command lines of LOLBins. Such reverse-engineering is notoriously difficult, but also critical for understanding LOLBins’ behavior and putting a stop to those types of attacks in the future.

“One of the growing concerns within security operation centers is the sheer amount of ‘noise’ coming in,” Gallagher said. “There are just too many notifications and detections to sort through, and many companies are dealing with limited resources.”

According to Sophos, GPT-3 can simplify certain labor-intensive processes and give back valuable time to defenders. The company is working on incorporating some of the prototypes above into its products and made the results available on GitHub for those interested in testing GPT-3 in their own analysis environments. 

“In the future, we believe that GPT-3 may very well become a standard co-pilot for security experts,” said Gallagher.