Host: The Japanese Society for Artificial Intelligence
Name : The 38th Annual Conference of the Japanese Society for Artificial Intelligence
Number : 38
Location : [in Japanese]
Date : May 28, 2024 - May 31, 2024
Anomaly communication detection that supports the various communication protocols used within Industrial Control Systems (ICS) is essential to ensuring the security of ICS. For this purpose, anomaly communication detection using Bidirectional Encoder Representations from Transformers (BERT) is attracting attention, since this method automatically learns the characteristics of packet payloads and is adaptable to various protocols. However, in anomaly communication detection using BERT, it is difficult to explicitly identify the role of the detected packets in the communication and the cause of the anomaly, due to the lack of prior knowledge about the anomaly. As a result, users are required to have specialized knowledge of security and communication. To address this problem, this paper considers exploiting large language models (LLMs), which have been achieving results in various fields. Specifically, to apply LLMs to the multiple tasks that users perform to infer the cause of anomalies, we design prompts and construct Retrieval-Augmented Generation (RAG). Furthermore, through evaluation experiments, we discuss the effectiveness and challenges of applying LLMs to the task of cause inference.